Detect Social Media Accounts in CrowdStrike LogScale
Adversaries create and cultivate fake or impersonation social media accounts to build credible personas for use in targeting operations. These accounts may impersonate real employees, HR staff, recruiters, or industry contacts to establish trust before launching spearphishing, credential harvesting, or intelligence-gathering campaigns. Detection focuses on downstream observables: inbound social engineering emails referencing social media profiles, employees receiving suspicious connection or recruitment messages, and threat intelligence correlation identifying accounts impersonating your organization's staff. Real-world examples include HEXANE creating fake LinkedIn HR accounts offering jobs, CURIUM building networks of fictitious profiles posing as attractive contacts, Scattered Spider creating matching fake social media accounts to support identity theft, and EXOTIC LILY mimicking target company employees to gain trust before delivering malware.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1585 Establish Accounts
- Sub-technique
- T1585.001 Social Media Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1585/001/
LogScale Detection Query
// CrowdStrike LogScale - Falcon for Email or Email Security Integration
// Detects social engineering emails with social media links for T1585.001
#event_simpleName = "EmailMessageEvent"
| in(direction, values=["inbound", "Inbound"])
// Match social engineering keywords in subject
| regex(field=subject, regex="(?i)(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we.?re hiring|job opening|open role|recruiter|talent acquisition|linkedin connection|exciting opportunity|came across your profile|work from home|contractor position|freelance project)", strict=false)
// Match social media URLs
| regex(field=urls, regex="(?i)(linkedin\.com|facebook\.com|twitter\.com|x\.com|instagram\.com|telegram\.org|t\.me|wa\.me|discord\.com|discord\.gg|linktr\.ee)", strict=false)
// Exclude internal senders
| not regex(field=senderDomain, regex="(?i)yourcompany\.com")
// Risk scoring
| eval(social_eng_subject = if(match(subject, "(?i)(job opportunity|career opportunity|recruiter|talent acquisition|found your profile|we.?re hiring|exclusive opportunity)"), 1, 0))
| eval(social_media_link = if(match(urls, "(?i)(linkedin\.com|facebook\.com|twitter\.com|instagram\.com|telegram\.org|t\.me|discord\.com)"), 1, 0))
| eval(risk_score = social_eng_subject + social_media_link)
| eval(risk_label = if(risk_score >= 2, "HIGH", if(risk_score == 1, "MEDIUM", "LOW")))
| where risk_score >= 1
| table([timestamp, senderAddress, senderDomain, recipientAddress, subject, urls, risk_score, risk_label])
| sort(timestamp, order=desc)CrowdStrike LogScale (Falcon) query detecting inbound social engineering emails referencing social media platforms, consistent with T1585.001 fake persona-driven targeting. Integrates with Falcon for Email or third-party email security telemetry ingested into LogScale. Applies risk scoring based on subject keyword and URL presence.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate staffing agency outreach emails containing LinkedIn profile links
- Company-sponsored job fair or recruiting event notifications
- Industry conference networking emails referencing social channels
- Automated HR platform emails with social media sign-in links
Other platforms for T1585.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Inbound Social Engineering Email with LinkedIn URL
Expected signal: EmailEvents: new record with SenderFromAddress='[email protected]', Subject containing 'job opportunity', Direction='Inbound'. EmailUrlInfo: record linking NetworkMessageId to 'linkedin.com/in/red-team-test-persona'. Microsoft Defender for Office 365 Safe Links may wrap the URL. Email gateway (Proofpoint/Mimecast/Cisco ESA) logs inbound message with external sender and social media URL.
- Test 2OSINT: Search for Fake Social Media Profiles Impersonating Company Employees
Expected signal: Browser history: outbound GET requests to google.com, linkedin.com, twitter.com search URLs from analyst workstation. Proxy logs: requests to search engines and social media platforms from analyst IP. No malicious telemetry expected — this is a defensive OSINT exercise.
- Test 3Test Email Display Name Spoofing Detection
Expected signal: EmailEvents: SenderFromAddress='[email protected]', SenderDisplayName='Jane Doe'. IdentityInfo join will match internal employee 'Jane Doe' with mismatched domain. Microsoft Defender for Office 365 anti-impersonation policy (if configured) will generate a ZapType action. Email gateway logs: From header mismatch between display name and envelope sender domain.
- Test 4Validate Social Media Profile Takedown Reporting Workflow
Expected signal: Outbound HTTP requests from analyst workstation to linkedin.com, twitter.com, facebook.com, telegram.org, web.archive.org. Proxy logs record the connection attempts. No malicious telemetry expected.
References (9)
- https://attack.mitre.org/techniques/T1585/001/
- https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
- http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity/
- https://unit42.paloaltonetworks.com/medusa-ransomware/
- https://www.clearskysec.com/siamesekitten/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1585.001/T1585.001.md
Unlock Pro Content
Get the full detection package for T1585.001 including response playbook, investigation guide, and atomic red team tests.