T1585.001 IBM QRadar · QRadar

Detect Social Media Accounts in IBM QRadar

Adversaries create and cultivate fake or impersonation social media accounts to build credible personas for use in targeting operations. These accounts may impersonate real employees, HR staff, recruiters, or industry contacts to establish trust before launching spearphishing, credential harvesting, or intelligence-gathering campaigns. Detection focuses on downstream observables: inbound social engineering emails referencing social media profiles, employees receiving suspicious connection or recruitment messages, and threat intelligence correlation identifying accounts impersonating your organization's staff. Real-world examples include HEXANE creating fake LinkedIn HR accounts offering jobs, CURIUM building networks of fictitious profiles posing as attractive contacts, Scattered Spider creating matching fake social media accounts to support identity theft, and EXOTIC LILY mimicking target company employees to gain trust before delivering malware.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1585 Establish Accounts
Sub-technique
T1585.001 Social Media Accounts
Canonical reference
https://attack.mitre.org/techniques/T1585/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  "sender" AS sender_address,
  "recipient" AS recipient_address,
  "subject" AS email_subject,
  "url" AS url_in_email,
  magnitude
FROM events
WHERE
  LOGSOURCETYPEID IN (
    -- Proofpoint, Mimecast, Microsoft Exchange, O365
    -- Use actual logsource type IDs from your QRadar deployment
    -- Common: 352 (Microsoft Exchange), 400 (Proofpoint), 433 (Mimecast)
    352, 400, 433, 465
  )
  AND CATEGORYNAME(category) LIKE '%Mail%'
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("subject") ILIKE '%job opportunity%'
    OR LOWER("subject") ILIKE '%career opportunity%'
    OR LOWER("subject") ILIKE '%employment offer%'
    OR LOWER("subject") ILIKE '%found your profile%'
    OR LOWER("subject") ILIKE '%connect with you%'
    OR LOWER("subject") ILIKE '%exclusive opportunity%'
    OR LOWER("subject") ILIKE '%remote position%'
    OR LOWER("subject") ILIKE '%we are hiring%'
    OR LOWER("subject") ILIKE '%recruiter%'
    OR LOWER("subject") ILIKE '%talent acquisition%'
    OR LOWER("subject") ILIKE '%exciting opportunity%'
    OR LOWER("subject") ILIKE '%work from home%'
    OR LOWER("subject") ILIKE '%freelance project%'
  )
  AND (
    LOWER("url") ILIKE '%linkedin.com%'
    OR LOWER("url") ILIKE '%facebook.com%'
    OR LOWER("url") ILIKE '%twitter.com%'
    OR LOWER("url") ILIKE '%x.com%'
    OR LOWER("url") ILIKE '%instagram.com%'
    OR LOWER("url") ILIKE '%telegram.org%'
    OR LOWER("url") ILIKE '%t.me%'
    OR LOWER("url") ILIKE '%discord.com%'
    OR LOWER("url") ILIKE '%linktr.ee%'
  )
  AND LOWER("sender") NOT ILIKE '%yourcompany.com%'
ORDER BY magnitude DESC, starttime DESC
LIMIT 500
medium severity medium confidence

AQL query for QRadar targeting inbound emails from external senders containing social engineering subject lines paired with social media URLs. Detects T1585.001 persona-driven spearphishing precursor activity by correlating email metadata from mail gateway log sources.

Data Sources

QRadar Email Log Sources (Proofpoint, Mimecast, Microsoft Exchange)QRadar Network Activity

Required Tables

events

False Positives & Tuning

  • Legitimate recruitment agencies sending job offers containing LinkedIn profile links
  • Internal HR department emails forwarded through external mail relay
  • Marketing automation tools sending newsletters with social media links
  • Vendor outreach emails from sales teams referencing company social profiles
Download portable Sigma rule (.yml)

Other platforms for T1585.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Inbound Social Engineering Email with LinkedIn URL

    Expected signal: EmailEvents: new record with SenderFromAddress='[email protected]', Subject containing 'job opportunity', Direction='Inbound'. EmailUrlInfo: record linking NetworkMessageId to 'linkedin.com/in/red-team-test-persona'. Microsoft Defender for Office 365 Safe Links may wrap the URL. Email gateway (Proofpoint/Mimecast/Cisco ESA) logs inbound message with external sender and social media URL.

  2. Test 2OSINT: Search for Fake Social Media Profiles Impersonating Company Employees

    Expected signal: Browser history: outbound GET requests to google.com, linkedin.com, twitter.com search URLs from analyst workstation. Proxy logs: requests to search engines and social media platforms from analyst IP. No malicious telemetry expected — this is a defensive OSINT exercise.

  3. Test 3Test Email Display Name Spoofing Detection

    Expected signal: EmailEvents: SenderFromAddress='[email protected]', SenderDisplayName='Jane Doe'. IdentityInfo join will match internal employee 'Jane Doe' with mismatched domain. Microsoft Defender for Office 365 anti-impersonation policy (if configured) will generate a ZapType action. Email gateway logs: From header mismatch between display name and envelope sender domain.

  4. Test 4Validate Social Media Profile Takedown Reporting Workflow

    Expected signal: Outbound HTTP requests from analyst workstation to linkedin.com, twitter.com, facebook.com, telegram.org, web.archive.org. Proxy logs record the connection attempts. No malicious telemetry expected.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1585.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1585Establish Accounts

Related Sub-techniques

T1585.002Email AccountsT1585.003Cloud Accounts

Related Techniques

T1585Establish AccountsT1585.002Email AccountsT1586.001Social Media AccountsT1566.003Spearphishing via ServiceT1598.002Spearphishing AttachmentT1591Gather Victim Org InformationT1592Gather Victim Host InformationT1593.001Social MediaT1204.001Malicious LinkT1078.004Cloud Accounts

Same Tactic: Resource Development

Popular Detections