Detect Social Media Accounts in Microsoft Sentinel
Adversaries create and cultivate fake or impersonation social media accounts to build credible personas for use in targeting operations. These accounts may impersonate real employees, HR staff, recruiters, or industry contacts to establish trust before launching spearphishing, credential harvesting, or intelligence-gathering campaigns. Detection focuses on downstream observables: inbound social engineering emails referencing social media profiles, employees receiving suspicious connection or recruitment messages, and threat intelligence correlation identifying accounts impersonating your organization's staff. Real-world examples include HEXANE creating fake LinkedIn HR accounts offering jobs, CURIUM building networks of fictitious profiles posing as attractive contacts, Scattered Spider creating matching fake social media accounts to support identity theft, and EXOTIC LILY mimicking target company employees to gain trust before delivering malware.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1585 Establish Accounts
- Sub-technique
- T1585.001 Social Media Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1585/001/
KQL Detection Query
let SocialMediaDomains = dynamic([
"linkedin.com", "facebook.com", "twitter.com", "x.com",
"instagram.com", "telegram.org", "t.me", "wa.me",
"discord.com", "discord.gg", "linktr.ee"
]);
let SocialEngineeringKeywords = dynamic([
"job opportunity", "career opportunity", "employment offer",
"found your profile", "connect with you", "exclusive opportunity",
"remote position", "we are hiring", "job opening", "open role",
"recruiter", "talent acquisition", "LinkedIn connection",
"exciting opportunity", "I came across your profile",
"work from home", "contractor position", "freelance project"
]);
let HighValueJobTitles = dynamic([
"CEO", "CFO", "CISO", "CTO", "COO", "VP", "Vice President",
"Director", "Manager", "Engineer", "Analyst", "Administrator",
"Developer", "Architect"
]);
// Step 1: Find inbound emails with social engineering subject lines
let SuspiciousEmails = EmailEvents
| where Timestamp > ago(24h)
| where EmailDirection == "Inbound"
| where DeliveryAction != "Blocked"
| where Subject has_any (SocialEngineeringKeywords)
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
RecipientEmailAddress, Subject, DeliveryLocation, DeliveryAction;
// Step 2: Join with URL info to find social media links in those emails
let EmailsWithSocialLinks = SuspiciousEmails
| join kind=inner (
EmailUrlInfo
| where Url has_any (SocialMediaDomains)
| project NetworkMessageId, SocialMediaUrl=Url, UrlDomain=UrlDomain
) on NetworkMessageId;
// Step 3: Enrich with recipient identity for high-value targeting detection
EmailsWithSocialLinks
| join kind=leftouter (
IdentityInfo
| where JobTitle has_any (HighValueJobTitles)
| project AccountUpn, TargetJobTitle=JobTitle, Department
) on $left.RecipientEmailAddress == $right.AccountUpn
| extend IsHighValueTarget = isnotempty(TargetJobTitle)
| extend ExternalSender = SenderFromDomain !endswith ".internal" and SenderFromDomain !in~ ("yourcompany.com")
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
RecipientEmailAddress, TargetJobTitle, Department, Subject,
SocialMediaUrl, UrlDomain, DeliveryLocation, IsHighValueTarget
| sort by IsHighValueTarget desc, Timestamp descDetects inbound social engineering emails containing social media profile links combined with recruitment or connection-related keywords — the primary downstream signal of adversary T1585.001 activity. Uses EmailEvents (primary email telemetry), EmailUrlInfo (URL extraction), and IdentityInfo (recipient role enrichment) from Microsoft Defender for Office 365. Prioritizes high-value targets (executives, engineers, administrators). This pattern matches known APT tactics: HEXANE fake LinkedIn HR recruiters, CURIUM fictitious contact personas, EXOTIC LILY employee impersonation, and Magic Hound voice + message campaigns. Note: the actual social media account creation occurs outside the victim environment; this query detects the targeting phase when fake personas make contact.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate external recruiters using LinkedIn InMail or email to contact employees about real job opportunities
- HR teams running internal talent acquisition campaigns referencing social media profiles
- Marketing or PR staff receiving social media collaboration or partnership outreach
- Security awareness training simulations sending test phishing emails with social media themes
- Industry event organizers sending networking invitations with social media links
Other platforms for T1585.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Inbound Social Engineering Email with LinkedIn URL
Expected signal: EmailEvents: new record with SenderFromAddress='[email protected]', Subject containing 'job opportunity', Direction='Inbound'. EmailUrlInfo: record linking NetworkMessageId to 'linkedin.com/in/red-team-test-persona'. Microsoft Defender for Office 365 Safe Links may wrap the URL. Email gateway (Proofpoint/Mimecast/Cisco ESA) logs inbound message with external sender and social media URL.
- Test 2OSINT: Search for Fake Social Media Profiles Impersonating Company Employees
Expected signal: Browser history: outbound GET requests to google.com, linkedin.com, twitter.com search URLs from analyst workstation. Proxy logs: requests to search engines and social media platforms from analyst IP. No malicious telemetry expected — this is a defensive OSINT exercise.
- Test 3Test Email Display Name Spoofing Detection
Expected signal: EmailEvents: SenderFromAddress='[email protected]', SenderDisplayName='Jane Doe'. IdentityInfo join will match internal employee 'Jane Doe' with mismatched domain. Microsoft Defender for Office 365 anti-impersonation policy (if configured) will generate a ZapType action. Email gateway logs: From header mismatch between display name and envelope sender domain.
- Test 4Validate Social Media Profile Takedown Reporting Workflow
Expected signal: Outbound HTTP requests from analyst workstation to linkedin.com, twitter.com, facebook.com, telegram.org, web.archive.org. Proxy logs record the connection attempts. No malicious telemetry expected.
References (9)
- https://attack.mitre.org/techniques/T1585/001/
- https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
- http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity/
- https://unit42.paloaltonetworks.com/medusa-ransomware/
- https://www.clearskysec.com/siamesekitten/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1585.001/T1585.001.md
Unlock Pro Content
Get the full detection package for T1585.001 including response playbook, investigation guide, and atomic red team tests.