T1585.001 Splunk · SPL

Detect Social Media Accounts in Splunk

Adversaries create and cultivate fake or impersonation social media accounts to build credible personas for use in targeting operations. These accounts may impersonate real employees, HR staff, recruiters, or industry contacts to establish trust before launching spearphishing, credential harvesting, or intelligence-gathering campaigns. Detection focuses on downstream observables: inbound social engineering emails referencing social media profiles, employees receiving suspicious connection or recruitment messages, and threat intelligence correlation identifying accounts impersonating your organization's staff. Real-world examples include HEXANE creating fake LinkedIn HR accounts offering jobs, CURIUM building networks of fictitious profiles posing as attractive contacts, Scattered Spider creating matching fake social media accounts to support identity theft, and EXOTIC LILY mimicking target company employees to gain trust before delivering malware.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1585 Establish Accounts
Sub-technique: T1585.001 Social Media Accounts
Canonical reference: https://attack.mitre.org/techniques/T1585/001/

SPL Detection Query

Splunk (SPL)
index=email (sourcetype="cisco:esa:syslog" OR sourcetype="proofpoint:mail" OR sourcetype="mimecast:email" OR sourcetype="symantec:ep:mail" OR sourcetype="o365:management:activity")
| search direction="inbound" OR direction="Inbound" OR recipient_domain="yourcompany.com"
| eval subject_lower=lower(coalesce(subject, Subject, ""))
| eval body_lower=lower(coalesce(body, message_body, ""))
| eval urls_lower=lower(coalesce(urls, url, ""))
| eval social_eng_subject=if(
    match(subject_lower, "(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we.?re hiring|job opening|recruiter|talent acquisition|linkedin connection|exciting opportunity|came across your profile|work from home|contractor position|freelance project)"),
    1, 0)
| eval social_media_link=if(
    match(urls_lower, "(linkedin\.com|facebook\.com|twitter\.com|x\.com|instagram\.com|t\.me|telegram\.org|wa\.me|discord\.com|linktr\.ee)"),
    1, 0)
| eval body_social_eng=if(
    match(body_lower, "(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we.?re hiring|recruiter|talent acquisition|i saw your profile|your background|your experience|our team is looking)"),
    1, 0)
| eval risk_score=social_eng_subject + social_media_link + body_social_eng
| where risk_score >= 1
| eval risk_label=case(
    risk_score >= 3, "HIGH",
    risk_score == 2, "MEDIUM",
    risk_score == 1, "LOW"
)
| eval sender_domain=lower(replace(coalesce(sender, from_address, ""), ".*@", ""))
| eval is_external=if(NOT match(sender_domain, "^yourcompany\.com$"), 1, 0)
| where is_external=1
| table _time, sender, recipient, subject, urls_lower, social_eng_subject, social_media_link, body_social_eng, risk_score, risk_label
| sort - risk_score, - _time
Severity: medium · Confidence: medium

Detects inbound emails exhibiting social engineering patterns characteristic of T1585.001 persona-based targeting. Covers multiple enterprise email gateway sourcetypes (Cisco ESA, Proofpoint, Mimecast, Symantec, Office 365). Scores emails across three dimensions: social engineering subject line keywords, social media URL presence, and body-level social engineering language. Assigns risk labels (HIGH/MEDIUM/LOW) based on cumulative score. External sender filter reduces noise from internal communications. This matches the downstream contact phase where adversary-controlled social media personas initiate targeting via email.
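The same three-dimension scoring, reimplemented in Python as an added example (not part of the original detection package) so it can be run over constructed sample events: the subject, URL and body patterns are copied from the SPL above, and the external-sender check compares the sender domain exactly so that a lookalike domain such as yourcompany.com.example.net is still treated as external. The event field names, sample addresses and the placeholder domain yourcompany.com are assumptions.

```python
import re

# Patterns copied from the SPL query on this page (one alternation group each).
SUBJECT_RE = re.compile(
    r"(job opportunity|career opportunity|employment offer|found your profile|connect with you"
    r"|exclusive opportunity|remote position|we.?re hiring|job opening|recruiter|talent acquisition"
    r"|linkedin connection|exciting opportunity|came across your profile|work from home"
    r"|contractor position|freelance project)")
SOCIAL_URL_RE = re.compile(
    r"(linkedin\.com|facebook\.com|twitter\.com|x\.com|instagram\.com|t\.me|telegram\.org"
    r"|wa\.me|discord\.com|linktr\.ee)")
BODY_RE = re.compile(
    r"(job opportunity|career opportunity|employment offer|found your profile|connect with you"
    r"|exclusive opportunity|remote position|we.?re hiring|recruiter|talent acquisition"
    r"|i saw your profile|your background|your experience|our team is looking)")
INTERNAL_DOMAIN = "yourcompany.com"  # placeholder organisation domain, as in the SPL

def score_email(event):
    """Score one email like the SPL; None means it would not reach the results table."""
    subject = event.get("subject", "").lower()
    body = event.get("body", "").lower()
    urls = event.get("urls", "").lower()
    sender_domain = re.sub(r".*@", "", event.get("sender", "")).lower()
    # Exact comparison: an unanchored regex would treat a lookalike such as
    # yourcompany.com.example.net as internal and silently drop the event.
    if sender_domain == INTERNAL_DOMAIN:
        return None
    score = (int(bool(SUBJECT_RE.search(subject)))
             + int(bool(SOCIAL_URL_RE.search(urls)))
             + int(bool(BODY_RE.search(body))))
    if score == 0:
        return None
    label = "HIGH" if score >= 3 else ("MEDIUM" if score == 2 else "LOW")
    return score, label

# Constructed sample events (not real mail); example.org/.net are reserved names.
SAMPLE_EVENTS = [
    {"id": "persona", "sender": "talent@example.org", "subject": "Exciting opportunity - remote position",
     "body": "I came across your profile and your experience is a great fit.", "urls": "https://www.linkedin.com/in/test-persona"},
    {"id": "internal", "sender": "hr@yourcompany.com", "subject": "Job opening in finance",
     "body": "We're hiring, see the careers page.", "urls": "https://www.linkedin.com/company/yourcompany"},
    {"id": "lookalike", "sender": "hr@yourcompany.com.example.net", "subject": "Job opening",
     "body": "Please see the attached description.", "urls": ""},
    {"id": "benign", "sender": "billing@example.org", "subject": "Invoice 1042",
     "body": "Your invoice is attached.", "urls": ""},
]

def score_all(events=SAMPLE_EVENTS):
    """Map each event id to its (score, label), or None when filtered out."""
    return {e["id"]: score_email(e) for e in events}
```

Running `score_all()` labels the persona email HIGH, drops the internal one, and keeps the lookalike-domain email as a LOW external hit rather than filtering it as internal.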

Data Sources

  • Application Log: Application Log Content
  • Email: Email Message
  • Network Traffic: Network Traffic Content

Required Sourcetypes

  • cisco:esa:syslog
  • proofpoint:mail
  • mimecast:email
  • o365:management:activity

False Positives & Tuning

  • Legitimate external recruiters contacting employees via email with social media profile links
  • Business development or partnership outreach containing social media handles
  • Industry conference or webinar invitations with social media event links
  • Vendor onboarding communications referencing LinkedIn company pages
  • Security awareness training campaigns simulating recruitment-themed phishing
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Inbound Social Engineering Email with LinkedIn URL

    Expected signal: EmailEvents: new record with SenderFromAddress='[email protected]', Subject containing 'job opportunity', Direction='Inbound'. EmailUrlInfo: record linking NetworkMessageId to 'linkedin.com/in/red-team-test-persona'. Microsoft Defender for Office 365 Safe Links may wrap the URL. Email gateway (Proofpoint/Mimecast/Cisco ESA) logs inbound message with external sender and social media URL.

  2. Test 2: OSINT: Search for Fake Social Media Profiles Impersonating Company Employees

    Expected signal: Browser history: outbound GET requests to google.com, linkedin.com, twitter.com search URLs from analyst workstation. Proxy logs: requests to search engines and social media platforms from analyst IP. No malicious telemetry expected — this is a defensive OSINT exercise.

  3. Test 3: Test Email Display Name Spoofing Detection

    Expected signal: EmailEvents: SenderFromAddress='[email protected]', SenderDisplayName='Jane Doe'. IdentityInfo join will match internal employee 'Jane Doe' with mismatched domain. Microsoft Defender for Office 365 anti-impersonation policy (if configured) will generate a ZapType action. Email gateway logs: From header mismatch between display name and envelope sender domain.

  4. Test 4: Validate Social Media Profile Takedown Reporting Workflow

    Expected signal: Outbound HTTP requests from analyst workstation to linkedin.com, twitter.com, facebook.com, telegram.org, web.archive.org. Proxy logs record the connection attempts. No malicious telemetry expected.
