Detect Social Media Accounts in Sumo Logic CSE
Adversaries create and cultivate fake or impersonation social media accounts to build credible personas for use in targeting operations. These accounts may impersonate real employees, HR staff, recruiters, or industry contacts to establish trust before launching spearphishing, credential harvesting, or intelligence-gathering campaigns. Detection focuses on downstream observables: inbound social engineering emails referencing social media profiles, employees receiving suspicious connection or recruitment messages, and threat intelligence correlation identifying accounts impersonating your organization's staff. Real-world examples include HEXANE creating fake LinkedIn HR accounts offering jobs, CURIUM building networks of fictitious profiles posing as attractive contacts, Scattered Spider creating matching fake social media accounts to support identity theft, and EXOTIC LILY mimicking target company employees to gain trust before delivering malware.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1585 Establish Accounts
- Sub-technique
- T1585.001 Social Media Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1585/001/
Sumo Detection Query
_sourceCategory=email/* OR _sourceCategory=mail/*
| where !(isNull(_raw))
// Normalize fields
| parse field=_raw "\"subject\":\"*\"" as subject nodrop
| parse field=_raw "\"from\":\"*\"" as sender nodrop
| parse field=_raw "\"to\":\"*\"" as recipient nodrop
| parse field=_raw "\"urls\":\"*\"" as urls nodrop
// Lowercase for matching
| toLowerCase(subject) as subject_lower
| toLowerCase(urls) as urls_lower
| toLowerCase(sender) as sender_lower
// Social engineering keyword detection in subject
| if(subject_lower matches "*(job opportunity|career opportunity|employment offer|found your profile|connect with you|exclusive opportunity|remote position|we are hiring|we're hiring|job opening|open role|recruiter|talent acquisition|linkedin connection|exciting opportunity|came across your profile|work from home|contractor position|freelance project)*", 1, 0) as social_eng_subject
// Social media URL detection
| if(urls_lower matches "*(linkedin.com|facebook.com|twitter.com|x.com|instagram.com|telegram.org|t.me|wa.me|discord.com|discord.gg|linktr.ee)*", 1, 0) as social_media_link
// External sender check
| if(!(sender_lower matches "*yourcompany.com*"), 1, 0) as is_external
// Risk scoring
| toInt(social_eng_subject) + toInt(social_media_link) as risk_score
| where risk_score >= 1 and is_external == 1
| if(risk_score >= 2, "HIGH", if(risk_score == 1, "MEDIUM", "LOW")) as risk_label
| fields _messageTime, sender, recipient, subject, urls_lower, social_eng_subject, social_media_link, risk_score, risk_label
| sort by risk_score desc, _messageTime descSumo Logic query detecting inbound social engineering emails containing social media profile links indicative of T1585.001 fake persona operations. Applies risk scoring based on keyword presence in subject line and URL body. Filters to external senders only.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate job boards or recruiting platforms sending outreach emails
- Internal talent acquisition teams using external email services
- Marketing emails from industry groups referencing social media channels
- Automated HR system notifications containing LinkedIn integration links
Other platforms for T1585.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Inbound Social Engineering Email with LinkedIn URL
Expected signal: EmailEvents: new record with SenderFromAddress='[email protected]', Subject containing 'job opportunity', Direction='Inbound'. EmailUrlInfo: record linking NetworkMessageId to 'linkedin.com/in/red-team-test-persona'. Microsoft Defender for Office 365 Safe Links may wrap the URL. Email gateway (Proofpoint/Mimecast/Cisco ESA) logs inbound message with external sender and social media URL.
- Test 2OSINT: Search for Fake Social Media Profiles Impersonating Company Employees
Expected signal: Browser history: outbound GET requests to google.com, linkedin.com, twitter.com search URLs from analyst workstation. Proxy logs: requests to search engines and social media platforms from analyst IP. No malicious telemetry expected — this is a defensive OSINT exercise.
- Test 3Test Email Display Name Spoofing Detection
Expected signal: EmailEvents: SenderFromAddress='[email protected]', SenderDisplayName='Jane Doe'. IdentityInfo join will match internal employee 'Jane Doe' with mismatched domain. Microsoft Defender for Office 365 anti-impersonation policy (if configured) will generate a ZapType action. Email gateway logs: From header mismatch between display name and envelope sender domain.
- Test 4Validate Social Media Profile Takedown Reporting Workflow
Expected signal: Outbound HTTP requests from analyst workstation to linkedin.com, twitter.com, facebook.com, telegram.org, web.archive.org. Proxy logs record the connection attempts. No malicious telemetry expected.
References (9)
- https://attack.mitre.org/techniques/T1585/001/
- https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
- http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- https://blog.google/threat-analysis-group/exotic-lily-initial-access-broker/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity/
- https://unit42.paloaltonetworks.com/medusa-ransomware/
- https://www.clearskysec.com/siamesekitten/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1585.001/T1585.001.md
Unlock Pro Content
Get the full detection package for T1585.001 including response playbook, investigation guide, and atomic red team tests.