T1586.001

Social Media Accounts

Adversaries may compromise existing social media accounts to conduct operations against target organizations. Rather than creating new personas, adversaries compromise legitimate accounts to leverage existing trust relationships and follower networks. Compromised accounts are used to deliver spearphishing messages via social platforms (T1566.003), conduct OAuth-based initial access attacks, or establish connections with target employees as a precursor to further social engineering. Threat groups including Sandworm Team (credential capture webpages) and Leviathan/APT40 (social engineering campaigns) have leveraged compromised social media accounts in operations. Detection focuses on observable effects when compromised accounts interact with the organization: anomalous OAuth authentication events using social identity providers, suspicious OAuth consent grants that may follow social media phishing, and Microsoft Defender for Cloud Apps anomalies on monitored corporate social accounts.

Microsoft Sentinel / Defender

kusto

// T1586.001 — Social Media Account Compromise
// Detect anomalous sign-ins via social identity providers with composite risk scoring
// A compromised social media account used to access corporate resources via OAuth federation
// generates exactly this pattern: social IdP + elevated risk indicators
let SocialProviders = dynamic(["google", "facebook", "linkedin", "twitter", "github", "slack", "yahoo"]);
let RiskyCountryCodes = dynamic(["CN", "RU", "IR", "KP", "BY", "VE", "CU", "SY"]);
let LookbackPeriod = 24h;
SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where IdentityProvider has_any (SocialProviders)
    or (AuthenticationProtocol == "oAuth2" and AppDisplayName has_any (SocialProviders))
| extend CountryCode = tostring(LocationDetails.countryOrRegion)
| extend IsCompliant = tostring(DeviceDetail.isCompliant)
| extend TrustType = tostring(DeviceDetail.trustType)
| extend BrowserUA = tostring(DeviceDetail.browser)
| extend RiskScore = 0
| extend RiskScore = RiskScore + iif(RiskLevelAggregated in ("high", "medium"), 3, 0)
| extend RiskScore = RiskScore + iif(CountryCode in (RiskyCountryCodes), 2, 0)
| extend RiskScore = RiskScore + iif(IsCompliant != "true", 1, 0)
| extend RiskScore = RiskScore + iif(TrustType == "", 1, 0)
| extend RiskScore = RiskScore + iif(RiskEventTypes has_any ("anonymizedIPAddress", "unfamiliarFeatures", "maliciousIPAddress", "impossibleTravel", "leakedCredentials"), 3, 0)
| extend RiskScore = RiskScore + iif(IsInteractive == false, 1, 0)
| extend RiskScore = RiskScore + iif(ResultType != 0, 1, 0)
| where RiskScore >= 2
| project TimeGenerated, UserPrincipalName, IPAddress, CountryCode,
         IdentityProvider, AppDisplayName, AuthenticationProtocol,
         RiskLevelAggregated, RiskEventTypes, RiskScore,
         IsCompliant, TrustType, BrowserUA, CorrelationId, ResultType, ResultDescription
| sort by RiskScore desc, TimeGenerated desc

medium severity low confidence

Data Sources

Azure AD: Sign-in Logs Identity: Authentication Microsoft Entra ID / Azure Active Directory

Required Tables

SigninLogs

False Positives

Employees traveling internationally who use social identity provider SSO to access corporate applications, generating legitimate sign-ins from foreign country codes
Developers using GitHub or Google OAuth to access internal developer tools and cloud services from personal non-compliant devices outside MDM enrollment
Service accounts or CI/CD pipelines using OAuth federation with social identity providers for non-interactive automation (GitHub Actions, Google Cloud service accounts)
Employees using corporate VPN with split tunneling that causes their exit IP to appear in a high-risk country classification despite being physically in a legitimate location
New employees authenticating via social identity providers before their corporate device completes MDM enrollment and appears compliant in Azure AD

Splunk

spl

index=o365 sourcetype="ms:o365:management"
    (Operation="Consent to application" OR Operation="Add OAuth2PermissionGrant"
     OR Operation="Add service principal" OR Operation="Add delegation entry"
     OR Operation="Add app role assignment to service principal")
| rex field=_raw "\"Scope\":\"(?<GrantedScopes>[^\"]+)\""
| rex field=_raw "\"ApplicationName\":\"(?<AppName>[^\"]+)\""
| rex field=_raw "\"ConsentType\":\"(?<ConsentType>[^\"]+)\""
| rex field=_raw "\"ApplicationId\":\"(?<ApplicationId>[^\"]+)\""
| eval UserId=coalesce(UserId, ObjectId, "unknown")
| eval HighPrivScopes=if(
    match(GrantedScopes, "(Mail\.ReadWrite|Mail\.Read(?!\.Basic)|Contacts\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|RoleManagement\.ReadWrite|offline_access|User\.Read\.All|MailboxSettings\.ReadWrite|EWS\.AccessAsUser\.All)"),
    1, 0)
| eval AdminConsent=if(ConsentType="AllPrincipals", 1, 0)
| eval RiskScore=0
| eval RiskScore=RiskScore + if(HighPrivScopes=1, 2, 0)
| eval RiskScore=RiskScore + if(AdminConsent=1, 3, 0)
| eval RiskScore=RiskScore + if(AdminConsent=1 AND HighPrivScopes=1, 2, 0)
| where RiskScore > 0
| table _time, UserId, Operation, AppName, ApplicationId, ConsentType, GrantedScopes, HighPrivScopes, AdminConsent, RiskScore, ClientIP
| sort - RiskScore - _time

high severity low confidence

Data Sources

Microsoft 365: Unified Audit Log Identity: OAuth Consent Grants Azure AD: Application Activity

Required Sourcetypes

ms:o365:management

False Positives

IT administrators legitimately granting tenant-wide OAuth permissions to approved enterprise applications during onboarding or integration projects
Developers registering new applications and granting initial permissions to sandbox, development, or staging tenants
End users consenting to legitimate productivity and SaaS applications that are integrated with Microsoft 365 through sanctioned vendor onboarding processes
Automated provisioning systems (Entra ID Governance, lifecycle workflows) that use service principal OAuth grants for cross-tenant resource access

Elastic Security (EQL)

eql

sequence by user.name with maxspan=4h
  [authentication where event.dataset == "azure.signinlogs" and
   event.outcome == "success" and
   (
     tolower(azure.signinlogs.properties.identity_provider) in~ ("google", "facebook", "linkedin", "twitter", "github", "slack", "yahoo") or
     tolower(azure.signinlogs.properties.app_display_name) in~ ("google", "facebook", "linkedin", "twitter", "github", "slack", "yahoo")
   ) and
   (
     source.geo.country_iso_code in ("CN", "RU", "IR", "KP", "BY", "VE", "CU", "SY") or
     azure.signinlogs.properties.risk_level_aggregated in ("high", "medium") or
     azure.signinlogs.properties.device_detail.is_compliant != "true" or
     azure.signinlogs.properties.risk_event_types_v2 like~ "*anonymizedIPAddress*" or
     azure.signinlogs.properties.risk_event_types_v2 like~ "*impossibleTravel*" or
     azure.signinlogs.properties.risk_event_types_v2 like~ "*maliciousIPAddress*"
   )]
  [iam where event.dataset == "o365.audit" and
   event.action in~ ("Consent to application", "Add OAuth2PermissionGrant", "Add service principal", "Add delegation entry", "Add app role assignment to service principal") and
   (
     o365.audit.modified_properties.new_value like~ "*Mail.ReadWrite*" or
     o365.audit.modified_properties.new_value like~ "*Files.ReadWrite.All*" or
     o365.audit.modified_properties.new_value like~ "*Directory.ReadWrite*" or
     o365.audit.modified_properties.new_value like~ "*RoleManagement.ReadWrite*" or
     o365.audit.modified_properties.new_value like~ "*User.Read.All*" or
     o365.audit.modified_properties.new_value like~ "*EWS.AccessAsUser.All*" or
     o365.audit.modified_properties.new_value like~ "*AllPrincipals*"
   )]

high severity medium confidence

Data Sources

Azure AD Sign-in Logs via Elastic Azure integration (logs-azure.signinlogs-*) Microsoft 365 Unified Audit Logs via Elastic O365 integration (logs-o365.audit-*)

Required Tables

logs-azure.signinlogs-* logs-o365.audit-*

False Positives

Employees who legitimately use Google Workspace or LinkedIn SSO for corporate applications and subsequently approve standard productivity integrations (e.g., Zoom, Salesforce) from travel locations that map to high-risk country codes
IT administrators in non-compliant device states (e.g., during device enrollment) who perform authorized admin consent grants for newly approved enterprise applications as part of change management workflows
Automated provisioning pipelines that use social federated identity tokens during onboarding and perform delegated consent grants for approved SaaS tools as part of normal new-hire setup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username AS user_id,
  sourceip AS source_ip,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  "Application Name" AS app_name,
  "Application Id" AS application_id,
  "Granted Scopes" AS granted_scopes,
  "Consent Type" AS consent_type,
  CASE
    WHEN "Consent Type" = 'AllPrincipals' THEN 3
    ELSE 0
  END +
  CASE
    WHEN ("Granted Scopes" ILIKE '%Mail.ReadWrite%'
       OR "Granted Scopes" ILIKE '%Files.ReadWrite.All%'
       OR "Granted Scopes" ILIKE '%Directory.ReadWrite%'
       OR "Granted Scopes" ILIKE '%RoleManagement.ReadWrite%'
       OR "Granted Scopes" ILIKE '%User.Read.All%'
       OR "Granted Scopes" ILIKE '%EWS.AccessAsUser.All%'
       OR "Granted Scopes" ILIKE '%MailboxSettings.ReadWrite%')
    THEN 2
    ELSE 0
  END +
  CASE
    WHEN ("Consent Type" = 'AllPrincipals' AND (
       "Granted Scopes" ILIKE '%Mail.ReadWrite%'
    OR "Granted Scopes" ILIKE '%Files.ReadWrite.All%'
    OR "Granted Scopes" ILIKE '%Directory.ReadWrite%'
    OR "Granted Scopes" ILIKE '%RoleManagement.ReadWrite%'))
    THEN 2
    ELSE 0
  END AS risk_score
FROM events
WHERE LOGSOURCETYPEID IN (397, 504, 505)
  AND (
    QIDNAME(qid) ILIKE '%consent%'
    OR QIDNAME(qid) ILIKE '%OAuth%'
    OR QIDNAME(qid) ILIKE '%delegation%'
    OR QIDNAME(qid) ILIKE '%service principal%'
  )
  AND (
    "Granted Scopes" ILIKE '%Mail.ReadWrite%'
    OR "Granted Scopes" ILIKE '%Files.ReadWrite.All%'
    OR "Granted Scopes" ILIKE '%Directory.ReadWrite%'
    OR "Granted Scopes" ILIKE '%RoleManagement.ReadWrite%'
    OR "Granted Scopes" ILIKE '%User.Read.All%'
    OR "Granted Scopes" ILIKE '%EWS.AccessAsUser.All%'
    OR "Granted Scopes" ILIKE '%MailboxSettings.ReadWrite%'
    OR "Consent Type" = 'AllPrincipals'
  )
HAVING risk_score > 0
ORDER BY risk_score DESC, devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Office 365 log source (LOGSOURCETYPEID 397) Microsoft Azure Active Directory log source (LOGSOURCETYPEID 504, 505)

Required Tables

events

False Positives

IT departments performing authorized admin consent grants for approved enterprise SaaS applications during scheduled change windows — these will score high if they involve Mail or File scopes
DevOps automation service principals provisioned with broad Graph API permissions (e.g., User.Read.All for directory sync) during legitimate infrastructure deployments
Merger and acquisition workflows where external tenant applications are granted delegated access to mailboxes or SharePoint for data migration using EWS or Files.ReadWrite.All

Sumo Logic CSE

sql

(_sourceCategory=*azure* OR _sourceCategory=*o365* OR _sourceCategory=*microsoft* OR _sourceCategory=*aad*)
| json "Operation", "UserId", "ClientIP", "ApplicationId" nodrop
| json "ModifiedProperties" as ModProps nodrop
| json "ExtendedProperties" as ExtProps nodrop
| where Operation in ("Consent to application", "Add OAuth2PermissionGrant", "Add service principal",
                       "Add delegation entry", "Add app role assignment to service principal")
     OR (Operation in ("UserLoggedIn", "Sign-in") AND
         (%"AppName" matches /(?i)(google|facebook|linkedin|twitter|github|slack|yahoo)/
          OR %"AuthMethod" matches /(?i)(oauth|federation|social)/))
| parse regex field=ModProps "(?i)\"NewValue\":\"(?<GrantedScopes>[^\"]*(?:Mail\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|RoleManagement\.ReadWrite|User\.Read\.All|EWS\.AccessAsUser\.All|MailboxSettings\.ReadWrite)[^\"]*)\""
| parse regex field=ModProps "(?i)\"ConsentType\":\"(?<ConsentType>[^\"]+)\"" nodrop
| parse regex field=ModProps "(?i)\"ApplicationName\":\"(?<AppName>[^\"]+)\"" nodrop
| parse regex field=ExtProps "(?i)\"RequestType\":\"(?<RequestType>[^\"]+)\"" nodrop
| eval HighPrivScopes = if (!isNull(GrantedScopes) AND GrantedScopes != "", 1, 0)
| eval AdminConsent = if (ConsentType = "AllPrincipals", 1, 0)
| eval SocialIdP = if (AppName matches /(?i)(google|facebook|linkedin|twitter|github|slack|yahoo)/, 1, 0)
| eval RiskScore = (HighPrivScopes * 2) + (AdminConsent * 3) + (if(AdminConsent = 1 AND HighPrivScopes = 1, 2, 0)) + (SocialIdP * 1)
| where RiskScore > 0
| fields _messageTime, UserId, Operation, AppName, ApplicationId, ConsentType, GrantedScopes, HighPrivScopes, AdminConsent, SocialIdP, RiskScore, ClientIP
| sort by RiskScore desc, _messageTime desc

high severity medium confidence

Data Sources

Microsoft 365 Unified Audit Logs Azure Active Directory Sign-in and Audit Logs

Required Tables

_sourceCategory matching *azure*, *o365*, *microsoft*, or *aad* partitions

False Positives

Help desk or IT staff performing legitimate tenant-wide admin consent for approved third-party SaaS applications (e.g., DocuSign, Workday) that require Mail or File scopes — these will produce RiskScore 5+ and require suppression by known application IDs
Security awareness platforms or phishing simulation tools that use Google or LinkedIn OAuth for participant tracking, generating both social IdP sign-ins and potentially high-scope consent events
Partner tenant application provisioning during B2B collaboration setup where external organizations grant service principals access to shared SharePoint or mailbox data

Google Chronicle / SecOps

yaral

rule social_media_account_compromise_t1586_001 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1586.001: successful social identity provider OAuth authentication followed within 4 hours by a high-privilege scope consent grant from the same user. Models the post-compromise OAuth phishing chain used by Leviathan/APT40 and Sandworm: compromise social account, use it to phish OAuth consent, gain persistent delegated access to corporate resources."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1586.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2024-01-01"
    platforms = "Azure AD, Microsoft 365"
    references = "https://attack.mitre.org/techniques/T1586/001/"

  events:
    // Stage 1: Successful social identity provider sign-in with risk indicator
    $signin.metadata.event_type = "USER_LOGIN"
    $signin.metadata.vendor_name = "Microsoft"
    $signin.security_result.severity != "INFORMATIONAL"
    (
      re.regex($signin.network.application_protocol_version, `(?i)(google|facebook|linkedin|twitter|github|slack|yahoo)`) or
      re.regex($signin.target.application.name, `(?i)(google|facebook|linkedin|twitter|github|slack|yahoo)`) or
      re.regex($signin.extensions.auth.auth_details, `(?i)identityprovider.*(google|facebook|linkedin|twitter|github|slack|yahoo)`)
    )
    (
      $signin.principal.ip_geo_artifact.location.country_or_region = "CN" or
      $signin.principal.ip_geo_artifact.location.country_or_region = "RU" or
      $signin.principal.ip_geo_artifact.location.country_or_region = "IR" or
      $signin.principal.ip_geo_artifact.location.country_or_region = "KP" or
      $signin.principal.ip_geo_artifact.location.country_or_region = "BY" or
      $signin.security_result.risk_score > 50 or
      re.regex($signin.security_result.threat_name, `(?i)(anonymizedIP|impossibleTravel|maliciousIP|leakedCredentials|unfamiliarFeatures)`)
    )
    $signin.principal.user.email_addresses[0] = $user_email

    // Stage 2: High-privilege OAuth consent grant within 4 hours of sign-in
    $consent.metadata.event_type = "USER_RESOURCE_ACCESS"
    $consent.metadata.vendor_name = "Microsoft"
    (
      $consent.metadata.product_event_type = "Consent to application" or
      $consent.metadata.product_event_type = "Add OAuth2PermissionGrant" or
      $consent.metadata.product_event_type = "Add service principal" or
      $consent.metadata.product_event_type = "Add delegation entry"
    )
    (
      re.regex($consent.target.resource.attribute.labels.value, `(?i)(Mail\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|RoleManagement\.ReadWrite\.All|User\.Read\.All|EWS\.AccessAsUser\.All|MailboxSettings\.ReadWrite)`) or
      $consent.target.resource.attribute.labels["consent_type"] = "AllPrincipals"
    )
    $consent.principal.user.email_addresses[0] = $user_email

    // Temporal: consent follows sign-in within 4-hour window
    $signin.metadata.event_timestamp.seconds <= $consent.metadata.event_timestamp.seconds
    $consent.metadata.event_timestamp.seconds <= $signin.metadata.event_timestamp.seconds + 14400

  condition:
    $signin and $consent
}

high severity medium confidence

Data Sources

Google Chronicle UDM — Microsoft Azure AD authentication events (USER_LOGIN) Google Chronicle UDM — Microsoft 365 Unified Audit events (USER_RESOURCE_ACCESS)

Required Tables

UDM event types: USER_LOGIN, USER_RESOURCE_ACCESS

False Positives

Employees using LinkedIn Learning or Google Workspace SSO for corporate access who subsequently approve Teams or SharePoint integrations, particularly when traveling internationally for legitimate business
IT administrators federating new identity providers as part of an approved SSO migration project — the new IdP configuration test may generate both social sign-in events and broad consent grants
New employee onboarding in organizations using social identity for initial account bootstrap, where the IT helpdesk performs admin consent on behalf of new users for approved productivity suites

CrowdStrike LogScale (CQL)

cql

// CrowdStrike Falcon Identity Protection + Falcon Horizon (Azure AD/O365 integration)
// Detects T1586.001: social IdP OAuth sign-ins and high-privilege consent grants with composite risk scoring
// Requires: Falcon Identity Protection license OR Falcon Horizon with Azure AD data ingestion

#event_simpleName = /^(UserActivityAuditEvent|IdpAuthAuditEvent|OAuthConsentGrant|AzureADSignIn|CloudIdentityEvent)$/

// Normalize identity provider and application name fields
| idpNorm := lower(coalesce(IdentityProviderType, ExternalIdpType, FederatedIdentityProvider, ""))
| appNorm := lower(coalesce(ApplicationDisplayName, ClientAppName, ServicePrincipalName, ""))
| scopeField := coalesce(GrantedScopes, OAuthScopes, DelegatedScopes, "")
| consentTypeField := coalesce(ConsentType, OAuthConsentType, "")

// Filter to events relevant to social IdP auth or OAuth consent operations
| test{
    match(idpNorm, /google|facebook|linkedin|twitter|github|slack|yahoo/) or
    match(appNorm, /google|facebook|linkedin|twitter|github|slack|yahoo/) or
    match(EventType, /(?i)(consent|oauth2permission|delegation|service.principal)/) or
    match(Operation, /(?i)(consent|oauth|delegation|serviceprincipal)/)
  }

// Composite risk scoring — mirrors KQL and SPL logic
| riskScore := 0
| riskScore := riskScore + if(match(RiskLevelAggregated, /(?i)(high|medium)/), 3, 0)
| riskScore := riskScore + if(match(CountryCode, /^(CN|RU|IR|KP|BY|VE|CU|SY)$/), 2, 0)
| riskScore := riskScore + if(DeviceCompliant != "true", 1, 0)
| riskScore := riskScore + if(TrustType = "", 1, 0)
| riskScore := riskScore + if(IsInteractiveLogin = "false", 1, 0)
| riskScore := riskScore + if(match(RiskEventTypes, /(?i)(anonymizedIPAddress|impossibleTravel|maliciousIPAddress|leakedCredentials|unfamiliarFeatures)/), 3, 0)
| riskScore := riskScore + if(match(scopeField, /Mail\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|RoleManagement\.ReadWrite|User\.Read\.All|EWS\.AccessAsUser\.All|MailboxSettings\.ReadWrite/), 2, 0)
| riskScore := riskScore + if(consentTypeField = "AllPrincipals", 3, 0)
| riskScore := riskScore + if(consentTypeField = "AllPrincipals" AND match(scopeField, /Mail\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|RoleManagement\.ReadWrite/), 2, 0)

| where riskScore >= 2

| groupBy(
    [UserPrincipalName, idpNorm, appNorm, SourceIPAddress, CountryCode,
     RiskLevelAggregated, consentTypeField, scopeField, Operation],
    function=[
      count(as=EventCount),
      max(riskScore, as=MaxRiskScore),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort MaxRiskScore desc

high severity low confidence

Data Sources

CrowdStrike Falcon Identity Protection (IdpAuthAuditEvent, UserActivityAuditEvent) CrowdStrike Falcon Horizon with Azure AD integration (AzureADSignIn, OAuthConsentGrant) CrowdStrike Falcon SIEM Connector forwarding Azure AD / O365 logs into LogScale

Required Tables

Falcon event stream: UserActivityAuditEvent, IdpAuthAuditEvent, OAuthConsentGrant, AzureADSignIn, CloudIdentityEvent

False Positives

Authorized remote workers or executives traveling to high-risk geographic regions for legitimate business who use Google or LinkedIn SSO for corporate application access
Automated service accounts and CI/CD pipelines performing non-interactive OAuth authentication with broad delegated scopes for approved integrations — these consistently appear as IsInteractiveLogin=false with potentially high-privilege scopes
Security red team or penetration testing engagements that simulate OAuth phishing against test accounts configured with social IdP federation — coordinate with the red team calendar before tuning suppression

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1586.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Social Media Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections