T1586.001 Elastic Security · Elastic

Detect Social Media Accounts in Elastic Security

Adversaries may compromise existing social media accounts to conduct operations against target organizations. Rather than creating new personas, adversaries compromise legitimate accounts to leverage existing trust relationships and follower networks. Compromised accounts are used to deliver spearphishing messages via social platforms (T1566.003), conduct OAuth-based initial access attacks, or establish connections with target employees as a precursor to further social engineering. Threat groups including Sandworm Team (credential capture webpages) and Leviathan/APT40 (social engineering campaigns) have leveraged compromised social media accounts in operations. Detection focuses on observable effects when compromised accounts interact with the organization: anomalous OAuth authentication events using social identity providers, suspicious OAuth consent grants that may follow social media phishing, and Microsoft Defender for Cloud Apps anomalies on monitored corporate social accounts.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1586 Compromise Accounts
Sub-technique
T1586.001 Social Media Accounts
Canonical reference
https://attack.mitre.org/techniques/T1586/001/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by user.name with maxspan=4h
  [authentication where event.dataset == "azure.signinlogs" and
   event.outcome == "success" and
   (
     tolower(azure.signinlogs.properties.identity_provider) in~ ("google", "facebook", "linkedin", "twitter", "github", "slack", "yahoo") or
     tolower(azure.signinlogs.properties.app_display_name) in~ ("google", "facebook", "linkedin", "twitter", "github", "slack", "yahoo")
   ) and
   (
     source.geo.country_iso_code in ("CN", "RU", "IR", "KP", "BY", "VE", "CU", "SY") or
     azure.signinlogs.properties.risk_level_aggregated in ("high", "medium") or
     azure.signinlogs.properties.device_detail.is_compliant != "true" or
     azure.signinlogs.properties.risk_event_types_v2 like~ "*anonymizedIPAddress*" or
     azure.signinlogs.properties.risk_event_types_v2 like~ "*impossibleTravel*" or
     azure.signinlogs.properties.risk_event_types_v2 like~ "*maliciousIPAddress*"
   )]
  [iam where event.dataset == "o365.audit" and
   event.action in~ ("Consent to application", "Add OAuth2PermissionGrant", "Add service principal", "Add delegation entry", "Add app role assignment to service principal") and
   (
     o365.audit.modified_properties.new_value like~ "*Mail.ReadWrite*" or
     o365.audit.modified_properties.new_value like~ "*Files.ReadWrite.All*" or
     o365.audit.modified_properties.new_value like~ "*Directory.ReadWrite*" or
     o365.audit.modified_properties.new_value like~ "*RoleManagement.ReadWrite*" or
     o365.audit.modified_properties.new_value like~ "*User.Read.All*" or
     o365.audit.modified_properties.new_value like~ "*EWS.AccessAsUser.All*" or
     o365.audit.modified_properties.new_value like~ "*AllPrincipals*"
   )]
high severity medium confidence

Detects T1586.001 via a two-stage sequence: (1) successful social identity provider OAuth authentication with elevated risk indicators (risky geolocations, anomalous risk events, non-compliant device), followed within 4 hours by (2) a high-privilege OAuth scope consent grant from the same user principal. The sequence requirement significantly reduces false positives by correlating both stages of the post-compromise OAuth phishing chain.

Data Sources

Azure AD Sign-in Logs via Elastic Azure integration (logs-azure.signinlogs-*)Microsoft 365 Unified Audit Logs via Elastic O365 integration (logs-o365.audit-*)

Required Tables

logs-azure.signinlogs-*logs-o365.audit-*

False Positives & Tuning

  • Employees who legitimately use Google Workspace or LinkedIn SSO for corporate applications and subsequently approve standard productivity integrations (e.g., Zoom, Salesforce) from travel locations that map to high-risk country codes
  • IT administrators in non-compliant device states (e.g., during device enrollment) who perform authorized admin consent grants for newly approved enterprise applications as part of change management workflows
  • Automated provisioning pipelines that use social federated identity tokens during onboarding and perform delegated consent grants for approved SaaS tools as part of normal new-hire setup
Download portable Sigma rule (.yml)

Other platforms for T1586.001

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate OAuth Consent Grant Following Social Media Phishing Link

    Expected signal: Azure AD AuditLogs: OperationName='Add application' showing new app registration with AppName matching df00tech-oauth-test-*. If test user navigates to URL and consents: SigninLogs entry for test user with AppDisplayName matching test app, followed by AuditLogs OperationName='Consent to application' with Scope='Mail.Read Contacts.Read offline_access'. Microsoft Defender for Cloud Apps will generate an OAuth app governance alert if MCAS is configured with tenant OAuth monitoring.

  2. Test 2Test Anomalous Social Identity Provider Sign-in Detection

    Expected signal: Azure AD SigninLogs: entry with IdentityProvider='github' (or Microsoft external identity), UserAgent containing 'Googlebot', DeviceDetail.browser='Other' or unknown classification, DeviceDetail.isCompliant='false' (non-MDM device). Azure AD risk engine may flag as 'unfamiliarFeatures' risk detection, incrementing RiskLevelAggregated. The sign-in will result in a redirect (not a full authentication) but is still captured in logs.

  3. Test 3Credential Stuffing Simulation Against Social Identity Federated Account

    Expected signal: Azure AD SigninLogs: 5 entries with ResultType=50126 (AADSTS50126: Invalid username or password) or 50053 (AADSTS50053: account locked) for TEST_USER within a 20-second window. IPAddress and UserAgent fields match curl defaults. Azure AD Identity Protection may generate 'Password spray' or 'Leaked credentials' risk detection. This simulates the upstream account compromise that precedes T1586.001 use against a victim organization.

  4. Test 4Corporate Social Media Account Exposure Enumeration (Authorized OSINT)

    Expected signal: DNS queries to linkedin.com, github.com from the network running this script — visible in proxy and DNS logs. No authentication events generated against the target organization's Azure AD. GitHub API calls logged in GitHub audit log if an org membership query is made.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1586.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1586Compromise Accounts

Related Sub-techniques

T1586.002Email AccountsT1586.003Cloud Accounts

Related Techniques

T1586Compromise AccountsT1585.001Social Media AccountsT1566.003Spearphishing via ServiceT1598.003Spearphishing LinkT1539Steal Web Session CookieT1111Multi-Factor Authentication InterceptionT1550.001Application Access TokenT1078.004Cloud AccountsT1110.003Password Spraying

Same Tactic: Resource Development

Popular Detections