Detect Social Media Accounts in IBM QRadar
Adversaries may compromise existing social media accounts to conduct operations against target organizations. Rather than creating new personas, adversaries compromise legitimate accounts to leverage existing trust relationships and follower networks. Compromised accounts are used to deliver spearphishing messages via social platforms (T1566.003), conduct OAuth-based initial access attacks, or establish connections with target employees as a precursor to further social engineering. Threat groups including Sandworm Team (credential capture webpages) and Leviathan/APT40 (social engineering campaigns) have leveraged compromised social media accounts in operations. Detection focuses on observable effects when compromised accounts interact with the organization: anomalous OAuth authentication events using social identity providers, suspicious OAuth consent grants that may follow social media phishing, and Microsoft Defender for Cloud Apps anomalies on monitored corporate social accounts.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1586 Compromise Accounts
- Sub-technique
- T1586.001 Social Media Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1586/001/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
username AS user_id,
sourceip AS source_ip,
QIDNAME(qid) AS event_name,
LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
"Application Name" AS app_name,
"Application Id" AS application_id,
"Granted Scopes" AS granted_scopes,
"Consent Type" AS consent_type,
CASE
WHEN "Consent Type" = 'AllPrincipals' THEN 3
ELSE 0
END +
CASE
WHEN ("Granted Scopes" ILIKE '%Mail.ReadWrite%'
OR "Granted Scopes" ILIKE '%Files.ReadWrite.All%'
OR "Granted Scopes" ILIKE '%Directory.ReadWrite%'
OR "Granted Scopes" ILIKE '%RoleManagement.ReadWrite%'
OR "Granted Scopes" ILIKE '%User.Read.All%'
OR "Granted Scopes" ILIKE '%EWS.AccessAsUser.All%'
OR "Granted Scopes" ILIKE '%MailboxSettings.ReadWrite%')
THEN 2
ELSE 0
END +
CASE
WHEN ("Consent Type" = 'AllPrincipals' AND (
"Granted Scopes" ILIKE '%Mail.ReadWrite%'
OR "Granted Scopes" ILIKE '%Files.ReadWrite.All%'
OR "Granted Scopes" ILIKE '%Directory.ReadWrite%'
OR "Granted Scopes" ILIKE '%RoleManagement.ReadWrite%'))
THEN 2
ELSE 0
END AS risk_score
FROM events
WHERE LOGSOURCETYPEID IN (397, 504, 505)
AND (
QIDNAME(qid) ILIKE '%consent%'
OR QIDNAME(qid) ILIKE '%OAuth%'
OR QIDNAME(qid) ILIKE '%delegation%'
OR QIDNAME(qid) ILIKE '%service principal%'
)
AND (
"Granted Scopes" ILIKE '%Mail.ReadWrite%'
OR "Granted Scopes" ILIKE '%Files.ReadWrite.All%'
OR "Granted Scopes" ILIKE '%Directory.ReadWrite%'
OR "Granted Scopes" ILIKE '%RoleManagement.ReadWrite%'
OR "Granted Scopes" ILIKE '%User.Read.All%'
OR "Granted Scopes" ILIKE '%EWS.AccessAsUser.All%'
OR "Granted Scopes" ILIKE '%MailboxSettings.ReadWrite%'
OR "Consent Type" = 'AllPrincipals'
)
ORDER BY risk_score DESC, devicetime DESC
LAST 24 HOURS
Detects suspicious OAuth consent grants in Microsoft 365 and Azure AD environments ingested into QRadar. The WHERE clause keeps only consent, OAuth, delegation and service-principal events that either grant one of the listed high-privilege scopes or are consented tenant-wide, so every returned row scores at least 2. A composite risk score (maximum 7) then ranks the rows: +3 for tenant-wide admin consent (Consent Type = AllPrincipals), +2 for any high-privilege scope (Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite, RoleManagement.ReadWrite, User.Read.All, EWS.AccessAsUser.All, MailboxSettings.ReadWrite), and a further +2 when a tenant-wide grant includes Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite or RoleManagement.ReadWrite. These combinations are key indicators of OAuth phishing that follows social media account compromise. The query targets the Office 365 (LOGSOURCETYPEID 397) and Azure AD (504/505) log source types and relies on the custom event properties "Application Name", "Application Id", "Granted Scopes" and "Consent Type" being extracted for them.
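To see how the scoring behaves on concrete events, the following Python script is an added example; it is not part of the original detection content and not IBM QRadar tooling. It renders the same filter and composite CASE logic as standard SQL, runs it in an in-memory SQLite table, and scores a handful of constructed consent events. Column names stand in for the QRadar custom event properties, the users, IPs and application names are invented, and AQL's ILIKE becomes SQLite's LIKE, which is case-insensitive for ASCII. It also includes a Test 1 style consent to 'Mail.Read Contacts.Read offline_access' to show that read-only, user-level grants fall outside the query.

```python
"""Added example, not part of the original QRadar content: replays the
detection's filter and risk-scoring logic in SQLite against constructed
OAuth consent events. Column names mirror the QRadar custom event
properties; AQL's ILIKE is rendered as SQLite LIKE (case-insensitive)."""
import sqlite3

# Scope substrings the QRadar query treats as high privilege (+2).
HIGH_PRIV_SCOPES = [
    "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite",
    "RoleManagement.ReadWrite", "User.Read.All", "EWS.AccessAsUser.All",
    "MailboxSettings.ReadWrite",
]
# Subset that earns a further +2 when granted tenant-wide (AllPrincipals).
TENANT_WIDE_SCOPES = HIGH_PRIV_SCOPES[:4]
# Event-name substrings standing in for the QIDNAME(qid) ILIKE filters.
EVENT_NAME_PATTERNS = ["consent", "OAuth", "delegation", "service principal"]

# Constructed sample events (invented users, IPs and application names).
# Columns: username, source_ip, event_name, app_name, granted_scopes, consent_type
SAMPLE_EVENTS = [
    ("alice", "203.0.113.10", "Consent to application", "MailSync Helper",
     "Mail.ReadWrite Files.ReadWrite.All offline_access", "AllPrincipals"),
    ("bob", "198.51.100.7", "Consent to application", "Calendar Widget",
     "Mail.ReadWrite offline_access", "Principal"),
    # Test 1 style consent: read-only scopes, user-level consent -> not matched
    ("carol", "192.0.2.44", "Consent to application", "df00tech-oauth-test-1",
     "Mail.Read Contacts.Read offline_access", "Principal"),
    ("dave", "192.0.2.45", "Add service principal", "HR Sync",
     "User.Read.All", "AllPrincipals"),
    # Unrelated audit event: fails the event-name filter
    ("erin", "192.0.2.46", "Update user", "", "", ""),
]


def _any_like(column, patterns):
    """OR together one LIKE '%pattern%' clause per substring."""
    return " OR ".join(f"{column} LIKE '%{p}%'" for p in patterns)


def build_query():
    """SQLite rendering of the AQL query's WHERE filter and composite score."""
    scope_match = _any_like("granted_scopes", HIGH_PRIV_SCOPES)
    tenant_match = _any_like("granted_scopes", TENANT_WIDE_SCOPES)
    name_match = _any_like("event_name", EVENT_NAME_PATTERNS)
    return f"""
        SELECT username, source_ip, event_name, app_name, granted_scopes, consent_type,
               (CASE WHEN consent_type = 'AllPrincipals' THEN 3 ELSE 0 END)
             + (CASE WHEN {scope_match} THEN 2 ELSE 0 END)
             + (CASE WHEN consent_type = 'AllPrincipals' AND ({tenant_match})
                     THEN 2 ELSE 0 END) AS risk_score
        FROM events
        WHERE ({name_match})
          AND ({scope_match} OR consent_type = 'AllPrincipals')
        ORDER BY risk_score DESC, username
    """


def run_detection(events=SAMPLE_EVENTS):
    """Load events into an in-memory table and return the scored matches."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE events (username TEXT, source_ip TEXT, event_name TEXT,"
        " app_name TEXT, granted_scopes TEXT, consent_type TEXT)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", events)
    rows = [dict(r) for r in conn.execute(build_query())]
    conn.close()
    return rows


if __name__ == "__main__":
    for row in run_detection():
        print(f"{row['risk_score']}  {row['username']:6} {row['consent_type']:14} "
              f"{row['app_name']}: {row['granted_scopes']}")
```

Running it returns three rows: the tenant-wide Mail.ReadWrite grant scores the maximum 7 (3 + 2 + 2), the tenant-wide User.Read.All service principal scores 5 (User.Read.All is not in the tenant-wide subset, so no extra +2), and the user-level Mail.ReadWrite consent scores 2. Every row that passes the WHERE clause scores at least 2, so a post-filter on risk_score > 0 never removes anything; the carol and erin events never reach the scoring stage.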
Data Sources
Required Tables
- events (QRadar AQL), restricted to log source types 397 (Microsoft Office 365) and 504/505 (Azure AD) as referenced in the query above
- Custom event properties the query reads: "Application Name", "Application Id", "Granted Scopes", "Consent Type"; if these are not extracted for the log sources above, the WHERE clause cannot match and the query returns nothing
False Positives & Tuning
- IT departments performing authorized admin consent grants for approved enterprise SaaS applications during scheduled change windows — these will score high if they involve Mail or File scopes
- DevOps automation service principals provisioned with broad Graph API permissions (e.g., User.Read.All for directory sync) during legitimate infrastructure deployments
- Merger and acquisition workflows where external tenant applications are granted delegated access to mailboxes or SharePoint for data migration using EWS or Files.ReadWrite.All
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate OAuth Consent Grant Following Social Media Phishing Link
Expected signal: Azure AD AuditLogs: OperationName='Add application' showing a new app registration with AppName matching df00tech-oauth-test-*. If the test user navigates to the URL and consents: a SigninLogs entry for the test user with AppDisplayName matching the test app, followed by AuditLogs OperationName='Consent to application' with Scope='Mail.Read Contacts.Read offline_access'. Microsoft Defender for Cloud Apps will generate an OAuth app governance alert if MCAS is configured with tenant OAuth monitoring. Note that a user-level consent to 'Mail.Read Contacts.Read offline_access' contains none of the scope substrings the query above filters on (Mail.ReadWrite, Files.ReadWrite.All and so on), so the query fires on this test only if the test app requests one of those scopes or the consent is granted tenant-wide (Consent Type = AllPrincipals).
- Test 2: Test Anomalous Social Identity Provider Sign-in Detection
Expected signal: Azure AD SigninLogs: an entry with IdentityProvider='github' (or Microsoft external identity), UserAgent containing 'Googlebot', DeviceDetail.browser='Other' or an unknown classification, and DeviceDetail.isCompliant='false' (non-MDM device). The Azure AD risk engine may flag it as an 'unfamiliarFeatures' risk detection, incrementing RiskLevelAggregated. The sign-in results in a redirect (not a full authentication) but is still captured in the logs.
- Test 3: Credential Stuffing Simulation Against Social Identity Federated Account
Expected signal: Azure AD SigninLogs: 5 entries with ResultType=50126 (AADSTS50126: Invalid username or password) or 50053 (AADSTS50053: account locked) for TEST_USER within a 20-second window. The IPAddress and UserAgent fields match curl defaults. Azure AD Identity Protection may generate a 'Password spray' or 'Leaked credentials' risk detection. This simulates the upstream account compromise that precedes T1586.001 use against a victim organization; these failed sign-ins are not consent events and are not matched by the OAuth consent query above, so they need a separate failed-sign-in rule.
- Test 4: Corporate Social Media Account Exposure Enumeration (Authorized OSINT)
Expected signal: DNS queries to linkedin.com and github.com from the network running the script, visible in proxy and DNS logs. No authentication events are generated against the target organization's Azure AD. GitHub API calls are logged in the GitHub audit log if an org membership query is made.
References (10)
- https://attack.mitre.org/techniques/T1586/001/
- https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/
- https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
- http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- https://www.cisa.gov/sites/default/files/publications/AA21-200A.pdf
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema
- https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-suspicious-activity
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-activities
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow