title: Social Media Accounts (T1585.001)
id: df00tech-t1585-001
status: experimental
description: "Adversaries create and cultivate fake or impersonation social media accounts to build credible personas for use in targeting operations. These accounts may impersonate real employees, HR staff, recruiters, or industry contacts to establish trust before launching spearphishing, credential harvesting, or intelligence-gathering campaigns. Detection focuses on downstream observables: inbound social engineering emails referencing social media profiles, employees receiving suspicious connection or recruitment messages, and threat intelligence correlation identifying accounts impersonating your organization's staff. Real-world examples include HEXANE creating fake LinkedIn HR accounts offering jobs, CURIUM building networks of fictitious profiles posing as attractive contacts, Scattered Spider creating matching fake social media accounts to support identity theft, and EXOTIC LILY mimicking target company employees to gain trust before delivering malware."
references:
  - https://attack.mitre.org/techniques/T1585/001/
  - https://df00tech.com/detections/T1585.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1585.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate external recruiters using LinkedIn InMail or email to contact employees about real job opportunities
  - HR teams running internal talent acquisition campaigns referencing social media profiles
  - Marketing or PR staff receiving social media collaboration or partnership outreach
  - Security awareness training simulations sending test phishing emails with social media themes
  - Industry event organizers sending networking invitations with social media links
level: medium
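The rule body above is a placeholder, so here is an added example (not part of the df00tech rule) that scores constructed inbound-mail records for the three downstream observables named in the description: an external sender referencing a social media profile, recruitment lure wording, and a display name matching an internal employee. The domain, staff roster, sender addresses and message text are all invented for the sample.

```python
import re

# Constructed sample environment (hypothetical values, not taken from any real tenant).
INTERNAL_DOMAIN = "acme.test"
# Constructed employee roster used to spot display names that impersonate staff.
STAFF_NAMES = {"jane doe", "sam lee"}

# Constructed inbound mail metadata, the kind a mail gateway or SIEM would hold.
INBOUND_MAIL = [
    {"sender": "talent@hr-careers.test", "display": "Jane Doe (HR, Acme)",
     "subject": "Open role for you",
     "body": "Saw your profile at linkedin.com/in/jdoe, we are hiring now."},
    {"sender": "reports@acme.test", "display": "Reporting",
     "subject": "Weekly report", "body": "See attached summary."},
    {"sender": "inmail@recruiter-mail.test", "display": "Pat Recruiter",
     "subject": "Job opportunity",
     "body": "I found you on linkedin.com/in/slee and have a position to discuss."},
    {"sender": "news@vendor.test", "display": "Vendor News",
     "subject": "Product update", "body": "Follow us at twitter.com/vendor for release notes."},
]

PROFILE_RE = re.compile(r"(?:linkedin\.com/in/|twitter\.com/|x\.com/|facebook\.com/)[\w.-]+", re.I)
LURE_RE = re.compile(r"\b(?:jobs?|hiring|recruit\w*|opportunity|position|interview)\b", re.I)


def score_message(msg):
    """Return (score, reasons) for one message; internal senders always score 0."""
    sender_domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain == INTERNAL_DOMAIN:
        return 0, []
    reasons = []
    text = f'{msg["subject"]} {msg["body"]}'
    if PROFILE_RE.search(text):
        reasons.append("external sender references a social media profile")
    if LURE_RE.search(text):
        reasons.append("recruitment or job lure wording")
    if any(name in msg["display"].lower() for name in STAFF_NAMES):
        reasons.append("display name matches an internal employee")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Messages whose score reaches the threshold, most suspicious first."""
    hits = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            hits.append({"sender": msg["sender"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(INBOUND_MAIL):
        print(hit["sender"], hit["score"], "; ".join(hit["reasons"]))
```

The legitimate recruiter message still scores 2, which matches the first false-positive entry above; the staff-name match is what separates impersonation from ordinary recruiting, so raising the threshold to 3 or allowlisting known recruiter domains is the usual tuning step.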
