title: Social Media Accounts (T1586.001)
id: df00tech-t1586-001
status: experimental
description: "Adversaries may compromise existing social media accounts to conduct operations against target organizations. Rather than creating new personas, they take over legitimate accounts to inherit the owner's existing trust relationships and follower network. Compromised accounts are then used to deliver spearphishing messages through social platforms (T1566.003), to obtain initial access through OAuth consent phishing, or to build relationships with target employees as a precursor to further social engineering. Threat groups including Sandworm Team (credential capture webpages) and Leviathan/APT40 (social engineering campaigns) have used compromised social media accounts in their operations. The account takeover itself happens outside the target organization's telemetry, so detection focuses on the observable effects when a compromised account interacts with the organization: anomalous OAuth sign-ins that use social identity providers, suspicious OAuth consent grants that may follow social media phishing, and Microsoft Defender for Cloud Apps anomalies on monitored corporate social accounts."
references:
  - https://attack.mitre.org/techniques/T1586/001/
  - https://df00tech.com/detections/T1586.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1586.001
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# Sigma's Azure log sources for the events the description names are azure/signinlogs
# (sign-in events) and azure/auditlogs ("Consent to application" events); which one
# applies depends on the query you deploy (assumption: this rule targets one of those two).
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # WARNING: the placeholder selection below is a wildcard on EventID and therefore matches
  # every Azure event. Deployed as-is it will fire on all ingested logs. Replace it with the
  # translated query before enabling this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Employees traveling internationally who use social identity provider SSO to access corporate applications, generating legitimate sign-ins from foreign country codes"
  - Developers using GitHub or Google OAuth to access internal developer tools and cloud services from personal non-compliant devices outside MDM enrollment
  - "Service accounts or CI/CD pipelines using OAuth federation with social identity providers for non-interactive automation (GitHub Actions, Google Cloud service accounts)"
  - Employees whose corporate VPN or cloud proxy egresses in another country, so the sign-in source IP geolocates to a high-risk country classification although the user is physically in a legitimate location
  - New employees authenticating via social identity providers before their corporate device completes MDM enrollment and appears compliant in Azure AD
level: medium
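The correlation the description sketches, an anomalous sign-in through a social identity provider followed shortly by an OAuth consent grant for the same user, written out as an added Python example. This is not df00tech's KQL/SPL query and not part of the rule above. `Consent to application` is the Entra ID audit log operation name; every other field name (`identityProvider`, `country`, `deviceCompliant`, `scopes`) is an assumption standing in for whatever columns your SignInLogs/AuditLogs export carries, and the log records are constructed. The allowlist covers the non-interactive CI/CD federation identities listed under falsepositives.

```python
"""Correlate social-IdP sign-ins with follow-on OAuth consent grants.

Added example, not df00tech's query. Field names are assumed; records are constructed.
"""
from datetime import datetime, timedelta

# Social identity providers that a compromised personal account would authenticate through.
SOCIAL_IDPS = {"google.com", "github.com", "facebook.com", "live.com"}
HIGH_RISK_COUNTRIES = {"KP", "IR"}          # illustrative; use your own risk list
ALLOWLIST = {"ci-deploy@corp.example"}      # non-interactive OAuth federation identities
CONSENT_WINDOW = timedelta(minutes=30)      # how soon after a sign-in a consent grant is suspicious

# Constructed sample sign-in records (assumed schema, not real telemetry).
SIGNIN_LOGS = [
    {"time": "2026-04-13T10:00:00Z", "user": "alice@corp.example", "identityProvider": "google.com",
     "country": "US", "deviceCompliant": False, "ip": "203.0.113.10"},
    {"time": "2026-04-13T10:05:00Z", "user": "bob@corp.example", "identityProvider": "github.com",
     "country": "US", "deviceCompliant": True, "ip": "203.0.113.11"},
    {"time": "2026-04-13T10:06:00Z", "user": "ci-deploy@corp.example", "identityProvider": "github.com",
     "country": "US", "deviceCompliant": False, "ip": "198.51.100.5"},
    {"time": "2026-04-13T10:30:00Z", "user": "carol@corp.example", "identityProvider": "corp.example",
     "country": "IR", "deviceCompliant": True, "ip": "198.51.100.7"},
    {"time": "2026-04-13T11:00:00Z", "user": "dave@corp.example", "identityProvider": "live.com",
     "country": "KP", "deviceCompliant": True, "ip": "192.0.2.20"},
]

# Constructed sample audit records (assumed schema apart from the operation name).
AUDIT_LOGS = [
    {"time": "2026-04-13T10:12:00Z", "user": "alice@corp.example", "operationName": "Consent to application",
     "appDisplayName": "Mail Sync Helper", "scopes": "Mail.ReadWrite offline_access"},
    {"time": "2026-04-13T10:15:00Z", "user": "bob@corp.example", "operationName": "Update user",
     "appDisplayName": "", "scopes": ""},
    {"time": "2026-04-13T13:00:00Z", "user": "dave@corp.example", "operationName": "Consent to application",
     "appDisplayName": "Calendar Widget", "scopes": "Calendars.Read"},
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def anomalous_social_signins(signins):
    """Sign-ins via a social IdP from a non-compliant device or a high-risk country.

    Corporate-IdP sign-ins are out of scope for this rule, and allowlisted automation
    identities are skipped to suppress the CI/CD false positive.
    """
    alerts = []
    for ev in signins:
        if ev["identityProvider"] not in SOCIAL_IDPS or ev["user"] in ALLOWLIST:
            continue
        reasons = []
        if not ev["deviceCompliant"]:
            reasons.append("device not MDM-compliant")
        if ev["country"] in HIGH_RISK_COUNTRIES:
            reasons.append(f"sign-in from high-risk country {ev['country']}")
        if reasons:
            alerts.append({"user": ev["user"], "time": _ts(ev["time"]), "idp": ev["identityProvider"],
                           "ip": ev["ip"], "reasons": reasons, "severity": "medium"})
    return alerts


def consent_following_social_signin(signin_alerts, audits):
    """Consent grants by a user within CONSENT_WINDOW after their anomalous social-IdP sign-in."""
    alerts = []
    for grant in audits:
        if grant["operationName"] != "Consent to application":
            continue
        gtime = _ts(grant["time"])
        for sa in signin_alerts:
            if sa["user"] == grant["user"] and timedelta(0) <= gtime - sa["time"] <= CONSENT_WINDOW:
                alerts.append({"user": grant["user"], "time": gtime, "app": grant["appDisplayName"],
                               "scopes": grant["scopes"], "preceding_signin": sa, "severity": "high"})
    return alerts


def run(signins, audits):
    """Return all alerts: medium for anomalous sign-ins, high for a correlated consent grant."""
    signin_alerts = anomalous_social_signins(signins)
    return signin_alerts + consent_following_social_signin(signin_alerts, audits)


if __name__ == "__main__":
    for alert in run(SIGNIN_LOGS, AUDIT_LOGS):
        print(alert["severity"], alert["user"], alert.get("reasons") or alert.get("app"))
```

On the constructed data, alice's non-compliant Google sign-in followed twelve minutes later by a consent grant for a mail-reading app is the high-severity hit; dave's sign-in from a high-risk country is flagged on its own, but his consent grant two hours later falls outside the window and is not correlated. The window and the country list are the tuning knobs; widen the window and the rule drifts toward the travel and proxy false positives listed above.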
