T1585: Establish Accounts
Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.[1][2]
For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.[1][2]
Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for Phishing for Information or Phishing.[3] In addition, establishing accounts may allow adversaries to abuse free services, such as registering for trial periods to Acquire Infrastructure for malicious purposes.[4]
Analyst context for executives and security teams
Establish Accounts is a pre-compromise behavior where adversaries create online identities, email accounts, social media profiles, or cloud accounts to make later targeting look legitimate. For leaders, the risk is not the account creation itself but the trust it can manufacture before phishing, vishing, cloud abuse, or infrastructure setup reaches the organization.
Executive priority
Treat this as an early-warning and resilience issue: can the organization recognize suspicious personas or newly created external accounts before they influence employees, customers, partners, or cloud workflows? Priority areas include social-engineering readiness, brand and executive impersonation monitoring, phishing response processes, cloud abuse visibility, and evidence that pre-compromise controls are in place for audit and risk reviews.
Technical view
This technique sits in Resource Development on the PRE platform, so much of the activity occurs outside enterprise endpoints and networks. SOC and IR teams should validate whether DET0873 or an equivalent detection strategy is operational, but should not assume standard endpoint telemetry will see this behavior. Detection should focus on relationship-driven context from the sub-techniques: social media accounts, email accounts, and cloud accounts that may support later phishing, phishing for information, acquisition of infrastructure, cloud storage use, or tool staging as described by ATT&CK relationships.
Likely telemetry
- External brand, executive, employee, and recruiter/persona impersonation monitoring results
- Reports from employees, partners, or customers about suspicious social media or professional networking profiles
- Inbound email security logs, headers, sender domains, account age/reputation signals where available, and phishing-report mailbox submissions
- Cloud security and abuse monitoring related to suspicious use of free trials, cloud storage, or newly observed external cloud resources
- Threat intelligence reporting that links observed personas, emails, or cloud accounts to known campaigns, groups, or ATT&CK sub-techniques
Detection direction
- Confirm whether DET0873 is implemented and what evidence sources it depends on; ATT&CK provides no official detection text for this object.
- Tune detections around suspicious external personas and accounts in context, not account existence alone, because legitimate new accounts are common.
- Correlate suspicious personas with inbound phishing, phishing-for-information, vishing reports, cloud storage links, or infrastructure acquisition indicators when available.
- Validate intake paths for human reporting; employees and partners may be the first sensors for fake profiles or cultivated personas.
- Watch for blind spots where activity occurs entirely on third-party platforms that the organization does not log directly.
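One way to put the "context, not account existence alone" direction above into practice, as an added example that is not Glexia or ATT&CK material: it scores an inbound message on sender-account age, free-mail provider use, executive display-name impersonation and a user phishing report, and only alerts when several signals coincide. The watchlist names, provider set, field names and log records are assumptions constructed for illustration.

```python
"""Context-based triage of inbound external senders (added example).
Scores several signals so a newly created sender account alone does not
alert. All records, names and providers here are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed watchlist: names that brand/executive monitoring would protect.
EXECUTIVE_NAMES = {"jane doe", "john roe"}
# Constructed: providers where throwaway accounts are easy to register.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "proton.me"}
ALERT_THRESHOLD = 3  # one signal (e.g. a new account) is never enough

@dataclass
class InboundMessage:
    msg_id: str
    sender: str            # envelope-from address
    display_name: str      # From: header display name
    first_seen: date       # first time the gateway saw this sender
    received: date
    user_reported: bool = False  # sent to the phishing-report mailbox

def score_message(msg: InboundMessage) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason is one contextual signal."""
    reasons = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    age_days = (msg.received - msg.first_seen).days
    if age_days <= 7:
        reasons.append(f"sender first seen {age_days}d ago")
    if domain in FREEMAIL_DOMAINS:
        reasons.append("free-mail provider")
    if msg.display_name.strip().lower() in EXECUTIVE_NAMES:
        reasons.append("display name matches executive watchlist")
    if msg.user_reported:
        reasons.append("reported by a user")
    return len(reasons), reasons

def triage(messages):
    """Return (msg_id, reasons) for messages at or above the threshold."""
    hits = [(score_message(m), m.msg_id) for m in messages]
    hits.sort(key=lambda h: -h[0][0])
    return [(mid, r) for (s, r), mid in hits if s >= ALERT_THRESHOLD]

SAMPLE = [  # constructed inbound log records
    InboundMessage("m1", "billing@example-partner.com", "Vendor Billing",
                   date(2022, 3, 1), date(2024, 6, 3)),
    InboundMessage("m2", "new.hire@gmail.com", "New Hire",
                   date(2024, 6, 1), date(2024, 6, 3)),
    InboundMessage("m3", "jane.doe.ceo@proton.me", "Jane Doe",
                   date(2024, 6, 2), date(2024, 6, 3), user_reported=True),
]
```

Message m2 (new free-mail account, nothing else) stays below the threshold, while m3 (new account, free-mail, executive display name, user report) is the only triage hit.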
Mitigation priorities
- Apply M1056 Pre-compromise mitigations: reduce exposed information that helps adversaries build believable personas and targeting narratives.
- Strengthen security awareness and reporting workflows for suspicious social media, email, recruiter, partner, or executive impersonation contact.
- Maintain clear processes for takedown, legal, communications, and incident response escalation when fake accounts or personas are identified.
- Harden email and cloud-facing controls so accounts created externally are less useful for phishing, trial abuse, or malicious cloud resource use.
- Use threat intelligence and brand monitoring to identify adversarial preparation before it becomes credential theft, data access, or extortion activity.
Analyst notes and limits
ATT&CK maps this technique to multiple sub-techniques—Social Media Accounts, Email Accounts, and Cloud Accounts—and to several groups and a campaign in the supplied relationships. Those mappings show relevance across threat reporting, but they do not prove current activity against any specific organization. The Salesforce Data Exfiltration campaign relationship is useful for understanding how pre-compromise accounts can support social-engineering-led operations, while remaining careful not to infer local exposure.
Official ATT&CK detection guidance is not provided for T1585, and PRE-platform activity often happens outside direct enterprise visibility. Local confidence depends on third-party monitoring coverage, employee reporting quality, email/cloud telemetry retention, and the organization’s ability to correlate external personas with later events.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1585.003 | Cloud Accounts | Sub-technique of this object. |
| Enterprise | T1585.002 | Email Accounts | Sub-technique of this object. |
| Enterprise | T1585.001 | Social Media Accounts | Sub-technique of this object. |
Groups, software, and campaigns
G1052: Contagious Interview
Contagious Interview is a North Korea-aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities.[1][2][3][4][5][6][7][8]
G0117: Fox Kitten
Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[1][2][3][4]
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
G0025: APT17
C0059: Salesforce Data Exfiltration
The Salesforce Data Exfiltration campaign began in October 2024 with financially-motivated threat actor UNC6040 using Spearphishing Voice (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the "ShinyHunters" group. The observed infrastructure and TTPs used during the Salesforce Data Exfiltration campaign overlap with those used by threat groups with suspected ties to the broader collective known as "The Com". These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 9ae8f538dc34… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] NEWSCASTER2014: Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.
[2] BlackHatRobinSage: Ryan, T. (2010). "Getting In Bed with Robin Sage." Retrieved March 6, 2017.
[3] Mandiant APT1: Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
[4] Free Trial PurpleUrchin: Gamazo, W., & Quist, N. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.
[5] mitre-attack T1585: MITRE ATT&CK source object for T1585.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.