MITRE ATT&CK® Technique

T1586.001: Social Media Accounts

Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. Social Media Accounts), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.

A variety of methods exist for compromising social media accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).[1] Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.[2][3] Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).

Domain: Enterprise | ID: T1586.001 | Type: Sub-technique | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Compromised social media accounts matter because they can turn trusted online relationships into a pretext for targeting employees, executives, partners, or other people of interest. This is a pre-compromise resource-development behavior: the attacker is preparing credibility before an intrusion attempt, often to support later social engineering such as spearphishing via a service. For leaders, the risk is not just “social media misuse,” but loss of trust in identity signals outside enterprise control.

Executive priority

Prioritize this as an early-warning and resilience issue for high-risk roles, sensitive business functions, and organizations exposed to social engineering. Ask whether security programs cover pre-compromise activity, not only malware and endpoint events. Useful governance questions include: which executives or teams are most likely to be targeted through trusted social networks, what evidence can the organization collect or preserve when a suspicious outreach occurs, and how incident response coordinates with communications, legal, HR, and affected third-party platforms.

Technical view

This ATT&CK object is a PRE-platform, resource-development sub-technique of Compromise Accounts. MITRE provides no official detection text, so SOC and detection engineering should avoid assuming direct technical visibility. Validate processes for reporting and triaging suspicious social media outreach, account impersonation concerns, unusual connection requests, and messages that move users toward credential collection or spearphishing via service. Relationship context indicates a detection strategy exists as DET0870, and mitigation is aligned to M1056 Pre-compromise: reducing attack surface and identifying adversarial preparation before exploitation.

Likely telemetry

  • User-reported suspicious social media messages, connection requests, or profile changes involving trusted personas
  • Security awareness and phishing-reporting submissions that include social media lures or external service links
  • Identity and access management events if social media contact leads to credential phishing or attempted account use
  • Email, web proxy, DNS, or secure web gateway logs for links delivered through social platforms and later accessed from corporate devices
  • Incident response case notes, screenshots, URLs, account names, timestamps, and platform abuse-report records

Detection direction

  • Treat this as weakly observable from enterprise telemetry unless employees report it or links are followed from managed environments.
  • Tune triage playbooks to connect suspicious social media outreach with later phishing, credential harvesting, or spearphishing-via-service activity.
  • Prioritize validation for high-value targets such as executives, administrators, business development, recruiting, legal, finance, and personnel with sensitive partner relationships.
  • Account for false positives: legitimate networking, recruiting, sales outreach, and personal communications can resemble early targeting without additional context.
  • Use relationship context carefully: ATT&CK maps Sandworm Team and Leviathan as users of this behavior, but the supplied data does not justify attributing local activity to those groups.
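As an added illustration (not part of the Glexia take or of MITRE's object), the Python below correlates constructed user reports of suspicious social-media outreach with constructed web-proxy log lines, the way the telemetry and detection-direction bullets above suggest: it flags reported lure URLs that were actually fetched from a managed device, lists hosts the same user reached shortly afterwards as candidate credential-harvest pages, and ranks the case by role. The log format, role names and the ten-minute follow-on window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample data (not from the page): two user reports of suspicious
# social-media outreach and a few web-proxy log lines from managed devices.
REPORTS = [
    {"reporter": "cfo@example.test", "role": "finance", "platform": "LinkedIn",
     "url": "https://docs-share.example.test/offer?utm=li"},
    {"reporter": "dev1@example.test", "role": "engineering", "platform": "Twitter",
     "url": "http://cdn.pics.example.test/photo.jpg"},
]
PROXY_LOG = """\
2024-03-01T09:12:03Z host=wks-011 user=cfo@example.test url=https://docs-share.example.test/offer?utm=li&ref=x status=200
2024-03-01T09:14:40Z host=wks-011 user=cfo@example.test url=https://login-docs-share.example.test/auth status=200
2024-03-01T10:02:11Z host=wks-042 user=dev1@example.test url=https://intranet.example.test/ status=200
"""
HIGH_VALUE_ROLES = {"executive", "finance", "legal", "recruiting", "admin"}  # assumed role labels
LINE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) url=(?P<url>\S+) status=\d+")
FOLLOW_WINDOW = timedelta(minutes=10)  # assumed window for follow-on navigation

def url_key(url):
    """Normalise to (host, path) so tracking parameters cannot hide a match."""
    p = urlsplit(url)
    return p.hostname.lower(), (p.path.rstrip("/") or "/")

def parse_log(text):
    """Parse the assumed key=value proxy format; timestamps become datetimes."""
    rows = [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]
    for r in rows:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rows

def correlate(reports, proxy_log):
    """One triage case per report whose lure URL was fetched from a managed device."""
    rows = parse_log(proxy_log)
    cases = []
    for rep in reports:
        hits = [r for r in rows if url_key(r["url"]) == url_key(rep["url"])]
        if not hits:
            continue  # lure reported but never followed: awareness follow-up only
        first = min(hits, key=lambda r: r["ts"])
        # Hosts the same user reached shortly after the lure: candidate credential-harvest pages.
        after = {url_key(r["url"])[0] for r in rows
                 if r["user"] == first["user"] and first["ts"] < r["ts"] <= first["ts"] + FOLLOW_WINDOW}
        cases.append({"technique": "T1586.001", "reporter": rep["reporter"],
                      "platform": rep["platform"], "device": first["host"],
                      "first_access": first["ts"].isoformat(), "follow_on_hosts": sorted(after),
                      "priority": "high" if rep["role"] in HIGH_VALUE_ROLES else "normal"})
    return cases
```

A case with no proxy hit is intentionally dropped from the queue; as the bullets above note, a report alone is weak evidence and belongs in the awareness workflow rather than in incident triage.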

Mitigation priorities

  • Implement pre-compromise controls consistent with M1056: reduce exposed information that helps adversaries choose or impersonate trusted personas.
  • Provide role-based awareness for personnel likely to receive trusted-persona social engineering, including how to preserve and report suspicious social media interactions.
  • Define IR handling for social media-originated targeting, including evidence capture, internal escalation, and coordination with platform abuse channels where appropriate.
  • Strengthen downstream defenses because the compromised profile may only be the delivery path: credential phishing resistance, MFA, secure link handling, and phishing-report workflows remain important.
  • Review executive and brand exposure periodically so the organization can distinguish legitimate public presence from suspicious relationship-building activity.

Analyst notes and limits

The object describes adversaries compromising existing social media accounts rather than creating new personas, using the credibility of known relationships to support targeting. External references include historical reporting on compromised credentials and social media-based operations. The ATT&CK relationship set includes DET0870 as a detection strategy, M1056 as mitigation, parent technique T1586, and group-use relationships for Sandworm Team and Leviathan.

MITRE provides no official detection guidance for this object, and the platform is PRE, meaning many indicators occur outside enterprise-controlled systems. Local conclusions require organization-specific reporting, telemetry, and context from affected users or social media platforms. This take does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                 Relationship / procedure
Enterprise  T1586   Compromise Accounts  This object is a sub-technique of Compromise Accounts.

Associated objects

Groups, software, and campaigns

Group (Enterprise domain)

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Group (Enterprise domain)

G0065: Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: f3f5248fc0e7bc27...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  f3f5248fc0e7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] AnonHBGary: Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.
  2. [2] NEWSCASTER2014: Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.
  3. [3] BlackHatRobinSage: Ryan, T. (2010). “Getting In Bed with Robin Sage.” Retrieved March 6, 2017.
  4. [4] mitre-attack: T1586.001.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.