T1593.001: Social Media
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victims into revealing specific information (i.e. Spearphishing Service).[1] Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Spearphishing via Service).
Analyst context for executives and security teams
Social Media is a pre-compromise reconnaissance behavior where adversaries use public social platforms to learn who works at an organization, what they do, where they are located, what business events are underway, and what interests or relationships could make targeting more believable. The business risk is not the social media search itself; it is that publicly available context can make phishing, fake profiles, account targeting, and later initial access attempts more credible.
Executive priority
Treat this as an exposure-management and readiness issue, not only a SOC alerting problem. Leaders should ask whether public-facing staff, executives, recruiters, developers, and sensitive business units are unintentionally publishing details that make impersonation or spearphishing easier. Priority should be placed on reducing unnecessary public information, preparing staff to recognize social-media-enabled approaches, and ensuring incident response playbooks account for pre-compromise reconnaissance that may precede phishing or account abuse.
Technical view
ATT&CK lists this sub-technique under Reconnaissance on the PRE platform, with no official detection text provided. Defensive validation should therefore focus on whether the organization can observe and investigate signals around suspicious social media engagement, fake profiles or groups, targeted outreach to employees, and follow-on behaviors referenced by ATT&CK such as Spearphishing Service, Phishing for Information, Search Open Technical Databases, Establish Accounts, Compromise Accounts, and Spearphishing via Service. Relationship context shows a detection strategy, DET0812 Detection of Social Media, and mitigation M1056 Pre-compromise, so teams should validate pre-compromise monitoring and attack-surface reduction rather than relying only on endpoint or network detections.
Likely telemetry
- Public social media presence and corporate account activity records where available
- Employee-reported suspicious social media messages, connection requests, groups, or fake profiles
- Security awareness and phishing-reporting submissions tied to social media contact
- Brand, executive, and impersonation monitoring findings
- Threat intelligence reporting on campaigns, groups, or techniques using social media reconnaissance
Detection direction
- Because MITRE provides no official detection guidance for this object, validate local detection coverage against DET0812 and documented pre-compromise monitoring use cases.
- Tune for suspicious patterns around impersonation, recruiter-style lures, unsolicited social outreach, and employee reports, while accounting for legitimate recruiting, sales, marketing, and partner engagement that can create false positives.
- Correlate social media reconnaissance indicators with follow-on phishing-for-information, spearphishing via service, suspicious account establishment, or account compromise activity.
- Confirm that SOC intake processes can preserve employee reports and external evidence from social platforms before content or profiles disappear.
- Use relationship context cautiously: Operation Dream Job, Kimsuky, EXOTIC LILY, and Contagious Interview are listed as using this behavior, but that does not imply those actors are present in a given environment.
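One way to put the correlation and false-positive points above into practice, as an added example that is not part of the page, Glexia's tooling or ATT&CK: employee reports of unsolicited social outreach are linked to later follow-on events (phishing reports, identity anomalies) for the same employee or the same sender persona inside a time window, and a case is escalated when the linked evidence is strong enough or the same persona has approached several employees. All records, event types, weights and the allowlist of known recruiting personas are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample intake records (not from the page): employee reports of
# unsolicited social-media outreach, and later events of the kinds the page
# lists as follow-on behaviour (phishing reports, identity anomalies).
SOCIAL_REPORTS = [
    {"id": "SR-1", "employee": "alice", "platform": "linkedin",
     "persona": "Jane Recruiter", "reported": date(2024, 3, 1)},
    {"id": "SR-2", "employee": "bob", "platform": "x",
     "persona": "devops_meetup", "reported": date(2024, 3, 5)},
    {"id": "SR-3", "employee": "carol", "platform": "linkedin",
     "persona": "Jane Recruiter", "reported": date(2024, 3, 20)},
]
FOLLOW_ON_EVENTS = [
    {"type": "phishing_report", "employee": "alice", "persona": "Jane Recruiter", "ts": date(2024, 3, 4)},
    {"type": "mfa_push_anomaly", "employee": "alice", "persona": None, "ts": date(2024, 3, 10)},
    {"type": "phishing_report", "employee": "bob", "persona": "newsletter", "ts": date(2024, 5, 1)},
    {"type": "phishing_report", "employee": "dave", "persona": "Jane Recruiter", "ts": date(2024, 3, 22)},
]
# Assumed weights: how strongly each follow-on event type supports escalation.
EVENT_WEIGHTS = {"phishing_report": 2, "mfa_push_anomaly": 3, "account_takeover": 4}


def correlate(reports, events, window_days=14, known_personas=frozenset()):
    """Link each reported outreach to follow-on events for the same employee or
    the same sender persona inside the window, and flag cases to escalate.
    Allowlisted personas (known recruiters, partners) are still scored but never
    escalated, reflecting the legitimate-outreach false positives noted above."""
    persona_counts = Counter(r["persona"] for r in reports
                             if r["persona"] not in known_personas)
    cases = []
    for r in reports:
        deadline = r["reported"] + timedelta(days=window_days)
        linked = [e for e in events
                  if r["reported"] <= e["ts"] <= deadline
                  and (e["employee"] == r["employee"]
                       or (e["persona"] and e["persona"] == r["persona"]))]
        score = sum(EVENT_WEIGHTS.get(e["type"], 1) for e in linked)
        repeat = persona_counts[r["persona"]] > 1  # same persona hit several staff
        escalate = r["persona"] not in known_personas and (score >= 3 or repeat)
        cases.append({"report": r["id"], "score": score, "linked": len(linked),
                      "persona_repeat": repeat, "escalate": escalate})
    return cases


if __name__ == "__main__":
    for case in correlate(SOCIAL_REPORTS, FOLLOW_ON_EVENTS):
        print(case)
```

SR-3 escalates on persona reuse alone even though its own linked evidence is weak, which is the kind of cross-employee pattern a single per-report alert would miss.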
Mitigation priorities
- Apply M1056 Pre-compromise principles by limiting unnecessary public information that reveals staff roles, locations, internal projects, business changes, or sensitive operating context.
- Provide role-based guidance for executives, recruiters, developers, public-facing staff, and high-risk business units on safe social media disclosure and suspicious outreach reporting.
- Maintain processes for brand, executive, and employee impersonation reporting and takedown coordination with social platforms where appropriate.
- Integrate social-media-enabled reconnaissance scenarios into security awareness, phishing simulations, and incident response playbooks.
- Review whether public announcements, hiring posts, and staff profiles expose information that could assist targeting or fake-profile pretexting.
Analyst notes and limits
This technique is most useful for prioritizing pre-compromise controls and investigation context. It often becomes material when combined with related behaviors such as phishing for information, spearphishing via service, establishing accounts, or compromising accounts. Detection engineering should emphasize correlation and reporting workflows rather than expecting a single high-fidelity technical alert.
The supplied ATT&CK object provides no official detection text and identifies only the PRE platform. The mitigation relationship description is truncated in the supplied data. Any assessment of exposure, actor activity, or detection coverage requires local evidence from public-facing content, employee reports, social platform processes, identity telemetry, and follow-on phishing or account activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1593 | Search Open Websites/Domains | This object is a sub-technique of Search Open Websites/Domains. |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G1052: Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities.[1][2][3][4][5][6][7][8]
G1011: EXOTIC LILY
EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.[1]
C0022: Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 890a6fa77da7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020.
[2] MITRE ATT&CK. T1593.001 (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.