MITRE ATT&CK® Detection Strategy

DET0870: Detection of Social Media Accounts

Enterprise | DET0870 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0870 is a MITRE detection strategy for identifying activity related to compromised social media accounts, which maps to ATT&CK T1586.001. The business significance is that this behavior sits before intrusion: an adversary may use a trusted existing persona to support targeting or social engineering. That makes it relevant to executive protection, brand trust, phishing readiness, and incident triage even though the ATT&CK object provides no official detection logic.

Executive priority

Treat this as a resilience and risk-governance question, not just a SOC rule. Leaders should ask whether the organization knows which social media accounts matter to the business, who owns them, how a compromise would be reported, and whether incidents involving trusted online personas are captured in phishing, fraud, executive protection, and incident response processes. Because the related technique belongs to the Resource Development tactic on the PRE platform, coverage may depend on threat intelligence, reporting workflows, and identity governance more than on traditional endpoint alerts.

Technical view

SOC and IR teams should validate how they would receive and correlate reports involving compromised or suspicious social media personas used in targeting. Since the detection strategy has no official ATT&CK detection text and no specified platforms or tactics, teams should avoid assuming SIEM coverage exists. Useful validation should focus on whether social engineering reports, brand or executive account monitoring, identity events for organization-managed social accounts, and threat intelligence observations can be connected to suspected targeting activity mapped to T1586.001.

Likely telemetry

  • Inventory of organization-managed or business-critical social media accounts, where maintained
  • Authentication, recovery, and administrative-change records for managed social media accounts, where available from the provider or account owner
  • User-reported suspicious outreach, phishing, impersonation, or social engineering attempts involving social media personas
  • Threat intelligence or open-source monitoring observations about suspicious use of existing social profiles
  • Incident response case notes linking social media contact to attempted targeting

Detection direction

  • Confirm whether DET0870 is being treated as a PRE/resource-development detection use case tied to T1586.001, not as an endpoint-only analytic.
  • Validate intake paths for employee, executive, customer-facing, and brand-team reports involving suspicious social media outreach.
  • Tune triage to distinguish compromised existing accounts from newly created impersonation accounts, because the related ATT&CK technique specifically concerns compromised social media accounts.
  • Document blind spots where social media provider logs, account ownership, or monitoring authority are unavailable.
  • Use relationship context to enrich phishing and social engineering cases when the observed persona appears to be an existing trusted account.

Mitigation priorities

  • Establish ownership and inventory for business-critical social media accounts before relying on detection.
  • Require clear reporting and escalation paths for suspected social media account compromise or suspicious outreach.
  • Integrate social media-related reports into phishing, fraud, executive protection, and incident response workflows.
  • Review access governance for organization-managed social media accounts, including account recovery and administrative change control where available.
  • Use tabletop or detection validation exercises to test how PRE-stage social media targeting would be recognized and escalated.

Analyst notes and limits

The ATT&CK object is a detection strategy named “Detection of Social Media Accounts” with external ID DET0870. It detects T1586.001, Social Media Accounts, which describes adversaries compromising social media accounts that can be used during targeting and social engineering. The value of this object is mainly in coverage planning and case enrichment because the official object does not provide a detection description, analytic logic, platforms, or tactics.

Official description and detection fields are not provided, and the detection strategy has no specified platforms or tactics. Recommendations therefore remain high-level and should be validated against local account ownership, provider log availability, monitoring authority, and reporting processes. No active exploitation, attribution, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detection of Social Media Accounts

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                   Type           Relationship / procedure
Enterprise  T1586.001  Social Media Accounts  Sub-technique  This object detects Social Media Accounts.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in the mirrored snapshot)
Modified: (not present in the mirrored snapshot)
Raw hash: 84e1ebeeb3ff4151...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  84e1ebeeb3ff…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0870

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.