1. Home
  2. Techniques
  3. Enterprise
  4. Data from Information Repositories
  5. Messaging Applications

Data from Information Repositories: Messaging Applications

ID Name
T1213.001 Confluence
T1213.002 Sharepoint
T1213.003 Code Repositories
T1213.004 Customer Relationship Management Software
T1213.005 Messaging Applications
T1213.006 Databases

Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:

  • Testing / development credentials (i.e., Chat Messages)
  • Source code snippets
  • Links to network shares and other internal resources
  • Proprietary data[1]
  • Discussions about ongoing incident response efforts[2][3]

In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.[4][5]

ID: T1213.005
Sub-technique of:  T1213
Tactic: Collection
Platforms: Office Suite, SaaS
Contributors: Menachem Goldstein; Obsidian Security
Version: 1.0
Created: 30 August 2024
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
G0117 Fox Kitten

Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.[6]
G1004 LAPSUS$

LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.[7]
G1015 Scattered Spider

Scattered Spider threat actors search the victim’s Slack and Microsoft Teams for conversations about the intrusion and incident response.[8]

Mitigations

ID Mitigation Description
M1047 Audit

Preemptively search through communication services to find inappropriately shared data, and take actions to reduce exposure when found.

M1060 Out-of-Band Communications Channel

Implement secure out-of-band communication channels to use as an alternative to in-network chat applications during a security incident. This ensures that critical communications remain secure even if primary messaging channels are compromised by adversaries.[9]
M1017 User Training

Develop and publish policies that define acceptable information to be posted in chat applications.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0567 Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments AN1565

Atypical access to Slack or Teams conversations via APIs, automation tokens, or bulk message export functionality, particularly after an account takeover or rare sign-in pattern. Often includes mass retrieval of chat history, download of message content, or scraping of workspace/channel metadata.
AN1566

Suspicious access to Microsoft Teams chat messages via eDiscovery, Graph API, or export methods after rare or compromised sign-in. Often associated with excessive file access, sensitive content review, or anomaly from expected user behavior.

References

  1. Keza MacDonald, Keith Stuart and Alex Hern. (2022, September 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?. Retrieved August 30, 2024.
  2. Joe Uchill. (2021, December 3). Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms. Retrieved August 30, 2024.
  3. Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.
  4. Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024.
  5. Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.
  1. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  2. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  3. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  4. Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.