Data from Information Repositories: Messaging Applications

Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:

  • Testing / development credentials (i.e., Chat Messages)
  • Source code snippets
  • Links to network shares and other internal resources
  • Proprietary data[1]
  • Discussions about ongoing incident response efforts[2][3]

In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.[4][5]

ID: T1213.005
Sub-technique of: T1213
Tactic: Collection
Platforms: Office Suite, SaaS
Contributors: Menachem Goldstein; Obsidian Security
Version: 1.0
Created: 30 August 2024
Last Modified: 16 October 2024

Procedure Examples

ID Name Description
G0117 Fox Kitten

Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.[6]

G1004 LAPSUS$

LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.[7]

G1015 Scattered Spider

Scattered Spider threat actors search the victim’s Slack and Microsoft Teams for conversations about the intrusion and incident response.[8]

Mitigations

ID Mitigation Description
M1047 Audit

Preemptively search through communication services to find inappropriately shared data, and take actions to reduce exposure when found.

M1060 Out-of-Band Communications Channel

Implement secure out-of-band communication channels to use as an alternative to in-network chat applications during a security incident. This ensures that critical communications remain secure even if primary messaging channels are compromised by adversaries.[9]

M1017 User Training

Develop and publish policies that define acceptable information to be posted in chat applications.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor third-party application logs, messaging activity, and other artifacts that may indicate messaging applications being used to collect valuable information. Monitor access to messaging applications, especially by privileged users such as Active Directory Domain or Enterprise Administrators, as these account types should generally not be used to access messaging applications. In high-maturity environments, it may be possible to use User Behavior Analytics (UBA) platforms to detect and alert on user-based anomalies.
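As an added example (not part of the ATT&CK page or any vendor's tooling), the following Python applies the detection guidance above to constructed audit-log lines: it flags privileged accounts touching messaging applications, searches containing sensitive terms, and a burst of message searches by one user. The log field names, group names, term list and threshold are assumptions for the example.

```python
import json
from collections import Counter

# Constructed sample audit events for this example. Field names and values are
# assumptions, not any vendor's real Teams or Slack audit-log schema.
SAMPLE_LOG = """
{"ts": "2024-10-16T09:01:00Z", "user": "alice", "groups": ["Staff"], "app": "MicrosoftTeams", "op": "MessageRead", "query": ""}
{"ts": "2024-10-16T09:02:10Z", "user": "svc-da-admin", "groups": ["Domain Admins"], "app": "MicrosoftTeams", "op": "MessageSearch", "query": "vpn password"}
{"ts": "2024-10-16T09:02:40Z", "user": "bob", "groups": ["Staff"], "app": "Slack", "op": "MessageSearch", "query": "incident response"}
{"ts": "2024-10-16T09:03:00Z", "user": "bob", "groups": ["Staff"], "app": "Slack", "op": "MessageSearch", "query": "credentials share"}
{"ts": "2024-10-16T09:03:30Z", "user": "bob", "groups": ["Staff"], "app": "Slack", "op": "MessageSearch", "query": "fileserver finance"}
"""

# Accounts in these groups should not be reading chat at all; tune the term
# list and threshold to the environment (the values here are constructed).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
SENSITIVE_TERMS = ("password", "credential", "incident", "token", "secret")
SEARCH_BURST_THRESHOLD = 3


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of alert dicts for the three behaviours described above."""
    alerts = []
    searches_per_user = Counter()
    for e in events:
        hit_groups = PRIVILEGED_GROUPS & set(e["groups"])
        if hit_groups:  # privileged identity using a messaging application
            alerts.append({"rule": "privileged_account_messaging_access", "user": e["user"],
                           "detail": f"{e['op']} on {e['app']} as {sorted(hit_groups)}"})
        if e["op"] == "MessageSearch":
            searches_per_user[e["user"]] += 1
            matched = [t for t in SENSITIVE_TERMS if t in e["query"].lower()]
            if matched:  # search aimed at credentials or IR discussion
                alerts.append({"rule": "sensitive_term_search", "user": e["user"],
                               "detail": f"query {e['query']!r} matched {matched}"})
    # A run of searches by one user hints at mining rather than normal chat use.
    for user, n in searches_per_user.items():
        if n >= SEARCH_BURST_THRESHOLD:
            alerts.append({"rule": "search_burst", "user": user,
                           "detail": f"{n} message searches in the window"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```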

References