1. Home
  2. Techniques
  3. Enterprise
  4. Data from Information Repositories
  5. Messaging Applications

Data from Information Repositories: Messaging Applications

ID Name
T1213.001 Confluence
T1213.002 Sharepoint
T1213.003 Code Repositories
T1213.004 Customer Relationship Management Software
T1213.005 Messaging Applications

Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:

  • Testing / development credentials (i.e., Chat Messages)
  • Source code snippets
  • Links to network shares and other internal resources
  • Proprietary data[1]
  • Discussions about ongoing incident response efforts[2][3]

In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.[4][5]

ID: T1213.005
Sub-technique of:  T1213
Tactic: Collection
Platforms: Office Suite, SaaS
Contributors: Menachem Goldstein; Obsidian Security
Version: 1.0
Created: 30 August 2024
Last Modified: 16 October 2024
Version Permalink

Procedure Examples

ID Name Description
G0117 Fox Kitten

Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.[6]
G1004 LAPSUS$

LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.[7]
G1015 Scattered Spider

Scattered Spider threat actors search the victim’s Slack and Microsoft Teams for conversations about the intrusion and incident response.[8]

Mitigations

ID Mitigation Description
M1047 Audit

Preemptively search through communication services to find inappropriately shared data, and take actions to reduce exposure when found.

M1060 Out-of-Band Communications Channel

Implement secure out-of-band communication channels to use as an alternative to in-network chat applications during a security incident. This ensures that critical communications remain secure even if primary messaging channels are compromised by adversaries.[9]
M1017 User Training

Develop and publish policies that define acceptable information to be posted in chat applications.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage code repositories to collect valuable information. Monitor access to messaging applications, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access messaging applications. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

References

  1. Keza MacDonald, Keith Stuart and Alex Hern. (2022, September 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?. Retrieved August 30, 2024.
  2. Joe Uchill. (2021, December 3). Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms. Retrieved August 30, 2024.
  3. Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.
  4. Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024.
  5. Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.
  1. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  2. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  3. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  4. Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.