
DET0567 Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments

| Item | Value |
|---|---|
| ID | DET0567 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1213.005 (Messaging Applications)

Analytics

SaaS

AN1565

Atypical access to Slack or Teams conversations via APIs, automation tokens, or bulk message export functionality, particularly after an account takeover or rare sign-in pattern. Often includes mass retrieval of chat history, download of message content, or scraping of workspace/channel metadata.

Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:slack | conversations.history, files.list, users.info, audit_logs |
| Logon Session Creation (DC0067) | m365:signinlogs | UserLoggedIn |
Mutable Elements
| Field | Description |
|---|---|
| TimeWindow | Time interval to observe post-login message scraping behavior |
| MessageExportThreshold | Number of messages or files accessed/downloaded to flag for review |
| UserContext | User privilege level, team membership, or role context to suppress false positives |
| AccessMethod | Direct user access vs API token, OAuth app, or bot interaction |

Office Suite

AN1566

Suspicious access to Microsoft Teams chat messages via eDiscovery, Graph API, or export methods after a rare or compromised sign-in. Often associated with excessive file access, sensitive content review, or deviation from expected user behavior.

Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | TeamsMessagesAccessedViaEDiscovery, TeamsGraphMessageExport |
| Logon Session Creation (DC0067) | m365:signinlogs | UserLoggedIn |
Mutable Elements
| Field | Description |
|---|---|
| UserRole | Whether user is part of InfoSec, Legal, or expected to use Teams eDiscovery tools |
| GeoRiskScore | Unusual country/IP sign-in patterns prior to Teams data export |
| AccessVolume | Message or file threshold for triggering alert |
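As an added illustration, not part of this detection strategy page or of MITRE's own analytics, the following Python correlates the AN1565 and AN1566 log sources: a UserLoggedIn event from an unusual country, followed within TimeWindow by at least MessageExportThreshold/AccessVolume collection calls from the same account, with UserRole/UserContext suppression. The pipe-delimited record format, the threshold values, and the sample telemetry are constructed assumptions.

```python
from datetime import datetime, timedelta

# Mutable elements from AN1565/AN1566; the values are assumptions to tune per tenant.
TIME_WINDOW = timedelta(hours=2)         # TimeWindow
EXPORT_THRESHOLD = 3                     # MessageExportThreshold / AccessVolume
EXPECTED_ROLES = {"Legal", "InfoSec"}    # UserRole / UserContext suppression
COLLECTION_ACTIONS = {"conversations.history", "files.list", "users.info",
                      "TeamsMessagesAccessedViaEDiscovery", "TeamsGraphMessageExport"}

def parse(line):
    """Parse a constructed record of the form ts|user|channel|action|detail."""
    ts, user, channel, action, detail = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "channel": channel, "action": action, "detail": detail}

def detect(lines, roles, usual_countries):
    """Flag a sign-in from an unusual country followed by bulk collection calls."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    alerts = []
    for login in (e for e in events if e["action"] == "UserLoggedIn"):
        user = login["user"]
        if roles.get(user) in EXPECTED_ROLES:
            continue  # eDiscovery/export is expected for these roles
        if login["detail"] in usual_countries.get(user, set()):
            continue  # GeoRiskScore stand-in: only rare sign-in locations qualify
        deadline = login["ts"] + TIME_WINDOW
        hits = [e for e in events if e["user"] == user and e["action"] in COLLECTION_ACTIONS
                and login["ts"] <= e["ts"] <= deadline]
        if len(hits) >= EXPORT_THRESHOLD:
            alerts.append({"user": user, "login": login["ts"].isoformat(), "count": len(hits),
                           "actions": sorted({h["action"] for h in hits})})
    return alerts

# Constructed sample telemetry (not real logs): alice signs in from a rare country and
# scrapes Slack; bob is Legal and runs expected eDiscovery; carol signs in as usual.
SAMPLE = [
    "2025-10-21T08:00:00|alice|m365:signinlogs|UserLoggedIn|RO",
    "2025-10-21T08:05:00|alice|saas:slack|conversations.history|C01",
    "2025-10-21T08:06:00|alice|saas:slack|conversations.history|C02",
    "2025-10-21T08:07:00|alice|saas:slack|files.list|workspace",
    "2025-10-21T09:00:00|bob|m365:signinlogs|UserLoggedIn|BR",
    "2025-10-21T09:10:00|bob|m365:unified|TeamsMessagesAccessedViaEDiscovery|case1",
    "2025-10-21T09:11:00|bob|m365:unified|TeamsGraphMessageExport|case1",
    "2025-10-21T10:00:00|carol|m365:signinlogs|UserLoggedIn|US",
    "2025-10-21T10:30:00|carol|saas:slack|conversations.history|C03",
    "2025-10-21T10:31:00|carol|saas:slack|conversations.history|C04",
    "2025-10-21T10:32:00|carol|saas:slack|files.list|workspace",
]
ROLES = {"bob": "Legal"}
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
```

Running `detect(SAMPLE, ROLES, USUAL_COUNTRIES)` yields a single alert for alice; passing an empty country baseline also surfaces carol, which shows how much the GeoRiskScore element does to suppress benign bulk access.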