T1213.005 Messaging Applications
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:
- Testing / development credentials (e.g., shared in chat messages)
- Source code snippets
- Links to network shares and other internal resources
- Proprietary data [4]
- Discussions about ongoing incident response efforts [3][5]
In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts. [1][2]
| Item | Value |
|---|---|
| ID | T1213.005 |
| Sub-techniques | T1213.001, T1213.002, T1213.003, T1213.004, T1213.005, T1213.006 |
| Tactics | TA0009 |
| Platforms | Office Suite, SaaS |
| Version | 1.0 |
| Created | 30 August 2024 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0117 | Fox Kitten | Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information. [7] |
| G1004 | LAPSUS$ | LAPSUS$ has searched a victim’s network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials. [9] |
| G1015 | Scattered Spider | Scattered Spider threat actors search the victim’s Slack and Microsoft Teams for conversations about the intrusion and incident response. [8] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Preemptively search through communication services to find inappropriately shared data, and take actions to reduce exposure when found. |
| M1060 | Out-of-Band Communications Channel | Implement secure out-of-band communication channels to use as an alternative to in-network chat applications during a security incident. This ensures that critical communications remain secure even if primary messaging channels are compromised by adversaries. [6] |
| M1017 | User Training | Develop and publish policies that define acceptable information to be posted in chat applications. |
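The M1047 Audit mitigation calls for preemptively searching chat content for the kinds of data listed above. The script below is an added illustration, not part of the ATT&CK page or of any vendor tooling: it runs a small set of detectors (credential assignments, fenced code, UNC or internal links, incident-response chatter) over a constructed chat export and reports redacted findings for triage. The message format and the patterns are assumptions; a real deployment would read from the platform's export or audit API and tune the patterns to its own naming.

```python
import re
from dataclasses import dataclass

# Constructed sample messages standing in for a chat export (not real data).
SAMPLE_MESSAGES = [
    {"channel": "dev-backend", "user": "alice", "text": "staging db: user=svc_test password=Summer2024! still works"},
    {"channel": "dev-backend", "user": "bob", "text": "pushed a fix, see ```def auth(u, p):\n    return p == 'hunter2'```"},
    {"channel": "it-help", "user": "carol", "text": "new share is at \\\\fileserv01\\finance\\q3 , also http://wiki.corp.internal/pay"},
    {"channel": "ir-war-room", "user": "dave", "text": "containment plan: isolate host-42 at 1500, forensics image first"},
    {"channel": "random", "user": "erin", "text": "lunch at noon?"},
]

# Category -> compiled pattern, mirroring the data types the technique
# description lists: credentials, code, internal links, IR discussion.
# These are illustrative heuristics (assumed), not a complete ruleset.
PATTERNS = {
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*\S+"),
    "source_code": re.compile(r"```.+?```", re.S),
    "internal_link": re.compile(r"(?i)(?:\\\\[\w.-]+\\\S+|https?://\S+\.(?:internal|local|corp)\b\S*)"),
    "incident_response": re.compile(r"(?i)\b(?:containment|forensic\w*|isolate|incident|ir\b|eradicat\w*)"),
}

@dataclass
class Finding:
    channel: str
    user: str
    category: str
    excerpt: str

def redact(match: str) -> str:
    # Keep only enough of the match to triage; the audit report must not
    # itself become a second copy of the leaked secret.
    return match[:12] + "..." if len(match) > 12 else match

def audit_messages(messages):
    """Return one Finding per (message, category) that matches."""
    findings = []
    for m in messages:
        for category, pattern in PATTERNS.items():
            hit = pattern.search(m["text"])
            if hit:
                findings.append(Finding(m["channel"], m["user"], category, redact(hit.group(0))))
    return findings

def summarize(findings):
    """Count findings per category, useful for tracking exposure over time."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

if __name__ == "__main__":
    for f in audit_messages(SAMPLE_MESSAGES):
        print(f"#{f.channel} {f.user}: {f.category} -> {f.excerpt}")
```

Each finding should be reviewed by a human and followed by the cleanup action M1047 describes (removing or rotating the credential, moving the discussion to an out-of-band channel), since the scanner only locates exposure.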
References
1. Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024.
2. Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.
3. Joe Uchill. (2021, December 3). Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms. Retrieved August 30, 2024.
4. Keza MacDonald, Keith Stuart and Alex Hern. (2022, September 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen? Retrieved August 30, 2024.
5. Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.
6. Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response. Retrieved August 30, 2024.
7. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
8. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
9. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.