T1213.005

Messaging Applications

Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Slack, and Google Chat, to mine valuable information including credentials, API keys, source code snippets, internal resource links, and proprietary data. Threat actors including Scattered Spider, LAPSUS$, and Fox Kitten have deliberately searched victim messaging platforms for credentials shared informally in chat, internal tooling documentation, and active incident response communications. This technique is particularly dangerous because employees routinely share sensitive information in messaging apps with an expectation of privacy, and because bulk message access by a compromised account often appears indistinguishable from normal user activity without behavioral baselining.

Microsoft Sentinel / Defender

kusto

// T1213.005 - Messaging Application Data Mining
// Detects bulk or suspicious access to Teams/Slack message content via MDCA and O365 audit logs
let LookbackPeriod = 24h;
let BulkEventThreshold = 100;
let SuspiciousExportOps = dynamic(["Export", "ContentSearch", "SearchExported", "ExportReport", "ViewedSearchExported", "BulkDownload", "SearchCreated"]);
// Branch 1: High-volume messaging app activity via Microsoft Defender for Cloud Apps
let CloudAppBulkAccess =
    CloudAppEvents
    | where Timestamp > ago(LookbackPeriod)
    | where AppName has_any ("Microsoft Teams", "Slack", "Google Chat", "Webex", "Workplace from Meta")
    | where ActionType in~ (
        "FileDownloaded", "FilePreviewed", "FileAccessed",
        "MessageRead", "ChannelRead",
        "SearchPerformed", "ItemShared"
    )
    | summarize
        EventCount = count(),
        UniqueActions = dcount(ActionType),
        Actions = make_set(ActionType, 10),
        UniqueChannels = dcount(tostring(RawEventData.ChannelName)),
        SourceIPs = make_set(IPAddress, 5),
        FirstSeen = min(Timestamp),
        LastSeen = max(Timestamp)
        by AccountDisplayName, AccountObjectId, AppName
    | where EventCount > BulkEventThreshold
    | extend DetectionSource = "CloudAppEvents", RiskIndicator = "High-volume messaging app data access";
// Branch 2: Microsoft 365 compliance/eDiscovery export of Teams data
let TeamsComplianceExport =
    OfficeActivity
    | where TimeGenerated > ago(LookbackPeriod)
    | where RecordType in ("MicrosoftTeams", "SecurityComplianceCenter")
    | where Operation has_any (SuspiciousExportOps)
    | summarize
        EventCount = count(),
        Operations = make_set(Operation, 10),
        UniqueActions = dcount(Operation),
        SourceIPs = make_set(ClientIP, 5),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
        by UserId, RecordType
    | extend AccountDisplayName = UserId, AccountObjectId = "",
             AppName = "Microsoft Teams (Compliance)",
             Actions = Operations, UniqueChannels = 0,
             DetectionSource = "OfficeActivity", RiskIndicator = "Teams compliance export/search operation";
// Combine results
union CloudAppBulkAccess, TeamsComplianceExport
| project FirstSeen, LastSeen, AccountDisplayName, AppName, SourceIPs,
          EventCount, UniqueActions, Actions, DetectionSource, RiskIndicator
| sort by EventCount desc

high severity medium confidence

Data Sources

Application Log: Application Log Content Microsoft Defender for Cloud Apps Microsoft 365 Unified Audit Log

Required Tables

CloudAppEvents OfficeActivity

False Positives

eDiscovery and compliance officers performing legitimate legal holds or audit-required content searches against Teams data — these accounts will consistently trigger the compliance export branch
Security operations analysts searching Teams or Slack for evidence during an authorized internal investigation or incident response engagement
Third-party backup and archival solutions (e.g., AvePoint, Skykick, Backupify, Datto SaaS) that systematically access all channels and generate high-volume access events
HR or legal personnel conducting authorized data subject access requests (DSARs) under GDPR or CCPA requirements
Automated monitoring bots or compliance integrations that continuously read message channels to enforce retention or DLP policies

Splunk

spl

// T1213.005 - Messaging Application Data Mining
// Detects bulk Teams/Slack data access via O365 Management Activity and Slack Enterprise audit logs
(
  index=o365 sourcetype="o365:management:activity"
  (Workload="MicrosoftTeams" OR Workload="SecurityComplianceCenter")
)
OR
(
  index=slack_audit sourcetype="slack:audit"
  (action="file_downloaded" OR action="search_performed" OR action="channel_joined"
   OR action="message_channel_export" OR action="user_channel_join")
)
| eval app_name=coalesce(Workload, "Slack")
| eval operation_name=coalesce(Operation, action)
| eval source_ip=coalesce(ClientIP, ip_address)
| eval user_id=coalesce(UserId, mvindex(split(actor, ":"), 1))
| eval is_export=if(match(lower(operation_name),
    "export|contentsearch|searchexported|viewedsearchexported|bulkdownload|searchcreated"), 1, 0)
| eval is_bulk_read=if(match(lower(operation_name),
    "messagelist|channellist|filelist|filedownload|search_performed"), 1, 0)
| bin _time span=1h
| stats
    count as EventCount,
    sum(is_export) as ExportEvents,
    sum(is_bulk_read) as BulkReadEvents,
    dc(operation_name) as UniqueOps,
    values(operation_name) as Operations,
    values(source_ip) as SourceIPs,
    earliest(_time) as FirstEvent,
    latest(_time) as LastEvent
    by user_id, app_name
| where EventCount > 50 OR ExportEvents >= 1
| eval RiskLevel=case(
    ExportEvents >= 1 AND EventCount > 100, "High",
    ExportEvents >= 1, "Medium",
    EventCount > 200, "Medium",
    BulkReadEvents > 50, "Medium",
    1=1, "Low"
)
| where RiskLevel IN ("High", "Medium")
| table FirstEvent, LastEvent, user_id, app_name, EventCount, ExportEvents, BulkReadEvents, UniqueOps, Operations, SourceIPs, RiskLevel
| sort - EventCount

high severity medium confidence

Data Sources

Application Log: Application Log Content Office 365 Management Activity API Slack Enterprise Grid Audit Logs

Required Sourcetypes

o365:management:activity slack:audit

False Positives

eDiscovery and legal compliance operations performing authorized content searches and exports from Teams via the Microsoft Purview compliance center
Security operations teams searching Slack or Teams to coordinate incident response, generating elevated message read volumes
Third-party backup and archival tools (e.g., AvePoint, Datto, Backupify) that systematically access all channels for backup purposes and will consistently trigger bulk thresholds
HR or legal personnel conducting authorized GDPR/CCPA data subject access requests that involve Teams message exports
Developers testing Slack or Teams bot integrations during development that generate high API call volumes

IBM QRadar (AQL)

sql

// T1213.005 - Messaging Application Data Mining
// Detects bulk/suspicious access to Teams, Slack, and Google Chat via QRadar normalized log sources
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_event,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_event,
  username,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCENAME(logsourceid) AS log_source,
  COUNT(*) AS event_count,
  SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%'
           OR LOWER(QIDNAME(qid)) LIKE '%search%'
           OR LOWER(QIDNAME(qid)) LIKE '%contentsearch%'
           OR LOWER(QIDNAME(qid)) LIKE '%bulkdownload%' THEN 1 ELSE 0 END) AS export_events,
  SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%download%'
           OR LOWER(QIDNAME(qid)) LIKE '%fileaccess%'
           OR LOWER(QIDNAME(qid)) LIKE '%messageread%'
           OR LOWER(QIDNAME(qid)) LIKE '%channelread%' THEN 1 ELSE 0 END) AS bulk_read_events,
  ARRAY_AGG(DISTINCT sourceip) AS source_ips,
  ARRAY_AGG(DISTINCT QIDNAME(qid)) AS operations
FROM events
WHERE
  starttime >= NOW() - 86400
  AND (
    LOGSOURCETYPEID(logsourceid) IN (
      SELECT id FROM logsourcetypes WHERE name ILIKE '%Office 365%'
        OR name ILIKE '%Microsoft Teams%'
        OR name ILIKE '%Slack%'
        OR name ILIKE '%Google Workspace%'
        OR name ILIKE '%Google GSuite%'
    )
  )
  AND (
    LOWER(QIDNAME(qid)) LIKE '%teams%'
    OR LOWER(QIDNAME(qid)) LIKE '%slack%'
    OR LOWER(QIDNAME(qid)) LIKE '%chat%'
    OR LOWER(QIDNAME(qid)) LIKE '%message%'
    OR LOWER(QIDNAME(qid)) LIKE '%channel%'
    OR CATEGORYNAME(category) ILIKE '%messaging%'
    OR CATEGORYNAME(category) ILIKE '%collaboration%'
  )
GROUP BY
  username,
  CATEGORYNAME(category),
  LOGSOURCENAME(logsourceid),
  BUCKET(starttime, 3600)
HAVING
  event_count > 50
  OR export_events >= 1
ORDER BY event_count DESC

high severity medium confidence

Data Sources

IBM QRadar with Microsoft Office 365 DSM QRadar Slack Enterprise DSM QRadar Google Workspace (G Suite) DSM

Required Tables

events

False Positives

Authorized HR or legal personnel performing eDiscovery searches tied to employment investigations, which generate high export_events counts
Automated backup or archival bots with service accounts that continuously read and archive message history for compliance retention
Security Operations Center analysts using SIEM-integrated connectors that poll Teams/Slack APIs at high frequency for UEBA data collection

Sumo Logic CSE

sql

// T1213.005 - Messaging Application Data Mining
// Detects bulk or export-based access to Teams/Slack/Google Chat via Sumo Logic CSE and cloud audit indexes
(_sourceCategory="o365/audit" OR _sourceCategory="slack/audit" OR _sourceCategory="google/workspace/audit")
| json field=_raw "Workload" as workload nodrop
| json field=_raw "Operation" as operation nodrop
| json field=_raw "UserId" as user_id nodrop
| json field=_raw "ClientIP" as client_ip nodrop
| json field=_raw "action" as slack_action nodrop
| json field=_raw "actor" as slack_actor nodrop
| json field=_raw "ip_address" as slack_ip nodrop
| json field=_raw "email" as google_user nodrop
| json field=_raw "event_type" as google_event nodrop
// Normalize fields across sources
| eval app_name = if(!isNull(workload), workload,
    if(!isNull(slack_action), "Slack",
    if(!isNull(google_event), "GoogleChat", "Unknown")))
| eval op_name = if(!isNull(operation), operation,
    if(!isNull(slack_action), slack_action,
    if(!isNull(google_event), google_event, "unknown")))
| eval uid = if(!isNull(user_id), user_id,
    if(!isNull(slack_actor), slack_actor,
    if(!isNull(google_user), google_user, "unknown")))
| eval src_ip = if(!isNull(client_ip), client_ip,
    if(!isNull(slack_ip), slack_ip, "unknown"))
// Flag export and bulk read operations
| eval is_export = if(op_name matches /(?i)(export|contentsearch|searchexported|viewedsearchexported|bulkdownload|searchcreated)/, 1, 0)
| eval is_bulk_read = if(op_name matches /(?i)(messagelist|channellist|filelist|filedownload|messageread|channelread|search_performed|file_downloaded)/, 1, 0)
// Restrict to relevant apps
| where app_name in ("MicrosoftTeams", "SecurityComplianceCenter", "Slack", "GoogleChat", "Webex")
   OR op_name matches /(?i)(team|slack|chat|channel|message)/
// Time bucket aggregation (1-hour windows)
| timeslice 1h
| stats
    count as EventCount,
    sum(is_export) as ExportEvents,
    sum(is_bulk_read) as BulkReadEvents,
    dcount(op_name) as UniqueOps,
    values(op_name) as Operations,
    values(src_ip) as SourceIPs,
    min(_messageTime) as FirstEvent,
    max(_messageTime) as LastEvent
    by uid, app_name, _timeslice
| where EventCount > 50 or ExportEvents >= 1
| eval RiskLevel = if(ExportEvents >= 1 and EventCount > 100, "High",
    if(ExportEvents >= 1, "Medium",
    if(EventCount > 200, "Medium",
    if(BulkReadEvents > 50, "Medium", "Low"))))
| where RiskLevel in ("High", "Medium")
| fields FirstEvent, LastEvent, uid, app_name, EventCount, ExportEvents, BulkReadEvents, UniqueOps, Operations, SourceIPs, RiskLevel
| sort by EventCount desc

high severity medium confidence

Data Sources

Sumo Logic O365 Audit Log Source Sumo Logic Slack Audit Source (Enterprise Grid) Sumo Logic Google Workspace Source

Required Tables

o365/audit _sourceCategory slack/audit _sourceCategory google/workspace/audit _sourceCategory

False Positives

Compliance officers or counsel using the Microsoft Purview Content Search tool for legitimate regulatory or litigation hold activities, generating high ExportEvents counts
Automated Slack bots using the Conversations API to build search indexes, analytics dashboards, or compliance archives on behalf of the organization
IT migration tools or third-party SaaS backup vendors (e.g., Backupify, Avepoint) that systematically read all channels and messages as part of scheduled backup jobs

Google Chronicle / SecOps

yaral

rule t1213_005_messaging_app_data_mining {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects bulk or export-based data mining of messaging applications (Teams, Slack, Google Chat) indicating adversarial credential or sensitive data harvesting (T1213.005)"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1213.005"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1213/005/"
    created = "2026-04-19"

  events:
    // Match cloud application audit events for messaging platforms
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name in (
      "Microsoft Teams",
      "Microsoft Office 365",
      "Slack",
      "Google Chat",
      "Google Workspace",
      "Webex"
    )
    // Match bulk read, search, download, or export operations
    (
      $e.metadata.event_subtype in (
        "FileDownloaded", "FilePreviewed", "FileAccessed",
        "MessageRead", "ChannelRead", "SearchPerformed",
        "ItemShared", "file_downloaded", "search_performed",
        "channel_joined", "message_channel_export"
      )
      or re.regex(
        $e.network.application_protocol,
        `(?i)(export|contentsearch|searchexported|bulkdownload|searchcreated)`
      )
      or re.regex(
        $e.security_result.summary,
        `(?i)(export|content.search|bulk.download|search.created|edisc)`
      )
    )
    // Bind user principal
    $user = $e.principal.user.userid
    $app = $e.metadata.product_name
    $src_ip = $e.principal.ip

  match:
    $user, $app over 1h

  outcome:
    $event_count = count_distinct($e.metadata.id)
    $unique_ops = count_distinct($e.metadata.event_subtype)
    $unique_src_ips = count_distinct($e.principal.ip)
    $export_count = sum(
      if(
        re.regex($e.metadata.event_subtype, `(?i)(export|contentsearch|searchexported|bulkdownload|searchcreated)`),
        1, 0
      )
    )
    $risk_score = if($export_count >= 1 and $event_count > 100, 90,
      if($export_count >= 1, 70,
      if($event_count > 200, 65,
      if($event_count > 50, 50, 30))))

  condition:
    #e > 50 or $export_count >= 1
}

high severity medium confidence

Data Sources

Google Chronicle with Microsoft 365 log ingestion Chronicle Slack Enterprise log parser Chronicle Google Workspace ingestion (native) Chronicle UDM normalized cloud events

Required Tables

UDM events (USER_RESOURCE_ACCESS type)

False Positives

Paralegal or compliance staff running Microsoft Purview eDiscovery searches tied to legal holds, which will generate multiple export operation events in short succession
Slack workspace administrators using the Slack Export feature for GDPR or data portability compliance requests from employees
Security vendors or UEBA platforms that use service account API access to continuously ingest Teams/Slack messages for behavioral analysis baseline building

CrowdStrike LogScale (CQL)

cql

// T1213.005 - Messaging Application Data Mining
// Detects bulk or export-based access to Teams/Slack/Google Chat via CrowdStrike Falcon SIEM Connector and cloud audit event ingestion

// Primary detection: high-volume messaging app activity from cloud audit events
#event_simpleName = "OAuthAppActivity"
  OR #event_simpleName = "CloudAuditEvent"
  OR #event_simpleName = "SaaSApplicationActivity"
| appName = /(?i)(teams|slack|google.chat|webex|workplace)/
| operationType = /(?i)(filedownload|filepreviewed|fileaccessed|messageread|channelread|searchperformed|itemshared|file_downloaded|search_performed|channel_joined|message_channel_export|export|contentsearch|searchexported|bulkdownload|searchcreated)/
| timechart(span=1h) function=[count(aid, as=EventCount), count(distinct(operationType), as=UniqueOps), count(distinct(RemoteIP), as=UniqueIPs)] by UserPrincipalName, appName
| EventCount > 50 OR operationType = /(?i)(export|contentsearch|searchexported|bulkdownload|searchcreated)/
| eval ExportFlag = if(match(operationType, /(?i)(export|contentsearch|searchexported|bulkdownload|searchcreated)/), true, false)
| eval RiskLevel = case(
    ExportFlag == true AND EventCount > 100, "High",
    ExportFlag == true, "Medium",
    EventCount > 200, "Medium",
    EventCount > 50, "Low",
    true, "Informational"
  )
| RiskLevel IN ("High", "Medium")
| groupBy([UserPrincipalName, appName, RiskLevel], function=[
    count(aid, as=TotalEvents),
    collect(operationType, limit=10, as=OperationTypes),
    collect(RemoteIP, limit=5, as=SourceIPs),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| sort(TotalEvents, order=desc)
| select([FirstSeen, LastSeen, UserPrincipalName, appName, TotalEvents, OperationTypes, SourceIPs, RiskLevel])

high severity medium confidence

Data Sources

CrowdStrike Falcon SIEM Connector with Microsoft 365 cloud audit events Falcon Identity Protection with Azure AD integration CrowdStrike Humio/LogScale with Slack Enterprise Grid audit log forwarding

Required Tables

OAuthAppActivity CloudAuditEvent SaaSApplicationActivity

False Positives

Red team or penetration testers with authorized access performing messaging app data collection exercises as part of a scoped engagement, which mimics Scattered Spider TTPs exactly
Internal audit teams using Power Automate or Graph API scripts to generate reports on Teams channel activity and message volumes for governance reviews
Third-party compliance platforms (e.g., Global Relay, Smarsh) that are given broad API access to continuously archive all Teams and Slack messages for regulatory recordkeeping

Last updated: 2026-04-19 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1213.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1213Data from Information Repositories

Related Sub-techniques

T1213.001Confluence T1213.002Sharepoint T1213.003Code Repositories T1213.004Customer Relationship Management Software T1213.006Databases

Messaging Applications

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections