Detect Messaging Applications in Google Chronicle
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Slack, and Google Chat, to mine valuable information including credentials, API keys, source code snippets, internal resource links, and proprietary data. Threat actors including Scattered Spider, LAPSUS$, and Fox Kitten have deliberately searched victim messaging platforms for credentials shared informally in chat, internal tooling documentation, and active incident response communications. This technique is particularly dangerous because employees routinely share sensitive information in messaging apps with an expectation of privacy, and because bulk message access by a compromised account often appears indistinguishable from normal user activity without behavioral baselining.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.005 Messaging Applications
- Canonical reference
- https://attack.mitre.org/techniques/T1213/005/
YARA-L Detection Query
rule t1213_005_messaging_app_data_mining {
meta:
author = "Argus Detection Engineering"
description = "Detects bulk or export-based data mining of messaging applications (Teams, Slack, Google Chat) indicating adversarial credential or sensitive data harvesting (T1213.005)"
mitre_attack_tactic = "Collection"
mitre_attack_technique = "T1213.005"
severity = "HIGH"
priority = "HIGH"
reference = "https://attack.mitre.org/techniques/T1213/005/"
created = "2026-04-19"
events:
// Match cloud application audit events for messaging platforms
$e.metadata.event_type = "USER_RESOURCE_ACCESS"
$e.metadata.product_name in (
"Microsoft Teams",
"Microsoft Office 365",
"Slack",
"Google Chat",
"Google Workspace",
"Webex"
)
// Match bulk read, search, download, or export operations
(
$e.metadata.event_subtype in (
"FileDownloaded", "FilePreviewed", "FileAccessed",
"MessageRead", "ChannelRead", "SearchPerformed",
"ItemShared", "file_downloaded", "search_performed",
"channel_joined", "message_channel_export"
)
or re.regex(
$e.network.application_protocol,
`(?i)(export|contentsearch|searchexported|bulkdownload|searchcreated)`
)
or re.regex(
$e.security_result.summary,
`(?i)(export|content.search|bulk.download|search.created|edisc)`
)
)
// Bind user principal
$user = $e.principal.user.userid
$app = $e.metadata.product_name
$src_ip = $e.principal.ip
match:
$user, $app over 1h
outcome:
$event_count = count_distinct($e.metadata.id)
$unique_ops = count_distinct($e.metadata.event_subtype)
$unique_src_ips = count_distinct($e.principal.ip)
$export_count = sum(
if(
re.regex($e.metadata.event_subtype, `(?i)(export|contentsearch|searchexported|bulkdownload|searchcreated)`),
1, 0
)
)
$risk_score = if($export_count >= 1 and $event_count > 100, 90,
if($export_count >= 1, 70,
if($event_count > 200, 65,
if($event_count > 50, 50, 30))))
condition:
#e > 50 or $export_count >= 1
}Chronicle YARA-L 2.0 rule detecting bulk messaging application data mining (T1213.005). Matches USER_RESOURCE_ACCESS events from Teams, Slack, Google Chat, and Webex product sources, correlating high-frequency read/search/download activity or any export operation within a 1-hour window per user per application. Risk scoring escalates based on export presence and total event volume.
Data Sources
Required Tables
False Positives & Tuning
- Paralegal or compliance staff running Microsoft Purview eDiscovery searches tied to legal holds, which will generate multiple export operation events in short succession
- Slack workspace administrators using the Slack Export feature for GDPR or data portability compliance requests from employees
- Security vendors or UEBA platforms that use service account API access to continuously ingest Teams/Slack messages for behavioral analysis baseline building
Other platforms for T1213.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Microsoft Teams Bulk Channel and Message Enumeration via PowerShell
Expected signal: OfficeActivity events with RecordType=MicrosoftTeams and Operations including TeamListed and ChannelListed. CloudAppEvents with AppName='Microsoft Teams' and multiple ActionType entries for channel read operations. Azure AD SigninLogs showing Teams PowerShell module authentication against graph.microsoft.com.
- Test 2Microsoft Graph API Teams Channel Message Retrieval
Expected signal: Azure AD AuditLogs with OperationName='Add delegated permission grant' for ChannelMessage.Read.All scope (from initial consent). Azure AD SigninLogs with ResourceDisplayName='Microsoft Graph' showing token issuance. CloudAppEvents (if MDCA connected) showing Teams API access attributed to the application or user. Network connections from the host to graph.microsoft.com.
- Test 3Slack API Bulk Channel Message Harvest
Expected signal: Slack Enterprise Grid audit logs showing actor performing search_performed, file_downloaded, and channel_joined actions. Network traffic logs showing HTTP GET requests to slack.com/api/conversations.list and slack.com/api/conversations.history at high frequency. Sysmon EventCode=1 for the curl or python3 processes. Large HTTP response bodies in proxy logs.
- Test 4Microsoft Purview Compliance Center Teams Content Search and Export
Expected signal: OfficeActivity events with RecordType=SecurityComplianceCenter and Operations: SearchCreated, SearchStarted, SearchCompleted, ExportReport, SearchExported. Azure AD SigninLogs for the compliance PowerShell session authentication. CloudAppEvents may attribute Teams data access to the compliance service principal during the search execution.
References (11)
- https://attack.mitre.org/techniques/T1213/005/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
- https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/graph/api/channel-list-messages
- https://api.slack.com/enterprise/audit-logs
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-activities-api
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table
Unlock Pro Content
Get the full detection package for T1213.005 including response playbook, investigation guide, and atomic red team tests.