Detect Messaging Applications in Elastic Security
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Slack, and Google Chat, to mine valuable information including credentials, API keys, source code snippets, internal resource links, and proprietary data. Threat actors including Scattered Spider, LAPSUS$, and Fox Kitten have deliberately searched victim messaging platforms for credentials shared informally in chat, internal tooling documentation, and active incident response communications. This technique is particularly dangerous because employees routinely share sensitive information in messaging apps with an expectation of privacy, and because bulk message access by a compromised account often appears indistinguishable from normal user activity without behavioral baselining.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.005 Messaging Applications
- Canonical reference
- https://attack.mitre.org/techniques/T1213/005/
Elastic Detection Query
// T1213.005 - Messaging Application Data Mining
// Detects bulk or suspicious access to Teams/Slack/Google Chat message content via ECS-normalized logs
sequence by user.name with maxspan=1h
[any where event.dataset in ("o365.audit", "google_workspace.admin", "slack.audit")
and (
(event.provider == "MicrosoftTeams" and event.action in ("MessageRead", "ChannelRead", "FileDownloaded", "FilePreviewed", "FileAccessed", "SearchCreated", "SearchExported", "ExportReport", "ContentSearch", "BulkDownload"))
or (event.provider == "Slack" and event.action in ("file_downloaded", "search_performed", "channel_joined", "message_channel_export", "user_channel_join"))
or (event.provider == "Google Chat" and event.action in ("download", "view", "export", "search"))
)
] with runs=50
// Supplemental: Hunting query for export/eDiscovery abuse
// any where event.dataset == "o365.audit"
// and event.provider in ("MicrosoftTeams", "SecurityComplianceCenter")
// and event.action in ("Export", "ContentSearch", "SearchExported", "ExportReport", "ViewedSearchExported", "BulkDownload", "SearchCreated")Detects bulk access to messaging application data (Microsoft Teams, Slack, Google Chat) via cloud audit logs. Uses ECS-normalized event fields from O365, Slack Enterprise Grid, and Google Workspace audit sources. Triggers on high-frequency read/download/search activity within a 1-hour window (50+ events by a single user), or any export/eDiscovery operation targeting Teams or compliance data.
Data Sources
Required Tables
False Positives & Tuning
- Legal and compliance teams running legitimate eDiscovery or content searches as part of authorized investigations or litigation hold workflows
- IT administrators bulk-migrating Teams or Slack data during platform consolidation, onboarding, or offboarding projects
- Security analysts conducting authorized internal investigations reviewing chat logs for incident response purposes
Other platforms for T1213.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Microsoft Teams Bulk Channel and Message Enumeration via PowerShell
Expected signal: OfficeActivity events with RecordType=MicrosoftTeams and Operations including TeamListed and ChannelListed. CloudAppEvents with AppName='Microsoft Teams' and multiple ActionType entries for channel read operations. Azure AD SigninLogs showing Teams PowerShell module authentication against graph.microsoft.com.
- Test 2Microsoft Graph API Teams Channel Message Retrieval
Expected signal: Azure AD AuditLogs with OperationName='Add delegated permission grant' for ChannelMessage.Read.All scope (from initial consent). Azure AD SigninLogs with ResourceDisplayName='Microsoft Graph' showing token issuance. CloudAppEvents (if MDCA connected) showing Teams API access attributed to the application or user. Network connections from the host to graph.microsoft.com.
- Test 3Slack API Bulk Channel Message Harvest
Expected signal: Slack Enterprise Grid audit logs showing actor performing search_performed, file_downloaded, and channel_joined actions. Network traffic logs showing HTTP GET requests to slack.com/api/conversations.list and slack.com/api/conversations.history at high frequency. Sysmon EventCode=1 for the curl or python3 processes. Large HTTP response bodies in proxy logs.
- Test 4Microsoft Purview Compliance Center Teams Content Search and Export
Expected signal: OfficeActivity events with RecordType=SecurityComplianceCenter and Operations: SearchCreated, SearchStarted, SearchCompleted, ExportReport, SearchExported. Azure AD SigninLogs for the compliance PowerShell session authentication. CloudAppEvents may attribute Teams data access to the compliance service principal during the search execution.
References (11)
- https://attack.mitre.org/techniques/T1213/005/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
- https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/graph/api/channel-list-messages
- https://api.slack.com/enterprise/audit-logs
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-activities-api
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table
Unlock Pro Content
Get the full detection package for T1213.005 including response playbook, investigation guide, and atomic red team tests.