Detect Messaging Applications in CrowdStrike LogScale
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Slack, and Google Chat, to mine valuable information including credentials, API keys, source code snippets, internal resource links, and proprietary data. Threat actors including Scattered Spider, LAPSUS$, and Fox Kitten have deliberately searched victim messaging platforms for credentials shared informally in chat, internal tooling documentation, and active incident response communications. This technique is particularly dangerous because employees routinely share sensitive information in messaging apps with an expectation of privacy, and because bulk message access by a compromised account often appears indistinguishable from normal user activity without behavioral baselining.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.005 Messaging Applications
- Canonical reference
- https://attack.mitre.org/techniques/T1213/005/
LogScale Detection Query
// T1213.005 - Messaging Application Data Mining
// Detects bulk or export-based access to Teams/Slack/Google Chat via CrowdStrike Falcon SIEM Connector and cloud audit event ingestion
// Primary detection: high-volume messaging app activity from cloud audit events
#event_simpleName = "OAuthAppActivity"
OR #event_simpleName = "CloudAuditEvent"
OR #event_simpleName = "SaaSApplicationActivity"
| appName = /(?i)(teams|slack|google.chat|webex|workplace)/
| operationType = /(?i)(filedownload|filepreviewed|fileaccessed|messageread|channelread|searchperformed|itemshared|file_downloaded|search_performed|channel_joined|message_channel_export|export|contentsearch|searchexported|bulkdownload|searchcreated)/
| timechart(span=1h) function=[count(aid, as=EventCount), count(distinct(operationType), as=UniqueOps), count(distinct(RemoteIP), as=UniqueIPs)] by UserPrincipalName, appName
| EventCount > 50 OR operationType = /(?i)(export|contentsearch|searchexported|bulkdownload|searchcreated)/
| eval ExportFlag = if(match(operationType, /(?i)(export|contentsearch|searchexported|bulkdownload|searchcreated)/), true, false)
| eval RiskLevel = case(
ExportFlag == true AND EventCount > 100, "High",
ExportFlag == true, "Medium",
EventCount > 200, "Medium",
EventCount > 50, "Low",
true, "Informational"
)
| RiskLevel IN ("High", "Medium")
| groupBy([UserPrincipalName, appName, RiskLevel], function=[
count(aid, as=TotalEvents),
collect(operationType, limit=10, as=OperationTypes),
collect(RemoteIP, limit=5, as=SourceIPs),
min(@timestamp, as=FirstSeen),
max(@timestamp, as=LastSeen)
])
| sort(TotalEvents, order=desc)
| select([FirstSeen, LastSeen, UserPrincipalName, appName, TotalEvents, OperationTypes, SourceIPs, RiskLevel])Detects bulk data mining of messaging applications (Teams, Slack, Google Chat) using CrowdStrike Falcon SIEM Connector with cloud audit event ingestion (OAuthAppActivity, CloudAuditEvent, SaaSApplicationActivity event types). Aggregates hourly activity per user per application and triggers on high event volume (>50) or any export/eDiscovery/bulk download operation. Particularly effective at catching Scattered Spider-style credential harvesting where attackers gain initial access and immediately search Teams for passwords, API keys, or internal tooling links.
Data Sources
Required Tables
False Positives & Tuning
- Red team or penetration testers with authorized access performing messaging app data collection exercises as part of a scoped engagement, which mimics Scattered Spider TTPs exactly
- Internal audit teams using Power Automate or Graph API scripts to generate reports on Teams channel activity and message volumes for governance reviews
- Third-party compliance platforms (e.g., Global Relay, Smarsh) that are given broad API access to continuously archive all Teams and Slack messages for regulatory recordkeeping
Other platforms for T1213.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Microsoft Teams Bulk Channel and Message Enumeration via PowerShell
Expected signal: OfficeActivity events with RecordType=MicrosoftTeams and Operations including TeamListed and ChannelListed. CloudAppEvents with AppName='Microsoft Teams' and multiple ActionType entries for channel read operations. Azure AD SigninLogs showing Teams PowerShell module authentication against graph.microsoft.com.
- Test 2Microsoft Graph API Teams Channel Message Retrieval
Expected signal: Azure AD AuditLogs with OperationName='Add delegated permission grant' for ChannelMessage.Read.All scope (from initial consent). Azure AD SigninLogs with ResourceDisplayName='Microsoft Graph' showing token issuance. CloudAppEvents (if MDCA connected) showing Teams API access attributed to the application or user. Network connections from the host to graph.microsoft.com.
- Test 3Slack API Bulk Channel Message Harvest
Expected signal: Slack Enterprise Grid audit logs showing actor performing search_performed, file_downloaded, and channel_joined actions. Network traffic logs showing HTTP GET requests to slack.com/api/conversations.list and slack.com/api/conversations.history at high frequency. Sysmon EventCode=1 for the curl or python3 processes. Large HTTP response bodies in proxy logs.
- Test 4Microsoft Purview Compliance Center Teams Content Search and Export
Expected signal: OfficeActivity events with RecordType=SecurityComplianceCenter and Operations: SearchCreated, SearchStarted, SearchCompleted, ExportReport, SearchExported. Azure AD SigninLogs for the compliance PowerShell session authentication. CloudAppEvents may attribute Teams data access to the compliance service principal during the search execution.
References (11)
- https://attack.mitre.org/techniques/T1213/005/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
- https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/graph/api/channel-list-messages
- https://api.slack.com/enterprise/audit-logs
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-activities-api
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table
Unlock Pro Content
Get the full detection package for T1213.005 including response playbook, investigation guide, and atomic red team tests.