T1213.005 IBM QRadar · QRadar

Detect Messaging Applications in IBM QRadar

Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Slack, and Google Chat, to mine valuable information including credentials, API keys, source code snippets, internal resource links, and proprietary data. Threat actors including Scattered Spider, LAPSUS$, and Fox Kitten have deliberately searched victim messaging platforms for credentials shared informally in chat, internal tooling documentation, and active incident response communications. This technique is particularly dangerous because employees routinely share sensitive information in messaging apps with an expectation of privacy, and because bulk message access by a compromised account often appears indistinguishable from normal user activity without behavioral baselining.

MITRE ATT&CK

Tactic: Collection
Technique: T1213 Data from Information Repositories
Sub-technique: T1213.005 Messaging Applications
Canonical reference: https://attack.mitre.org/techniques/T1213/005/

QRadar Detection Query

IBM QRadar (QRadar) AQL

// T1213.005 - Messaging Application Data Mining
// Detects bulk or suspicious access to Teams, Slack, and Google Chat via QRadar normalized log sources.
// Note: the SUM(CASE ...) counters rely on conditional aggregation; if your AQL version rejects CASE,
// run the export-operation filter as a separate search.
SELECT
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS first_event,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS last_event,
  DATEFORMAT(starttime, 'yyyy-MM-dd HH') AS hour_bucket,
  username,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCENAME(logsourceid) AS log_source,
  COUNT(*) AS event_count,
  // Export / eDiscovery style operations: high-fidelity on their own
  SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%'
           OR LOWER(QIDNAME(qid)) LIKE '%search%'
           OR LOWER(QIDNAME(qid)) LIKE '%contentsearch%'
           OR LOWER(QIDNAME(qid)) LIKE '%bulkdownload%' THEN 1 ELSE 0 END) AS export_events,
  // Message, channel and file read operations: only suspicious in volume
  SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%download%'
           OR LOWER(QIDNAME(qid)) LIKE '%fileaccess%'
           OR LOWER(QIDNAME(qid)) LIKE '%messageread%'
           OR LOWER(QIDNAME(qid)) LIKE '%channelread%' THEN 1 ELSE 0 END) AS bulk_read_events,
  // AQL has no array aggregation; distinct counts show IP and operation spread per bucket
  UNIQUECOUNT(sourceip) AS distinct_source_ips,
  UNIQUECOUNT(qid) AS distinct_operations
FROM events
WHERE
  // Restrict to the messaging / collaboration DSMs by log source type
  (
    LOGSOURCETYPENAME(devicetype) ILIKE '%Office 365%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Teams%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Slack%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Google Workspace%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Google GSuite%'
  )
  AND (
    LOWER(QIDNAME(qid)) LIKE '%teams%'
    OR LOWER(QIDNAME(qid)) LIKE '%slack%'
    OR LOWER(QIDNAME(qid)) LIKE '%chat%'
    OR LOWER(QIDNAME(qid)) LIKE '%message%'
    OR LOWER(QIDNAME(qid)) LIKE '%channel%'
    OR CATEGORYNAME(category) ILIKE '%messaging%'
    OR CATEGORYNAME(category) ILIKE '%collaboration%'
  )
GROUP BY
  username,
  CATEGORYNAME(category),
  LOGSOURCENAME(logsourceid),
  DATEFORMAT(starttime, 'yyyy-MM-dd HH')
HAVING
  event_count > 50
  OR export_events >= 1
ORDER BY event_count DESC
LAST 24 HOURS

Severity: high · Confidence: medium

Detects bulk messaging application data access or export operations via QRadar normalized events from O365, Slack Enterprise, and Google Workspace log sources. Aggregates per-user activity in hourly buckets and flags accounts with high event volume (>50 events/hour) or any export/eDiscovery operation against Teams, Slack, or Chat data. The export_events counter specifically surfaces compliance export, content search, and bulk download operations that are high-fidelity indicators of credential harvesting or data exfiltration.

Data Sources

  • IBM QRadar with Microsoft Office 365 DSM
  • QRadar Slack Enterprise DSM
  • QRadar Google Workspace (G Suite) DSM

Required Tables

events

False Positives & Tuning

  • Authorized HR or legal personnel performing eDiscovery searches tied to employment investigations, which generate high export_events counts
  • Automated backup or archival bots with service accounts that continuously read and archive message history for compliance retention
  • Security Operations Center analysts using SIEM-integrated connectors that poll Teams/Slack APIs at high frequency for UEBA data collection
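To check the grouping and thresholds described above outside QRadar, and to see how an allowlist from the tuning notes drops an archival service account, here is an added Python example (not part of the original page or of any IBM tooling) that applies the same per-user hourly bucketing and export/bulk-read classification to constructed sample events; the account names, IPs and QID names are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of QRadar-style normalized events as (starttime, username, QIDNAME, sourceip).
# mallory reads 60 channels in one hour, alice reads 3, bob runs one compliance export, and
# svc-archive (a hypothetical backup service account) reads 80 messages in one hour.
SAMPLE_EVENTS = (
    [("2024-05-01 09:%02d:00" % i, "mallory", "Slack ChannelRead", "10.0.0.%d" % (5 + i % 2)) for i in range(60)]
    + [("2024-05-01 09:%02d:00" % (i * 10), "alice", "Teams MessageRead", "10.0.0.9") for i in range(3)]
    + [("2024-05-01 10:15:00", "bob", "SecurityComplianceCenter SearchExported", "10.0.0.12")]
    + [("2024-05-01 09:%02d:00" % (i % 60), "svc-archive", "Slack MessageRead", "10.0.1.2") for i in range(80)]
)

# Same substring classes the query applies to LOWER(QIDNAME(qid)).
EXPORT_TERMS = ("export", "search", "contentsearch", "bulkdownload")
BULK_READ_TERMS = ("download", "fileaccess", "messageread", "channelread")
HOURLY_THRESHOLD = 50                   # the query's HAVING event_count > 50
ALLOWLISTED_ACCOUNTS = {"svc-archive"}  # tuning: authorized archival bot (hypothetical name)


def aggregate(events):
    """Mirror GROUP BY username + hourly bucket: total, export and bulk-read counts plus distinct IPs."""
    buckets = defaultdict(lambda: {"event_count": 0, "export_events": 0,
                                   "bulk_read_events": 0, "source_ips": set()})
    for ts, user, qidname, ip in events:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H")
        b = buckets[(user, hour)]
        name = qidname.lower()
        b["event_count"] += 1
        b["export_events"] += any(t in name for t in EXPORT_TERMS)
        b["bulk_read_events"] += any(t in name for t in BULK_READ_TERMS)
        b["source_ips"].add(ip)
    return buckets


def alerts(events, threshold=HOURLY_THRESHOLD, allowlist=ALLOWLISTED_ACCOUNTS):
    """Apply the HAVING clause, then drop allowlisted accounts; returns sorted (user, hour, reason)."""
    flagged = []
    for (user, hour), b in aggregate(events).items():
        if user in allowlist:
            continue  # tuned out per the False Positives & Tuning notes
        if b["export_events"] >= 1:
            flagged.append((user, hour, "export"))  # any export/search operation is high-fidelity
        elif b["event_count"] > threshold:
            flagged.append((user, hour, "bulk_access"))
    return sorted(flagged)


if __name__ == "__main__":
    for user, hour, reason in alerts(SAMPLE_EVENTS):
        print(f"{hour} {user:<12} {reason}")
```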

Testing Methodology

Validate this detection with the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Microsoft Teams Bulk Channel and Message Enumeration via PowerShell

    Expected signal: OfficeActivity events with RecordType=MicrosoftTeams and Operations including TeamListed and ChannelListed. CloudAppEvents with AppName='Microsoft Teams' and multiple ActionType entries for channel read operations. Azure AD SigninLogs showing Teams PowerShell module authentication against graph.microsoft.com.

  2. Test 2: Microsoft Graph API Teams Channel Message Retrieval

    Expected signal: Azure AD AuditLogs with OperationName='Add delegated permission grant' for ChannelMessage.Read.All scope (from initial consent). Azure AD SigninLogs with ResourceDisplayName='Microsoft Graph' showing token issuance. CloudAppEvents (if MDCA connected) showing Teams API access attributed to the application or user. Network connections from the host to graph.microsoft.com.

  3. Test 3: Slack API Bulk Channel Message Harvest

    Expected signal: Slack Enterprise Grid audit logs showing actor performing search_performed, file_downloaded, and channel_joined actions. Network traffic logs showing HTTP GET requests to slack.com/api/conversations.list and slack.com/api/conversations.history at high frequency. Sysmon EventCode=1 for the curl or python3 processes. Large HTTP response bodies in proxy logs.

  4. Test 4: Microsoft Purview Compliance Center Teams Content Search and Export

    Expected signal: OfficeActivity events with RecordType=SecurityComplianceCenter and Operations: SearchCreated, SearchStarted, SearchCompleted, ExportReport, SearchExported. Azure AD SigninLogs for the compliance PowerShell session authentication. CloudAppEvents may attribute Teams data access to the compliance service principal during the search execution.
