Detect Messaging Applications in Microsoft Sentinel
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Slack, and Google Chat, to mine valuable information including credentials, API keys, source code snippets, internal resource links, and proprietary data. Threat actors including Scattered Spider, LAPSUS$, and Fox Kitten have deliberately searched victim messaging platforms for credentials shared informally in chat, internal tooling documentation, and active incident response communications. This technique is particularly dangerous because employees routinely share sensitive information in messaging apps with an expectation of privacy, and because bulk message access by a compromised account often appears indistinguishable from normal user activity without behavioral baselining.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1213 Data from Information Repositories
- Sub-technique: T1213.005 Messaging Applications
- Canonical reference: https://attack.mitre.org/techniques/T1213/005/
KQL Detection Query

```kusto
// T1213.005 - Messaging Application Data Mining
// Detects bulk or suspicious access to Teams/Slack message content via MDCA and O365 audit logs
let LookbackPeriod = 24h;
let BulkEventThreshold = 100;
let SuspiciousExportOps = dynamic(["Export", "ContentSearch", "SearchExported", "ExportReport", "ViewedSearchExported", "BulkDownload", "SearchCreated"]);
// Branch 1: High-volume messaging app activity via Microsoft Defender for Cloud Apps
let CloudAppBulkAccess =
    CloudAppEvents
    | where Timestamp > ago(LookbackPeriod)
    | where AppName has_any ("Microsoft Teams", "Slack", "Google Chat", "Webex", "Workplace from Meta")
    | where ActionType in~ (
        "FileDownloaded", "FilePreviewed", "FileAccessed",
        "MessageRead", "ChannelRead",
        "SearchPerformed", "ItemShared"
    )
    | summarize
        EventCount = count(),
        UniqueActions = dcount(ActionType),
        Actions = make_set(ActionType, 10),
        UniqueChannels = dcount(tostring(RawEventData.ChannelName)),
        SourceIPs = make_set(IPAddress, 5),
        FirstSeen = min(Timestamp),
        LastSeen = max(Timestamp)
        by AccountDisplayName, AccountObjectId, AppName
    | where EventCount > BulkEventThreshold
    | extend DetectionSource = "CloudAppEvents", RiskIndicator = "High-volume messaging app data access";
// Branch 2: Microsoft 365 compliance/eDiscovery export of Teams data
let TeamsComplianceExport =
    OfficeActivity
    | where TimeGenerated > ago(LookbackPeriod)
    | where RecordType in ("MicrosoftTeams", "SecurityComplianceCenter")
    | where Operation has_any (SuspiciousExportOps)
    | summarize
        EventCount = count(),
        Operations = make_set(Operation, 10),
        UniqueActions = dcount(Operation),
        SourceIPs = make_set(ClientIP, 5),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
        by UserId, RecordType
    | extend AccountDisplayName = UserId, AccountObjectId = "",
        AppName = "Microsoft Teams (Compliance)",
        Actions = Operations, UniqueChannels = 0,
        DetectionSource = "OfficeActivity", RiskIndicator = "Teams compliance export/search operation";
// Combine results
union CloudAppBulkAccess, TeamsComplianceExport
| project FirstSeen, LastSeen, AccountDisplayName, AppName, SourceIPs,
    EventCount, UniqueActions, Actions, DetectionSource, RiskIndicator
| sort by EventCount desc
```

Detects potential messaging application data mining by monitoring for bulk access patterns in Microsoft Teams, Slack, and Google Chat via Defender for Cloud Apps (CloudAppEvents) and Office 365 audit logs (OfficeActivity). Branch 1 identifies users generating unusually high event volumes (more than BulkEventThreshold events per account and app within the lookback window) across file download, search, and message read actions in messaging platforms. Branch 2 catches compliance center and eDiscovery export operations targeting Teams data, which adversaries with elevated privileges can leverage to extract large volumes of historical messages and files; note that Branch 2 applies no volume threshold, so a single matching search or export operation produces a row. Requires Microsoft Defender for Cloud Apps connected to Teams/Slack and Microsoft Sentinel ingesting OfficeActivity.
Data Sources
Required Tables
- CloudAppEvents (Microsoft Defender for Cloud Apps)
- OfficeActivity (Office 365 audit log)
False Positives & Tuning
- eDiscovery and compliance officers performing legitimate legal holds or audit-required content searches against Teams data — these accounts will consistently trigger the compliance export branch
- Security operations analysts searching Teams or Slack for evidence during an authorized internal investigation or incident response engagement
- Third-party backup and archival solutions (e.g., AvePoint, Skykick, Backupify, Datto SaaS) that systematically access all channels and generate high-volume access events
- HR or legal personnel conducting authorized data subject access requests (DSARs) under GDPR or CCPA requirements
- Automated monitoring bots or compliance integrations that continuously read message channels to enforce retention or DLP policies
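To make both branches of the query testable offline, and to show where the tuning for the accounts listed above belongs, here is a Python re-implementation of the same logic run over constructed CloudAppEvents- and OfficeActivity-shaped records. This is an added example, not the page's query or any Microsoft code: the account names, IP addresses, timestamps and the ALLOWLIST set are invented, and the allowlist stands in for the Sentinel watchlist (for example via `_GetWatchlist`) you would use to exclude known backup, eDiscovery and bot accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOOKBACK = timedelta(hours=24)
BULK_EVENT_THRESHOLD = 100
MESSAGING_APPS = {"Microsoft Teams", "Slack", "Google Chat", "Webex", "Workplace from Meta"}
# KQL `in~` is case-insensitive, so both sides are lowercased before comparison.
BULK_ACTIONS = {a.lower() for a in ("FileDownloaded", "FilePreviewed", "FileAccessed",
                                    "MessageRead", "ChannelRead", "SearchPerformed", "ItemShared")}
EXPORT_OPS = {o.lower() for o in ("Export", "ContentSearch", "SearchExported", "ExportReport",
                                  "ViewedSearchExported", "BulkDownload", "SearchCreated")}
COMPLIANCE_RECORD_TYPES = {"MicrosoftTeams", "SecurityComplianceCenter"}
# Tuning allowlist (constructed names): accounts from the false-positive list that are expected
# to produce bulk or export activity. In Sentinel this would normally be a watchlist lookup.
ALLOWLIST = {"svc-backup@example.com", "ediscovery.officer@example.com"}


def _row(account, app, evs, ts_field, ip_field, action_field, channels, source, risk):
    """Build one output row with the same columns the KQL projects."""
    return {"FirstSeen": min(e[ts_field] for e in evs), "LastSeen": max(e[ts_field] for e in evs),
            "AccountDisplayName": account, "AppName": app,
            "SourceIPs": sorted({e[ip_field] for e in evs}), "EventCount": len(evs),
            "UniqueActions": len({e[action_field] for e in evs}), "UniqueChannels": channels,
            "DetectionSource": source, "RiskIndicator": risk}


def bulk_messaging_access(events, now, threshold=BULK_EVENT_THRESHOLD):
    """Branch 1: summarise messaging-app activity per (account, app); keep groups above threshold."""
    groups = defaultdict(list)
    for ev in events:
        if ev["Timestamp"] <= now - LOOKBACK or ev["AppName"] not in MESSAGING_APPS:
            continue
        if ev["ActionType"].lower() in BULK_ACTIONS:
            groups[(ev["AccountDisplayName"], ev["AppName"])].append(ev)
    return [_row(account, app, evs, "Timestamp", "IPAddress", "ActionType",
                 channels=len({e.get("ChannelName") for e in evs}), source="CloudAppEvents",
                 risk="High-volume messaging app data access")
            for (account, app), evs in groups.items() if len(evs) > threshold]


def teams_compliance_export(events, now):
    """Branch 2: any Teams/compliance-center search or export operation; no volume threshold."""
    groups = defaultdict(list)
    for ev in events:
        if ev["TimeGenerated"] <= now - LOOKBACK or ev["RecordType"] not in COMPLIANCE_RECORD_TYPES:
            continue
        # Operation names are single tokens, so the KQL has_any reduces to a whole-word match.
        if ev["Operation"].lower() in EXPORT_OPS:
            groups[(ev["UserId"], ev["RecordType"])].append(ev)
    return [_row(user, "Microsoft Teams (Compliance)", evs, "TimeGenerated", "ClientIP", "Operation",
                 channels=0, source="OfficeActivity", risk="Teams compliance export/search operation")
            for (user, _record_type), evs in groups.items()]


def run_detection(cloud_app_events, office_activity, now, allowlist=ALLOWLIST):
    """Union both branches, drop allowlisted accounts, sort by EventCount descending."""
    rows = bulk_messaging_access(cloud_app_events, now) + teams_compliance_export(office_activity, now)
    return sorted((r for r in rows if r["AccountDisplayName"] not in allowlist),
                  key=lambda r: r["EventCount"], reverse=True)


# ---- Constructed sample telemetry (all accounts, IPs and times are made up) ----
NOW = datetime(2024, 5, 1, 12, 0, 0)


def _teams_events(account, count, ips, action="MessageRead", age=timedelta(0)):
    return [{"Timestamp": NOW - age - timedelta(minutes=i), "AppName": "Microsoft Teams",
             "ActionType": action, "AccountDisplayName": account,
             "IPAddress": ips[i % len(ips)], "ChannelName": f"channel-{i % 12}"} for i in range(count)]


def _office_events(user, ops, record_type, ip):
    return [{"TimeGenerated": NOW - timedelta(minutes=5 * i), "RecordType": record_type,
             "Operation": op, "UserId": user, "ClientIP": ip} for i, op in enumerate(ops)]


SAMPLE_CLOUD_APP_EVENTS = (
    _teams_events("alice@example.com", 20, ["10.0.0.5"])                                    # normal use
    + _teams_events("compromised.user@example.com", 150, ["203.0.113.7", "198.51.100.9"])  # bulk reads
    + _teams_events("svc-backup@example.com", 400, ["10.0.0.50"], action="FileAccessed")   # allowlisted
    + _teams_events("stale@example.com", 200, ["10.0.0.8"], age=timedelta(hours=30))       # outside lookback
)
SAMPLE_OFFICE_ACTIVITY = (
    _office_events("ediscovery.officer@example.com", ["SearchCreated", "SearchExported"],
                   "SecurityComplianceCenter", "10.0.0.20")                                   # allowlisted
    + _office_events("compromised.admin@example.com", ["SearchCreated", "ExportReport", "SearchExported"],
                     "SecurityComplianceCenter", "203.0.113.7")
    + _office_events("bob@example.com", ["TeamCreated"], "MicrosoftTeams", "10.0.0.9")       # not an export op
)

if __name__ == "__main__":
    for r in run_detection(SAMPLE_CLOUD_APP_EVENTS, SAMPLE_OFFICE_ACTIVITY, NOW):
        print(f"{r['AccountDisplayName']:32} {r['AppName']:30} {r['EventCount']:4}  {r['RiskIndicator']}")
```

Running it yields two rows: the bulk-reading Teams account from Branch 1 and the admin running a compliance search and export from Branch 2, while the backup service account and the eDiscovery officer are dropped by the allowlist and the 200 events older than the lookback never enter the count. Applying the allowlist after the union rather than inside each branch keeps the branch logic identical to the KQL and makes the tuning a single, auditable list.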
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Microsoft Teams Bulk Channel and Message Enumeration via PowerShell
Expected signal: OfficeActivity events with RecordType=MicrosoftTeams and Operations including TeamListed and ChannelListed. CloudAppEvents with AppName='Microsoft Teams' and multiple ActionType entries for channel read operations. Azure AD SigninLogs showing Teams PowerShell module authentication against graph.microsoft.com.
- Test 2: Microsoft Graph API Teams Channel Message Retrieval
Expected signal: Azure AD AuditLogs with OperationName='Add delegated permission grant' for ChannelMessage.Read.All scope (from initial consent). Azure AD SigninLogs with ResourceDisplayName='Microsoft Graph' showing token issuance. CloudAppEvents (if MDCA connected) showing Teams API access attributed to the application or user. Network connections from the host to graph.microsoft.com.
- Test 3: Slack API Bulk Channel Message Harvest
Expected signal: Slack Enterprise Grid audit logs showing actor performing search_performed, file_downloaded, and channel_joined actions. Network traffic logs showing HTTP GET requests to slack.com/api/conversations.list and slack.com/api/conversations.history at high frequency. Sysmon EventCode=1 for the curl or python3 processes. Large HTTP response bodies in proxy logs.
- Test 4: Microsoft Purview Compliance Center Teams Content Search and Export
Expected signal: OfficeActivity events with RecordType=SecurityComplianceCenter and Operations: SearchCreated, SearchStarted, SearchCompleted, ExportReport, SearchExported. Azure AD SigninLogs for the compliance PowerShell session authentication. CloudAppEvents may attribute Teams data access to the compliance service principal during the search execution.
References
- https://attack.mitre.org/techniques/T1213/005/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
- https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/graph/api/channel-list-messages
- https://api.slack.com/enterprise/audit-logs
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-activities-api
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table