Detect Messaging Applications in Splunk
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Slack, and Google Chat, to mine valuable information including credentials, API keys, source code snippets, internal resource links, and proprietary data. Threat actors including Scattered Spider, LAPSUS$, and Fox Kitten have deliberately searched victim messaging platforms for credentials shared informally in chat, internal tooling documentation, and active incident response communications. This technique is particularly dangerous because employees routinely share sensitive information in messaging apps with an expectation of privacy, and because bulk message access by a compromised account often appears indistinguishable from normal user activity without behavioral baselining.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.005 Messaging Applications
- Canonical reference
- https://attack.mitre.org/techniques/T1213/005/
SPL Detection Query
// T1213.005 - Messaging Application Data Mining
// Detects bulk Teams/Slack data access via O365 Management Activity and Slack Enterprise audit logs
(
index=o365 sourcetype="o365:management:activity"
(Workload="MicrosoftTeams" OR Workload="SecurityComplianceCenter")
)
OR
(
index=slack_audit sourcetype="slack:audit"
(action="file_downloaded" OR action="search_performed" OR action="channel_joined"
OR action="message_channel_export" OR action="user_channel_join")
)
| eval app_name=coalesce(Workload, "Slack")
| eval operation_name=coalesce(Operation, action)
| eval source_ip=coalesce(ClientIP, ip_address)
| eval user_id=coalesce(UserId, mvindex(split(actor, ":"), 1))
| eval is_export=if(match(lower(operation_name),
"export|contentsearch|searchexported|viewedsearchexported|bulkdownload|searchcreated"), 1, 0)
| eval is_bulk_read=if(match(lower(operation_name),
"messagelist|channellist|filelist|filedownload|search_performed"), 1, 0)
| bin _time span=1h
| stats
count as EventCount,
sum(is_export) as ExportEvents,
sum(is_bulk_read) as BulkReadEvents,
dc(operation_name) as UniqueOps,
values(operation_name) as Operations,
values(source_ip) as SourceIPs,
earliest(_time) as FirstEvent,
latest(_time) as LastEvent
by user_id, app_name
| where EventCount > 50 OR ExportEvents >= 1
| eval RiskLevel=case(
ExportEvents >= 1 AND EventCount > 100, "High",
ExportEvents >= 1, "Medium",
EventCount > 200, "Medium",
BulkReadEvents > 50, "Medium",
1=1, "Low"
)
| where RiskLevel IN ("High", "Medium")
| table FirstEvent, LastEvent, user_id, app_name, EventCount, ExportEvents, BulkReadEvents, UniqueOps, Operations, SourceIPs, RiskLevel
| sort - EventCountDetects messaging application data mining by analyzing Office 365 Management Activity logs for Microsoft Teams/SharePoint and Slack Enterprise Grid audit events. Identifies high event volumes per user per hour and specifically flags export and content search operations which indicate adversaries extracting bulk message data. The query normalizes fields across both log sources and assigns risk levels based on export activity and overall event volume. Requires the Splunk Add-on for Microsoft Office 365 (for o365:management:activity) and Slack Enterprise Grid audit log ingestion (for slack:audit).
Data Sources
Required Sourcetypes
False Positives & Tuning
- eDiscovery and legal compliance operations performing authorized content searches and exports from Teams via the Microsoft Purview compliance center
- Security operations teams searching Slack or Teams to coordinate incident response, generating elevated message read volumes
- Third-party backup and archival tools (e.g., AvePoint, Datto, Backupify) that systematically access all channels for backup purposes and will consistently trigger bulk thresholds
- HR or legal personnel conducting authorized GDPR/CCPA data subject access requests that involve Teams message exports
- Developers testing Slack or Teams bot integrations during development that generate high API call volumes
Other platforms for T1213.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Microsoft Teams Bulk Channel and Message Enumeration via PowerShell
Expected signal: OfficeActivity events with RecordType=MicrosoftTeams and Operations including TeamListed and ChannelListed. CloudAppEvents with AppName='Microsoft Teams' and multiple ActionType entries for channel read operations. Azure AD SigninLogs showing Teams PowerShell module authentication against graph.microsoft.com.
- Test 2Microsoft Graph API Teams Channel Message Retrieval
Expected signal: Azure AD AuditLogs with OperationName='Add delegated permission grant' for ChannelMessage.Read.All scope (from initial consent). Azure AD SigninLogs with ResourceDisplayName='Microsoft Graph' showing token issuance. CloudAppEvents (if MDCA connected) showing Teams API access attributed to the application or user. Network connections from the host to graph.microsoft.com.
- Test 3Slack API Bulk Channel Message Harvest
Expected signal: Slack Enterprise Grid audit logs showing actor performing search_performed, file_downloaded, and channel_joined actions. Network traffic logs showing HTTP GET requests to slack.com/api/conversations.list and slack.com/api/conversations.history at high frequency. Sysmon EventCode=1 for the curl or python3 processes. Large HTTP response bodies in proxy logs.
- Test 4Microsoft Purview Compliance Center Teams Content Search and Export
Expected signal: OfficeActivity events with RecordType=SecurityComplianceCenter and Operations: SearchCreated, SearchStarted, SearchCompleted, ExportReport, SearchExported. Azure AD SigninLogs for the compliance PowerShell session authentication. CloudAppEvents may attribute Teams data access to the compliance service principal during the search execution.
References (11)
- https://attack.mitre.org/techniques/T1213/005/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
- https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/graph/api/channel-list-messages
- https://api.slack.com/enterprise/audit-logs
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-activities-api
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table
Unlock Pro Content
Get the full detection package for T1213.005 including response playbook, investigation guide, and atomic red team tests.