Detect Messaging Applications in Sumo Logic CSE
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Slack, and Google Chat, to mine valuable information including credentials, API keys, source code snippets, internal resource links, and proprietary data. Threat actors including Scattered Spider, LAPSUS$, and Fox Kitten have deliberately searched victim messaging platforms for credentials shared informally in chat, internal tooling documentation, and active incident response communications. This technique is particularly dangerous because employees routinely share sensitive information in messaging apps with an expectation of privacy, and because bulk message access by a compromised account often appears indistinguishable from normal user activity without behavioral baselining.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1213 Data from Information Repositories
- Sub-technique: T1213.005 Messaging Applications
- Canonical reference: https://attack.mitre.org/techniques/T1213/005/
Sumo Detection Query

```
// T1213.005 - Messaging Application Data Mining
// Detects bulk or export-based access to Teams/Slack/Google Chat via Sumo Logic CSE and cloud audit indexes
(_sourceCategory="o365/audit" OR _sourceCategory="slack/audit" OR _sourceCategory="google/workspace/audit")
| json field=_raw "Workload" as workload nodrop
| json field=_raw "Operation" as operation nodrop
| json field=_raw "UserId" as user_id nodrop
| json field=_raw "ClientIP" as client_ip nodrop
| json field=_raw "action" as slack_action nodrop
| json field=_raw "actor" as slack_actor nodrop
| json field=_raw "ip_address" as slack_ip nodrop
| json field=_raw "email" as google_user nodrop
| json field=_raw "event_type" as google_event nodrop
// Normalize fields across sources (Sumo assigns with "expr as field", not eval)
| if(!isNull(workload), workload,
    if(!isNull(slack_action), "Slack",
      if(!isNull(google_event), "GoogleChat", "Unknown"))) as app_name
| if(!isNull(operation), operation,
    if(!isNull(slack_action), slack_action,
      if(!isNull(google_event), google_event, "unknown"))) as op_name
| if(!isNull(user_id), user_id,
    if(!isNull(slack_actor), slack_actor,
      if(!isNull(google_user), google_user, "unknown"))) as uid
| if(!isNull(client_ip), client_ip,
    if(!isNull(slack_ip), slack_ip, "unknown")) as src_ip
// Flag export and bulk read operations
| if(op_name matches /(?i)(export|contentsearch|searchexported|viewedsearchexported|bulkdownload|searchcreated)/, 1, 0) as is_export
| if(op_name matches /(?i)(messagelist|channellist|filelist|filedownload|messageread|channelread|search_performed|file_downloaded)/, 1, 0) as is_bulk_read
// Restrict to relevant apps
| where app_name in ("MicrosoftTeams", "SecurityComplianceCenter", "Slack", "GoogleChat", "Webex")
    OR op_name matches /(?i)(team|slack|chat|channel|message)/
// Time bucket aggregation (1-hour windows)
| timeslice 1h
| count as EventCount,
  sum(is_export) as ExportEvents,
  sum(is_bulk_read) as BulkReadEvents,
  count_distinct(op_name) as UniqueOps,
  values(op_name) as Operations,
  values(src_ip) as SourceIPs,
  min(_messageTime) as FirstEvent,
  max(_messageTime) as LastEvent
  by uid, app_name, _timeslice
| where EventCount > 50 OR ExportEvents >= 1
// Risk scoring: any export-class operation outranks volume alone
| if(ExportEvents >= 1 AND EventCount > 100, "High",
    if(ExportEvents >= 1, "Medium",
      if(EventCount > 200, "Medium",
        if(BulkReadEvents > 50, "Medium", "Low")))) as RiskLevel
| where RiskLevel in ("High", "Medium")
| fields FirstEvent, LastEvent, uid, app_name, EventCount, ExportEvents, BulkReadEvents, UniqueOps, Operations, SourceIPs, RiskLevel
| sort by EventCount desc
```

Detects bulk message data access and export operations across Microsoft Teams, Slack, and Google Chat using Sumo Logic Cloud SIEM with normalized cloud audit log ingestion. Aggregates hourly activity per user and surfaces accounts with high-volume reads (more than 50 events in an hour) or any compliance export/content search operation. Risk scoring distinguishes high-confidence export abuse from volumetric bulk-read anomalies: an export-class operation alone yields Medium, an export combined with more than 100 events in the same hour yields High, and pure volume only reaches Medium above 200 events (or above 50 bulk-read events).
Data Sources
The query reads three source categories, which should be adjusted to match the local collector configuration: o365/audit (Microsoft 365 unified audit log, covering the MicrosoftTeams and SecurityComplianceCenter workloads), slack/audit (Slack Enterprise Grid audit logs), and google/workspace/audit (Google Workspace audit events for Chat).
False Positives & Tuning
- Compliance officers or counsel using the Microsoft Purview Content Search tool for legitimate regulatory or litigation hold activities, generating high ExportEvents counts
- Automated Slack bots using the Conversations API to build search indexes, analytics dashboards, or compliance archives on behalf of the organization
- IT migration tools or third-party SaaS backup vendors (e.g., Backupify, Avepoint) that systematically read all channels and messages as part of scheduled backup jobs
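The query above cannot be run outside Sumo Logic, so the following is an added Python reference implementation of the same pipeline (field coalescing across the three audit formats, one-hour bucketing per user and app, the is_export/is_bulk_read flags, and the RiskLevel ladder) together with the allowlist tuning suggested by the false-positive notes. It is not Sumo Logic's code or part of the original page; the audit records, operation names such as BulkDownloadStarted and MESSAGE_READ, user names and IP addresses are all constructed for the example.

```python
import json
import re
from collections import defaultdict

# Patterns mirror the query's is_export / is_bulk_read flags and the app-name fallback
EXPORT_RE = re.compile(r"export|contentsearch|searchexported|viewedsearchexported|bulkdownload|searchcreated", re.I)
BULK_READ_RE = re.compile(r"messagelist|channellist|filelist|filedownload|messageread|channelread|search_performed|file_downloaded", re.I)
APP_HINT_RE = re.compile(r"team|slack|chat|channel|message", re.I)
RELEVANT_APPS = {"MicrosoftTeams", "SecurityComplianceCenter", "Slack", "GoogleChat", "Webex"}
HOUR_MS = 3_600_000


def normalize(raw):
    """Coalesce O365 / Slack / Google Workspace audit fields exactly as the query does."""
    r = json.loads(raw)
    app = r.get("Workload") or ("Slack" if "action" in r else "GoogleChat" if "event_type" in r else "Unknown")
    op = r.get("Operation") or r.get("action") or r.get("event_type") or "unknown"
    uid = r.get("UserId") or r.get("actor") or r.get("email") or "unknown"
    src_ip = r.get("ClientIP") or r.get("ip_address") or "unknown"
    return app, op, uid, src_ip


def risk_level(event_count, export_events, bulk_read_events):
    """Same nested-if ladder as the query's RiskLevel field."""
    if export_events >= 1 and event_count > 100:
        return "High"
    if export_events >= 1 or event_count > 200 or bulk_read_events > 50:
        return "Medium"
    return "Low"


def detect(events, allowlist=frozenset()):
    """events: iterable of (epoch_ms, raw_json). Returns High/Medium rows, busiest first.
    allowlist: principals (compliance reviewers, backup service accounts) excluded as tuning."""
    buckets = defaultdict(lambda: {"EventCount": 0, "ExportEvents": 0, "BulkReadEvents": 0,
                                   "Operations": set(), "SourceIPs": set(), "FirstEvent": None, "LastEvent": None})
    for ts, raw in events:
        app, op, uid, src_ip = normalize(raw)
        if uid in allowlist:
            continue
        if app not in RELEVANT_APPS and not APP_HINT_RE.search(op):
            continue
        b = buckets[(uid, app, ts // HOUR_MS * HOUR_MS)]  # timeslice 1h
        b["EventCount"] += 1
        b["ExportEvents"] += bool(EXPORT_RE.search(op))
        b["BulkReadEvents"] += bool(BULK_READ_RE.search(op))
        b["Operations"].add(op)
        b["SourceIPs"].add(src_ip)
        b["FirstEvent"] = ts if b["FirstEvent"] is None else min(b["FirstEvent"], ts)
        b["LastEvent"] = ts if b["LastEvent"] is None else max(b["LastEvent"], ts)
    alerts = []
    for (uid, app, slice_ms), b in buckets.items():
        if not (b["EventCount"] > 50 or b["ExportEvents"] >= 1):
            continue
        level = risk_level(b["EventCount"], b["ExportEvents"], b["BulkReadEvents"])
        if level in ("High", "Medium"):
            alerts.append({"uid": uid, "app_name": app, "_timeslice": slice_ms, "RiskLevel": level,
                           "UniqueOps": len(b["Operations"]),
                           **{k: (sorted(v) if isinstance(v, set) else v) for k, v in b.items()}})
    return sorted(alerts, key=lambda a: a["EventCount"], reverse=True)


# --- constructed sample telemetry (not real audit data) ---
BASE = 1_700_000_000_000  # constructed epoch-ms anchor; all events fall in one hour


def o365(op, user, workload="MicrosoftTeams", ip="203.0.113.10"):
    return json.dumps({"Workload": workload, "Operation": op, "UserId": user, "ClientIP": ip})


def slack(action, actor, ip="198.51.100.7"):
    return json.dumps({"action": action, "actor": actor, "ip_address": ip})


def gchat(event_type, email):
    return json.dumps({"event_type": event_type, "email": email})


SAMPLE_EVENTS = (
    # alice: 60 channel enumerations in one hour -> volumetric bulk read (Medium)
    [(BASE + i * 1000, o365("ChannelListed", "alice@example.com")) for i in range(60)]
    # dave: 109 message reads plus one export-class operation -> High
    + [(BASE + i * 1000, o365("MessageListed", "dave@example.com", ip="203.0.113.44")) for i in range(109)]
    + [(BASE + 120_000, o365("BulkDownloadStarted", "dave@example.com", ip="203.0.113.44"))]
    # bob: a single Purview content-search export -> Medium unless allowlisted
    + [(BASE + 5_000, o365("SearchExported", "bob@example.com", workload="SecurityComplianceCenter"))]
    # carol: 30 Slack searches -> under the 50-event threshold, no alert
    + [(BASE + i * 2000, slack("search_performed", "carol@example.com")) for i in range(30)]
    # erin: a few Google Chat reads -> no alert
    + [(BASE + i * 3000, gchat("MESSAGE_READ", "erin@example.com")) for i in range(5)]
)

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["RiskLevel"], row["uid"], row["app_name"], row["EventCount"], row["ExportEvents"], row["BulkReadEvents"])
    print("with compliance allowlist:", [r["uid"] for r in detect(SAMPLE_EVENTS, allowlist={"bob@example.com"})])
```

Running it yields dave (High, 110 events, 1 export), alice (Medium, 60 bulk reads) and bob (Medium, one export); passing bob's account in the allowlist drops his row, which is the tuning you would apply for named compliance reviewers or backup service principals rather than loosening the export threshold for everyone.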
Testing Methodology
Validate this detection against the four adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Microsoft Teams Bulk Channel and Message Enumeration via PowerShell
Expected signal: OfficeActivity events with RecordType=MicrosoftTeams and Operations including TeamListed and ChannelListed. CloudAppEvents with AppName='Microsoft Teams' and multiple ActionType entries for channel read operations. Azure AD SigninLogs showing Teams PowerShell module authentication against graph.microsoft.com.
- Test 2: Microsoft Graph API Teams Channel Message Retrieval
Expected signal: Azure AD AuditLogs with OperationName='Add delegated permission grant' for ChannelMessage.Read.All scope (from initial consent). Azure AD SigninLogs with ResourceDisplayName='Microsoft Graph' showing token issuance. CloudAppEvents (if MDCA connected) showing Teams API access attributed to the application or user. Network connections from the host to graph.microsoft.com.
- Test 3: Slack API Bulk Channel Message Harvest
Expected signal: Slack Enterprise Grid audit logs showing actor performing search_performed, file_downloaded, and channel_joined actions. Network traffic logs showing HTTP GET requests to slack.com/api/conversations.list and slack.com/api/conversations.history at high frequency. Sysmon EventCode=1 for the curl or python3 processes. Large HTTP response bodies in proxy logs.
- Test 4: Microsoft Purview Compliance Center Teams Content Search and Export
Expected signal: OfficeActivity events with RecordType=SecurityComplianceCenter and Operations: SearchCreated, SearchStarted, SearchCompleted, ExportReport, SearchExported. Azure AD SigninLogs for the compliance PowerShell session authentication. CloudAppEvents may attribute Teams data access to the compliance service principal during the search execution.
References
- https://attack.mitre.org/techniques/T1213/005/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
- https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/graph/api/channel-list-messages
- https://api.slack.com/enterprise/audit-logs
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-activities-api
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table