title: Messaging Applications (T1213.005)
id: df00tech-t1213-005
status: experimental
description: "Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Slack, and Google Chat, to mine valuable information including credentials, API keys, source code snippets, internal resource links, and proprietary data. Threat actors including Scattered Spider, LAPSUS$, and Fox Kitten have deliberately searched victim messaging platforms for credentials shared informally in chat, internal tooling documentation, and active incident response communications. This technique is particularly dangerous because employees routinely share sensitive information in messaging apps with an expectation of privacy, and because bulk message access by a compromised account often appears indistinguishable from normal user activity without behavioral baselining."
references:
  - https://attack.mitre.org/techniques/T1213/005/
  - https://df00tech.com/detections/T1213.005
author: df00tech
date: 2026/04/19
tags:
  - attack.t1213.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - eDiscovery and compliance officers performing legitimate legal holds or audit-required content searches against Teams data — these accounts will consistently trigger the compliance export branch
  - Security operations analysts searching Teams or Slack for evidence during an authorized internal investigation or incident response engagement
  - "Third-party backup and archival solutions (e.g., AvePoint, Skykick, Backupify, Datto SaaS) that systematically access all channels and generate high-volume access events"
  - HR or legal personnel conducting authorized data subject access requests (DSARs) under GDPR or CCPA requirements
  - Automated monitoring bots or compliance integrations that continuously read message channels to enforce retention or DLP policies
level: high
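The description above notes that bulk message access by a compromised account is hard to separate from ordinary use without behavioral baselining, and the false-positive list names the backup and compliance identities that legitimately read everything. The following Python script is an added example (not part of the df00tech rule or its KQL/SPL query) of one way to do that baselining over exported audit events: it compares each account's read/list volume for a day against that account's own median from prior days, falls back to an absolute floor when no history exists, and downgrades rather than suppresses findings for known bulk-reader accounts. The operation names, account addresses, thresholds and every event below are constructed assumptions; map the names to your tenant's Teams or Slack audit schema before use.

```python
"""
Behavioral baselining for bulk message access (T1213.005).

Added example, not part of the df00tech rule: scores each user's daily volume
of message read/list operations against that user's own history, so an account
that suddenly reads far more than it ever has stands out even though each
individual read looks like normal activity.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Assumed operation names for "read/list messages" and "export messages".
# Verify them against your own audit schema; Teams and Slack differ.
READ_OPS = {"MessageRead", "MessagesListed"}
EXPORT_OPS = {"MessagesExported"}

# Known compliance / backup identities (assumed placeholder addresses),
# mirroring the rule's false-positive list. Their findings are downgraded,
# not dropped, so abuse of such an account remains visible.
KNOWN_BULK_READERS = {"svc-backup@example.com", "ediscovery@example.com"}


def daily_counts(events):
    """Return {user: {date: number of read/list operations on that date}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["operation"] in READ_OPS:
            counts[ev["user"]][ev["date"]] += 1
    return counts


def is_bulk_access(history_counts, today_count, min_days=3, ratio=5.0, floor=50):
    """Decide whether today's read volume is anomalous for this user.

    history_counts: per-day read counts from days before today.
    Flags when today's count is large in absolute terms (>= floor) AND far
    above the user's own median (> ratio * median). With too little history
    the absolute floor alone decides, which is the caveat for new accounts.
    """
    if today_count < floor:
        return False
    if len(history_counts) < min_days:
        return True
    baseline = max(median(history_counts), 1)
    return today_count > ratio * baseline


def detect(events, day):
    """Return findings for `day`: bulk reads against baseline, plus exports
    performed by accounts that are not known compliance/backup identities."""
    findings = []
    for user, per_day in daily_counts(events).items():
        history = [c for d, c in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if is_bulk_access(history, today):
            findings.append({
                "user": user,
                "reason": "bulk_read",
                "count": today,
                "baseline_median": median(history) if history else None,
                "severity": "info" if user in KNOWN_BULK_READERS else "high",
            })
    for ev in events:
        if (ev["operation"] in EXPORT_OPS and ev["date"] == day
                and ev["user"] not in KNOWN_BULK_READERS):
            findings.append({"user": ev["user"],
                             "reason": "export_by_non_compliance_account",
                             "severity": "high"})
    return findings


def _reads(user, day, n):
    """Build n constructed read events for one user on one day."""
    return [{"user": user, "operation": "MessageRead", "date": day} for _ in range(n)]


# Constructed sample data: five days of history, then the day under review.
SAMPLE_EVENTS = []
for day_number in range(11, 16):
    d = date(2026, 4, day_number)
    SAMPLE_EVENTS += _reads("alice@example.com", d, 20)        # steady 20/day
    SAMPLE_EVENTS += _reads("svc-backup@example.com", d, 500)  # steady 500/day
TODAY = date(2026, 4, 16)
SAMPLE_EVENTS += _reads("alice@example.com", TODAY, 400)       # 20x her median
SAMPLE_EVENTS += _reads("svc-backup@example.com", TODAY, 520)  # within its own norm
SAMPLE_EVENTS += _reads("carol@example.com", TODAY, 60)        # no history at all
SAMPLE_EVENTS.append({"user": "bob@example.com", "operation": "MessagesExported",
                      "date": TODAY})

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, TODAY):
        print(finding)
```

Run against the constructed data, `detect` flags alice (400 reads against a median of 20), carol (no history, so only the absolute floor applies) and bob's export, while the backup service account is silent because 520 reads is normal for it. The per-user median is what keeps steady high-volume integrations quiet without an allowlist; the allowlist only changes severity, so a hijacked compliance identity still produces an `info` finding you can correlate with sign-in anomalies.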
