title: Chat Messages (T1552.008)
id: df00tech-t1552-008
status: experimental
description: "Adversaries may directly collect unsecured credentials stored or passed through user communication services. Corporate chat tools including Slack, Microsoft Teams, Jira, Confluence, and email frequently contain credentials shared between employees — API keys, passwords, database connection strings, SSH keys, and authentication tokens. LAPSUS$ specifically targeted Slack, Teams, JIRA, and Confluence to hunt for exposed credentials supporting privilege escalation and lateral movement. Adversaries may access stored chat logs on endpoints, query chat APIs with compromised tokens, compromise Slack integrations/bots, or search through message history for sensitive content."
references:
  - https://attack.mitre.org/techniques/T1552/008/
  - https://df00tech.com/detections/T1552.008
author: df00tech
date: 2026/04/20
tags:
  - attack.t1552.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Backup agents reading chat application local storage as part of user data backup
  - Enterprise compliance and DLP tools scanning chat application data for sensitive information
  - IT support tools that access Teams/Slack logs for troubleshooting purposes
  - Browser extensions or third-party integrations that legitimately access Slack/Teams local storage
  - Automated testing frameworks that access chat application data during end-to-end testing
level: high
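The detection block above is a placeholder, so here is an added example (not df00tech's rule logic) of the kind of process_creation check this rule would express: flag processes other than the chat client itself whose command line references Slack or Teams local storage, with an allowlist for the backup/DLP agents listed under falsepositives. The storage paths under %APPDATA%, the client executable names, the allowlisted agent name and the sample events are all assumptions constructed for the example.

```python
import re

# Constructed sample process_creation events (not real telemetry). Field
# names follow the Sysmon/Sigma convention for this logsource category.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\slack\slack.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\slack\slack.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Get-ChildItem C:\Users\alice\AppData\Roaming\Slack\storage"},
    {"Image": r"C:\Program Files\BackupVendor\agent.exe",
     "CommandLine": r"agent.exe --path C:\Users\alice\AppData\Roaming\Microsoft\Teams"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c type C:\Users\bob\AppData\Roaming\Microsoft\Teams\Cookies"},
]

# Assumed chat-client storage locations under %APPDATA%; tune per environment.
CHAT_STORAGE = re.compile(r"\\AppData\\Roaming\\(?:Slack|Microsoft\\Teams)\b",
                          re.IGNORECASE)
# Processes expected to touch that storage: the chat clients themselves (assumed names).
CHAT_CLIENTS = {"slack.exe", "teams.exe", "ms-teams.exe"}
# Allowlisted agents matching the falsepositives section (assumed executable name).
ALLOWLIST = {"agent.exe"}


def image_name(image):
    """Return the lower-cased executable name from a full Image path."""
    return image.rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """True when a non-chat, non-allowlisted process references chat storage."""
    if not CHAT_STORAGE.search(event.get("CommandLine", "")):
        return False
    name = image_name(event.get("Image", ""))
    return name not in CHAT_CLIENTS and name not in ALLOWLIST


def detect(events):
    """Return the events that would raise an alert under this logic."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["CommandLine"])
```

Against the constructed events, only the PowerShell and cmd.exe accesses alert; the client's own start-up and the allowlisted backup agent do not.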
