Description
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:
- Testing / development credentials (i.e., Chat Messages)
- Source code snippets
- Links to network shares and other internal resources
- Proprietary data (Citation: Guardian Grand Theft Auto Leak 2022)
- Discussions about ongoing incident response efforts (Citation: SC Magazine Ragnar Locker 2021)(Citation: Microsoft DEV-0537)
In addition to exfiltrating data from messaging applications, adversaries may use the content of chat messages to improve their targeting, for example by learning more about the environment or by evading ongoing incident response efforts.(Citation: Sentinel Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)
Platforms
Mitigations (3)
| ID | Mitigation | Description |
|---|---|---|
| M1017 | User Training | Develop and publish policies that define acceptable information to be posted in chat applications. |
| M1047 | Audit | Preemptively search through communication services to find inappropriately shared data, and take actions to reduce exposure when found. |
| M1060 | Out-of-Band Communications Channel | Implement secure out-of-band communication channels to use as an alternative to in-network chat applications during a security incident. This ensures that critical communications remain secure even if primary messaging channels are compromised by adversaries.(Citation: TrustedSec OOB Communications) |
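The Audit mitigation (M1047) calls for preemptively searching communication services for inappropriately shared data. The following Python is an added example, not code from ATT&CK or from any chat vendor: it scans a constructed chat export for the content categories named in the description (credentials, cloud access key IDs, private keys, UNC paths to network shares, and incident-response discussion) and emits a redacted report so that the audit output does not itself re-expose the secret. The record shape (`channel`/`user`/`ts`/`text`), the sample messages, and the pattern set are all assumptions for this example; the AWS key shown is the documented `AKIAIOSFODNN7EXAMPLE` placeholder.

```python
import json
import re
from collections import defaultdict

# Constructed sample of a chat export. The record shape and every message below are
# assumptions for this example, not any vendor's export format.
SAMPLE_EXPORT = [
    {"channel": "dev-backend", "user": "alice", "ts": "2024-05-01T10:02:00Z",
     "text": "staging db creds: user=deploy pass=Summer2024! please don't share"},
    {"channel": "dev-backend", "user": "bob", "ts": "2024-05-01T10:05:00Z",
     "text": "use AKIAIOSFODNN7EXAMPLE for the test bucket"},
    {"channel": "general", "user": "carol", "ts": "2024-05-01T11:00:00Z",
     "text": "lunch at noon?"},
    {"channel": "ops", "user": "dave", "ts": "2024-05-02T09:00:00Z",
     "text": "build artifacts are on \\\\fileserver01\\builds\\nightly"},
    {"channel": "ops", "user": "erin", "ts": "2024-05-02T09:30:00Z",
     "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----"},
    {"channel": "ir-war-room", "user": "frank", "ts": "2024-05-03T08:00:00Z",
     "text": "incident response update: we isolated host WS-117, attacker IP still unknown"},
]

# One pattern per content category from the technique description (assumed set, extend as needed).
PATTERNS = {
    "password_assignment": re.compile(r"\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "unc_share_path": re.compile(r"\\\\[\w.-]+\\[\w$.-]+"),
    "incident_response_talk": re.compile(
        r"\b(?:incident response|isolat(?:ed|ing)|containment|attacker)\b", re.IGNORECASE),
}


def redact(secret, keep=4):
    """Keep only a short prefix so the report identifies the hit without repeating the secret."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_export(messages, patterns=PATTERNS):
    """Return one finding per (message, pattern) hit; the matched text is redacted."""
    findings = []
    for msg in messages:
        for name, rx in patterns.items():
            m = rx.search(msg["text"])
            if m:
                findings.append({
                    "channel": msg["channel"],
                    "user": msg["user"],
                    "ts": msg["ts"],
                    "finding": name,
                    "snippet": redact(m.group(0)),
                })
    return findings


def summarize(findings):
    """Count findings per channel and category, which is what an exposure-reduction ticket needs."""
    by_channel = defaultdict(lambda: defaultdict(int))
    for f in findings:
        by_channel[f["channel"]][f["finding"]] += 1
    return {ch: dict(counts) for ch, counts in by_channel.items()}


if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT)
    print(json.dumps(results, indent=2))
    print(json.dumps(summarize(results), indent=2))
```

Against a real export the same loop runs over the exported JSON per channel; the point of the redaction step is that the audit report is itself a document that will be shared, so it must not become a second copy of the credential.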
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has accessed victim security and IT environments and Microsoft Teams to mine valuable information.... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) threat actors search the victim’s Slack and Microsoft Teams for conversations about the intr... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has searched a victim's network for organization collaboration channels like MS Teams or Slack to dis... |
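The group entries above describe actors searching a victim's Slack and Microsoft Teams for conversations about the intrusion. As an added example, not from ATT&CK or from any chat vendor, the Python below is a detection heuristic over constructed search-audit events: it flags an account that sweeps workspace search for several sensitive terms inside a short window, which is the behavioural signature of this technique rather than of ordinary use. The event fields (`ts`/`actor`/`action`/`query`), the sample records, the term list, and the window and threshold values are all assumptions, not a vendor's audit-log schema or a tuned rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of terms whose repeated searching is worth a look (defender-tuned, not exhaustive).
SENSITIVE_TERMS = ("password", "credential", "vpn", "incident", "edr", "forensic", "ransom")

# Constructed search-audit events; the shape is an assumption for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-05-03T08:00:00Z", "actor": "alice", "action": "search", "query": "lunch menu"},
    {"ts": "2024-05-03T08:10:00Z", "actor": "alice", "action": "search", "query": "sprint planning"},
    {"ts": "2024-05-03T22:01:00Z", "actor": "bob", "action": "search", "query": "password"},
    {"ts": "2024-05-03T22:03:00Z", "actor": "bob", "action": "search", "query": "vpn"},
    {"ts": "2024-05-03T22:04:00Z", "actor": "bob", "action": "search", "query": "incident response"},
    {"ts": "2024-05-03T22:06:00Z", "actor": "bob", "action": "search", "query": "edr"},
    {"ts": "2024-05-03T22:09:00Z", "actor": "bob", "action": "search", "query": "forensic"},
    {"ts": "2024-05-04T09:00:00Z", "actor": "bob", "action": "search", "query": "team offsite"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def sensitive_terms_in(query):
    q = query.lower()
    return {t for t in SENSITIVE_TERMS if t in q}


def detect_keyword_sweeps(events, window=timedelta(minutes=30), threshold=3):
    """Alert when one actor issues >= threshold sensitive searches within `window` of the first one.

    Searches are grouped per actor into clusters anchored on the cluster's first hit, so a slow
    trickle of searches spread over days does not fire, while a burst does.
    """
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "search":
            continue
        terms = sensitive_terms_in(e["query"])
        if terms:
            per_actor[e["actor"]].append((parse_ts(e["ts"]), terms))

    alerts = []
    for actor, hits in per_actor.items():
        clusters = []
        for ts, terms in hits:
            if clusters and ts - clusters[-1]["first"] <= window:
                c = clusters[-1]
                c["last"], c["count"] = ts, c["count"] + 1
                c["terms"] |= terms
            else:
                clusters.append({"first": ts, "last": ts, "count": 1, "terms": set(terms)})
        for c in clusters:
            if c["count"] >= threshold:
                alerts.append({
                    "actor": actor,
                    "first": c["first"].isoformat() + "Z",
                    "last": c["last"].isoformat() + "Z",
                    "count": c["count"],
                    "terms": sorted(c["terms"]),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_keyword_sweeps(SAMPLE_EVENTS):
        print(a)
```

In practice this rule is a triage signal rather than a verdict: the same burst is produced by an analyst doing a legitimate sweep, so the alert should be joined with sign-in context (new device, unusual hour, recent password reset) before anyone acts on it.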
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) has obtained data and credentials associated with messaging applications to include Slack.(Citat... |
References
- Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024.
- Ian Ahl. (2023, September 20). LUCR-3: Scattered Spider Getting SaaS-y in the Cloud. Retrieved September 25, 2023.
- Joe Uchill. (2021, December 3). Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms. Retrieved August 30, 2024.
- Keza MacDonald, Keith Stuart and Alex Hern. (2022, September 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen? Retrieved August 30, 2024.
- Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.
Frequently Asked Questions
What is T1213.005 (Messaging Applications)?
T1213.005 is a MITRE ATT&CK sub-technique named 'Messaging Applications'. It belongs to the Collection tactic. Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. The following is a brief list of example information that ma...
How can T1213.005 be detected?
Detection of T1213.005 (Messaging Applications) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1213.005?
There are 3 documented mitigations for T1213.005. Key mitigations include: User Training, Audit, Out-of-Band Communications Channel.
Which threat groups use T1213.005?
Known threat groups using T1213.005 include: Fox Kitten, Scattered Spider, LAPSUS$.