Credential Access

T1552.008: Chat Messages

T1552.008 · Sub-technique · 2 platforms · 1 group

Description

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.

Rather than accessing the stored chat logs (i.e., Credentials In Files), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation (Citation: Slack Security Risks).

Platforms

SaaS, Office Suite

Mitigations (2)

Audit (M1047)

Preemptively search through communication services to find shared unsecured credentials. Search for common patterns like "password is " and "password=" and take action to reduce exposure when a match is found.
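One way to run the audit described above, as an added example that is not part of the MITRE ATT&CK page or any vendor tool: a small Python scanner that walks an export of chat messages, looks for the two patterns the mitigation names ("password is ", "password=") plus a few other credential shapes commonly pasted into chat, ignores ordinary phrases such as "password is wrong", and reports only a masked value so the audit report itself does not become another copy of the secret. The export record shape (channel, user, text), the extra regexes, the stop-word list and the sample messages are all assumptions constructed for this example; the AWS key shown is the documented placeholder value from AWS's own examples, not a real credential.

```python
"""Audit helper: scan exported chat messages for credential-like strings.

Added example for this page, not MITRE/ATT&CK code. The message format,
regexes, stop-words and sample data below are assumptions / constructed.
"""
import re
from dataclasses import dataclass

# Words that often follow "password is" in normal conversation and are not
# secrets; candidate values in this set are ignored (assumed list).
NON_SECRET_WORDS = {
    "required", "wrong", "incorrect", "invalid", "expired", "reset", "changed",
    "the", "a", "not", "too", "empty", "missing", "redacted", "<redacted>",
    "xxx", "xxxx", "*****", "hidden",
}

# (kind, regex); group 1 is the candidate secret. The first two mirror the
# patterns named in the mitigation text; the rest are assumed extra shapes.
PATTERNS = [
    ("password", re.compile(r"\bpass(?:word|wd)?\s+is\s*[:=]?\s*(\S+)", re.I)),
    ("password", re.compile(r"\bpass(?:word|wd)?\s*[:=]\s*(\S+)", re.I)),
    ("api_key", re.compile(
        r"\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+]{8,})", re.I)),
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("bearer_token", re.compile(r"\bBearer\s+([A-Za-z0-9_\-.=]{16,})", re.I)),
]

TRAILING_PUNCT = "'\"`,;.)"


@dataclass(frozen=True)
class Finding:
    channel: str
    user: str
    kind: str
    redacted: str  # masked value: the real secret never goes into the report


def redact(value: str) -> str:
    """Keep two leading characters so the owner can recognise it, mask the rest."""
    if len(value) <= 2:
        return "**"
    return value[:2] + "*" * min(len(value) - 2, 12)


def scan_text(text: str):
    """Yield (kind, candidate) pairs for one message body, de-duplicated."""
    seen = set()
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            cand = m.group(1).strip(TRAILING_PUNCT)
            # Skip conversational non-secrets and implausibly short values.
            if cand.lower() in NON_SECRET_WORDS or len(cand) < 4:
                continue
            if (kind, cand) not in seen:
                seen.add((kind, cand))
                yield kind, cand


def scan_messages(messages):
    """Scan a list of {"channel", "user", "text"} dicts (assumed export shape)."""
    findings = []
    for msg in messages:
        for kind, cand in scan_text(msg.get("text", "")):
            findings.append(Finding(msg["channel"], msg["user"], kind, redact(cand)))
    return findings


def findings_by_channel(findings):
    """Count findings per channel so the noisiest channels are handled first."""
    counts = {}
    for f in findings:
        counts[f.channel] = counts.get(f.channel, 0) + 1
    return counts


# Constructed sample export; the AKIA... value is AWS's documented example key.
SAMPLE_MESSAGES = [
    {"channel": "#devops", "user": "alice",
     "text": "the staging db password is Summer2024! please rotate after use"},
    {"channel": "#devops", "user": "bob",
     "text": "login works now, password=Tr0ub4dor&3 for the jenkins svc account"},
    {"channel": "#support", "user": "carol",
     "text": "the customer says their password is wrong, can someone check"},
    {"channel": "#infra", "user": "dave",
     "text": "aws creds for the lab: AKIAIOSFODNN7EXAMPLE / token=wJalrXUtnFEMI/K7MDENG"},
    {"channel": "#general", "user": "erin",
     "text": "reminder: never paste secrets here, use the vault instead"},
]

if __name__ == "__main__":
    results = scan_messages(SAMPLE_MESSAGES)
    for f in results:
        print(f"{f.channel:10} {f.user:8} {f.kind:18} {f.redacted}")
    print(findings_by_channel(results))
```

In practice the message list would come from the platform's export or audit API rather than the inline sample, and each finding should trigger rotation of the exposed credential and removal of the message, since masking in the report does not remove the original from the channel.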

User Training (M1017)

Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services.

Threat Groups (1)

ID | Group | Context
G1004 | [LAPSUS$](https://attack.mitre.org/groups/G1004) | LAPSUS$ has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for ...

Frequently Asked Questions

What is T1552.008 (Chat Messages)?

T1552.008 is a MITRE ATT&CK sub-technique named 'Chat Messages'. It belongs to the Credential Access tactic. Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, c...

How can T1552.008 be detected?

Detection of T1552.008 (Chat Messages) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1552.008?

There are 2 documented mitigations for T1552.008. Key mitigations include: Audit, User Training.

Which threat groups use T1552.008?

Known threat groups using T1552.008 include: LAPSUS$.