T1213.005SubTechniquecollection

T1213.005Messaging Applications

Sub-technique of T1213

Platforms: Office Suite · SaaS

ATT&CK version: v19.1

What it is

Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications: * Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008)) * Source code snippets * Links to network shares and other internal resources * Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022) * Discussions about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker 2021)(Citation: Microsoft DEV-0537) In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.(Citation: Sentinel Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)

ATT&CK tactics· 1

Collection

References

  1. https://attack.mitre.org/techniques/T1213/005
  2. https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
  3. https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
  4. https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
  5. https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
  6. https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.
T1213.005: Messaging Applications | SQUR Knowledge Base