Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0310: Analytic 0310

Detection monitors SaaS collaboration tools (e.g., Slack, Zoom, Jira) for messages or files containing credential-like patterns, or for suspicious API calls retrieving bulk chat histories by non-admin users. Identifies adversary behavior chains where chat logs are queried via APIs or integration bots to systematically extract sensitive material.

EnterpriseAN0310AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because SaaS collaboration tools often become informal knowledge bases where credentials, tokens, configuration details, and incident context may be shared. The supplied ATT&CK object focuses on monitoring tools such as Slack, Zoom, and Jira for credential-like content and suspicious bulk retrieval of chat history by non-admin users. For leaders, the decision point is whether collaboration platforms are treated as security-relevant data stores, not just productivity tools.

Executive priority

Prioritize this as a SaaS data exposure and incident-readiness issue. If sensitive material exists in chat or ticketing history, adversaries or misused integrations may be able to retrieve it at scale. Executives should ask whether collaboration platforms are covered by logging, access review, retention policy, DLP-style monitoring, and incident response playbooks. This also supports compliance evidence by showing whether the organization can detect inappropriate access to sensitive communications and files.

Technical view

SOC and detection teams should validate whether SaaS audit logs, API activity, file/message inspection events, and integration bot activity are available for collaboration platforms. The analytic is most relevant to SaaS environments and looks for two broad conditions: credential-like patterns in messages or files, and suspicious API calls that retrieve bulk chat histories by non-admin users. IR teams should be prepared to scope which users, bots, integrations, channels, files, and time ranges were accessed if such behavior is observed.

Likely telemetry

  • SaaS audit logs from collaboration platforms such as Slack, Zoom, or Jira where available
  • API request logs showing chat history, message, file, or export retrieval activity
  • User identity and role context, especially admin versus non-admin status
  • Integration bot and application activity logs
  • Message and file content inspection or DLP-style findings for credential-like patterns

Detection direction

  • Confirm that logging captures API-based bulk retrieval of chat histories, not only interactive user logins.
  • Baseline expected administrative exports, eDiscovery workflows, compliance archiving, search indexing, and approved integration bot behavior to reduce false positives.
  • Tune for non-admin users or integrations retrieving unusually large volumes of messages, files, channels, or historical content.
  • Validate whether credential-like pattern detection is enabled for collaboration messages and uploaded files, while accounting for test data, code snippets, and legitimate operational runbooks.
  • Correlate SaaS API activity with identity context and integration ownership so alerts identify whether the actor is a human user, approved app, or bot.

Mitigation priorities

  • Reduce sensitive material in collaboration tools through policy, user guidance, and secret-handling procedures.
  • Review SaaS roles, app permissions, bot scopes, and integration ownership to limit unnecessary access to historical messages and files.
  • Enable and retain SaaS audit logs sufficient for investigation of chat history and file retrieval activity.
  • Use DLP or content inspection capabilities where appropriate to identify credential-like material in messages and files.
  • Establish incident response procedures for suspected SaaS collaboration data exposure, including token rotation, app disablement, user review, and scoping of accessed content.
Analyst notes and limits

The supplied object is a detection analytic, not a technique or malware description. It provides a SaaS platform scope and a concise description of the behavior, but no tactic, relationship context, or official detection logic. The most useful defensive interpretation is to treat collaboration SaaS as a high-value evidence and exposure surface requiring telemetry, access governance, and response planning.

No official detection field, tactics, relationships, procedures, or adversary examples were supplied. This take does not claim active exploitation, attribution, impact, or guaranteed detection coverage. Local platform capabilities, licensing, retention, privacy constraints, and integration architecture will determine what can actually be monitored.

Official MITRE ATT&CK definition

Analytic 0310

Detection monitors SaaS collaboration tools (e.g., Slack, Zoom, Jira) for messages or files containing credential-like patterns, or for suspicious API calls retrieving bulk chat histories by non-admin users. Identifies adversary behavior chains where chat logs are queried via APIs or integration bots to systematically extract sensitive material.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d3934780a4614abe...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle d3934780a461…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0310
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use