MITRE ATT&CK® Analytic

AN1565: Analytic 1565

Atypical access to Slack or Teams conversations via APIs, automation tokens, or bulk message export functionality, particularly after an account takeover or rare sign-in pattern. Often includes mass retrieval of chat history, download of message content, or scraping of workspace/channel metadata.

Enterprise | AN1565 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic focuses on unusual API, automation-token, or bulk-export access to Slack or Microsoft Teams conversations. For leaders, the business issue is that collaboration platforms often contain sensitive operational, customer, legal, engineering, and incident-response context. If an account takeover or rare sign-in is followed by large-scale chat retrieval, the exposure may extend well beyond email or file repositories.

Executive priority

Prioritize this as a cloud/SaaS monitoring and incident-readiness question: do you have enough identity, SaaS audit, and export telemetry to determine whether collaboration data was accessed at scale after suspicious sign-in activity? This matters for breach scoping, regulatory evidence, insider-risk review, executive communications, and continuity planning because chat systems frequently contain decisions and data that are not governed like formal document stores.

Technical view

SOC and IR teams should validate whether Slack or Teams audit sources can show API access, automation token usage, bulk message export activity, mass chat-history retrieval, message-content downloads, and workspace or channel metadata scraping. Because the supplied object has no ATT&CK tactic and no official detection logic, implementation should be based on local baselines: rare users, rare applications/tokens, unusual volumes, abnormal timing, new source locations, and correlation with account takeover or rare sign-in indicators.

Likely telemetry

  • Slack or Teams audit logs for API activity and message export events
  • Identity provider sign-in logs, including rare sign-ins and account takeover indicators
  • OAuth application, automation token, or bot token activity records
  • SaaS admin logs for workspace, channel, and export configuration access
  • Data access volume metrics for message retrieval, downloads, or metadata enumeration

Detection direction

  • Baseline normal Slack or Teams API and export behavior by user, role, application, token, workspace, and channel.
  • Alert on mass retrieval of chat history, message-content downloads, or workspace/channel metadata access when paired with rare sign-in, impossible travel, new device, or other account-risk signals.
  • Tune for legitimate administrative, compliance, eDiscovery, backup, and integration activity to reduce false positives.
  • Review automation tokens and API clients separately from interactive user activity; SaaS abuse may not look like traditional endpoint malware.
  • Confirm log retention is long enough to support incident scoping after delayed discovery.
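The baseline-and-correlate approach described in the Technical view and in the Detection direction list above, as an added example that is not MITRE or Glexia detection logic. The event schema (field names such as user, client, action, messages; action names such as conversation_history_read and workspace_export; the risky flag on sign-ins) is a constructed simplification of a SaaS audit log joined with an identity-provider sign-in log, and the sample events are constructed; map the fields onto the real Slack Audit Logs API or Microsoft 365 audit export in your environment. The thresholds and the eDiscovery allowlist are assumptions standing in for local tuning.

```python
"""Baseline-and-correlate detection for bulk Slack/Teams chat retrieval.

Added example for this page; not MITRE or Glexia detection logic. Event and
sign-in field names are a constructed simplification of real SaaS audit logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

RETRIEVAL_ACTIONS = {"conversation_history_read", "message_download", "channel_list"}
EXPORT_ACTIONS = {"workspace_export"}
APPROVED_EXPORT_CLIENTS = {"ediscovery-connector"}   # assumed tuning allowlist
CORRELATION_WINDOW = timedelta(hours=12)              # risky sign-in look-back
VOLUME_FACTOR = 5.0                                   # burst threshold vs. baseline mean
MIN_MESSAGES = 500                                    # floor for low-activity users


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def baseline(events, train_end):
    """Per user: mean daily retrieval volume and the set of API clients seen
    (for retrieval or export) before train_end."""
    daily = defaultdict(lambda: defaultdict(int))
    clients = defaultdict(set)
    for e in events:
        if e["ts"] >= train_end:
            continue
        if e["action"] in RETRIEVAL_ACTIONS:
            daily[e["user"]][e["ts"].date()] += e["messages"]
        if e["action"] in RETRIEVAL_ACTIONS | EXPORT_ACTIONS:
            clients[e["user"]].add(e["client"])
    return {u: (mean(list(daily[u].values())) if daily[u] else 0.0, clients[u])
            for u in clients}


def risky_signin_before(signins, user, when):
    """Most recent risky sign-in for user inside the look-back window, or None."""
    hits = [s for s in signins if s["user"] == user and s["risky"]
            and when - CORRELATION_WINDOW <= s["ts"] <= when]
    return max(hits, key=lambda s: s["ts"]) if hits else None


def detect(events, signins, train_end):
    """Score post-train_end activity per (user, day, client) against the baseline.
    Severity is 'high' when paired with a risky sign-in, else 'review'."""
    base = baseline(events, train_end)
    agg = defaultdict(lambda: {"messages": 0, "first_ts": None, "export": False})
    for e in sorted(events, key=lambda e: e["ts"]):
        is_export = e["action"] in EXPORT_ACTIONS
        if e["ts"] < train_end or not (is_export or e["action"] in RETRIEVAL_ACTIONS):
            continue
        a = agg[(e["user"], e["ts"].date(), e["client"])]
        a["messages"] += e.get("messages", 0)
        a["export"] = a["export"] or is_export
        a["first_ts"] = a["first_ts"] or e["ts"]

    findings = []
    for (user, day, client), a in agg.items():
        mean_daily, known = base.get(user, (0.0, set()))
        reasons = []
        if a["messages"] > max(MIN_MESSAGES, VOLUME_FACTOR * mean_daily):
            reasons.append(f"volume {a['messages']} vs baseline {mean_daily:.0f}/day")
        if client not in known:
            reasons.append(f"new client {client}")
        if a["export"] and client not in APPROVED_EXPORT_CLIENTS:
            reasons.append("export outside approved workflow")
        if not reasons:
            continue
        signin = risky_signin_before(signins, user, a["first_ts"])
        findings.append({"user": user, "day": str(day), "client": client,
                         "severity": "high" if signin else "review",
                         "reasons": reasons,
                         "signin_signal": signin["signal"] if signin else None})
    return findings


def sample_events():
    """Constructed data: 7 baseline days, then one detection day (2026-03-08)."""
    events, signins = [], []
    for d in range(1, 8):
        day = f"2026-03-{d:02d}"
        events.append({"ts": ts(f"{day} 09:15"), "user": "alice", "client": "slack-web",
                       "action": "conversation_history_read", "messages": 120})
        events.append({"ts": ts(f"{day} 10:40"), "user": "bob", "client": "slack-web",
                       "action": "conversation_history_read", "messages": 80})
        events.append({"ts": ts(f"{day} 02:00"), "user": "compliance-bot",
                       "client": "ediscovery-connector", "action": "workspace_export"})
        signins.append({"ts": ts(f"{day} 10:30"), "user": "bob", "risky": False, "signal": None})
    # Detection day: rare-country sign-in for bob, then a never-seen token bulk-reads history.
    signins.append({"ts": ts("2026-03-08 03:10"), "user": "bob", "risky": True,
                    "signal": "rare_country+new_device"})
    for i in range(12):
        events.append({"ts": ts("2026-03-08 03:20") + timedelta(minutes=4 * i), "user": "bob",
                       "client": "xoxp-token-4f2a", "action": "conversation_history_read",
                       "messages": 500})
    events.append({"ts": ts("2026-03-08 03:25"), "user": "bob", "client": "xoxp-token-4f2a",
                   "action": "channel_list", "messages": 0})
    events.append({"ts": ts("2026-03-08 09:15"), "user": "alice", "client": "slack-web",
                   "action": "conversation_history_read", "messages": 115})
    events.append({"ts": ts("2026-03-08 02:00"), "user": "compliance-bot",
                   "client": "ediscovery-connector", "action": "workspace_export"})
    return events, signins


if __name__ == "__main__":
    ev, si = sample_events()
    for f in detect(ev, si, ts("2026-03-08 00:00")):
        print(f)
```

Run against the constructed data, only bob's 2026-03-08 activity through the unseen token is reported, as a high-severity finding with both a volume and a new-client reason; alice's normal reads and the allowlisted eDiscovery export produce nothing. The aggregation key deliberately separates each API client, so automation tokens are scored apart from interactive use, and the sign-in correlation is what lifts a finding from review to high.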

Mitigation priorities

  • Enforce strong identity controls for SaaS access, including MFA and conditional access where available.
  • Restrict and periodically review API permissions, automation tokens, bot accounts, and export-capable roles.
  • Limit bulk export privileges to approved administrative or compliance workflows with documented approvals.
  • Maintain SaaS audit logging and retention sufficient for incident response and compliance evidence.
  • Prepare IR playbooks for collaboration-platform exposure review, including token revocation, session invalidation, user review, and data-access scoping.

Analyst notes and limits

The object is a detection analytic for SaaS platforms and specifically describes atypical access to Slack or Teams conversations through APIs, automation tokens, or bulk export functionality, especially following account takeover or rare sign-in patterns. No ATT&CK relationships, tactics, aliases, or official detection pseudocode were supplied, so this take emphasizes validation questions and telemetry coverage rather than a specific rule.

This assessment is constrained to the supplied ATT&CK fields and external reference. It does not establish that this behavior is currently occurring, tied to a specific threat actor, or detectable in every environment. Local SaaS licensing, audit-log availability, retention, identity-provider integration, and approved compliance export workflows will determine practical coverage.

Official MITRE ATT&CK definition

Analytic 1565

Atypical access to Slack or Teams conversations via APIs, automation tokens, or bulk message export functionality, particularly after an account takeover or rare sign-in pattern. Often includes mass retrieval of chat history, download of message content, or scraping of workspace/channel metadata.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d3b91eaa88889449...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d3b91eaa8888…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1565 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.