T1213.005: Messaging Applications
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:
* Testing / development credentials (i.e., Chat Messages)
* Source code snippets
* Links to network shares and other internal resources
* Proprietary data[1]
* Discussions about ongoing incident response efforts[2][3]
In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.[4][5]
Analyst context for executives and security teams
Messaging applications such as Teams, Google Chat, and Slack can become high-value information repositories, not just communication tools. If an adversary gains access, chat history may expose development credentials, source code snippets, links to internal resources, proprietary data, or live discussions about incident response. The business risk is that routine collaboration data can help an intruder steal information, improve targeting, or understand how defenders are responding.
Executive priority
Treat messaging platforms as part of the sensitive data and incident-response environment. Leaders should ask whether chat data is governed, audited, retained appropriately, and excluded from compromised-network communications during a security incident. This technique matters for resilience and audit readiness because the deciding controls are often basic but under-validated: SaaS audit logging, identity access review, secure out-of-band communications for incidents, and clear rules on sharing credentials or proprietary material in chat.
Technical view
This is a collection sub-technique under Data from Information Repositories for Office Suite and SaaS platforms. SOC and IR teams should validate visibility into messaging application access, searches, downloads/exports, message reads, file access, link access, external sharing, and administrative or API-based activity where available. Detection should align with DET0567, the related detection strategy for unauthorized collection from messaging applications in SaaS and Office environments. Because the mirrored technique object itself carries no detection text, local platform audit capabilities and identity context are critical.
Likely telemetry
- SaaS and Office Suite audit logs for messaging platforms
- User authentication and session activity, including unusual access patterns
- Message, channel, workspace, or chat search activity where logged
- File access, download, export, and sharing events associated with chat platforms
- Administrative actions, application integrations, and API/token-based access events
Detection direction
- Confirm that messaging platform audit logging is enabled and retained long enough for incident response and compliance needs.
- Baseline normal user access, search, download, and sharing patterns so bulk or unusual collection can be reviewed without excessive false positives.
- Correlate messaging activity with identity signals such as new sessions, anomalous locations, privilege changes, or suspicious OAuth/API use where those logs exist.
- Tune detections for sensitive channels, incident-response rooms, engineering discussions, and locations where credentials or source code snippets are more likely to appear.
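The baseline-and-correlate approach in the list above, as an added example that is not part of the ATT&CK object or this page's original analysis. It reads a constructed, vendor-neutral audit log (fields `ts,user,action,ip,target`; real Slack, Teams and Google Chat records use their own field names), finds the densest one-hour burst of collection events per user, compares it with an assumed per-user baseline, and attaches the identity context the page asks for: whether the source address is new for that account and whether sensitive channels were touched. Baselines, known IPs, action names and channel prefixes are all assumptions for the example.

```python
"""Added example: flag bulk collection from a chat platform's audit log.

Event schema, baselines, known IPs and action names are constructed for
illustration; map real vendor audit fields onto them before reuse.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that read or pull data out of the platform (assumed names).
COLLECTION_ACTIONS = {"search", "file_download", "export", "channel_history"}
# Assumed per-user hourly baselines, e.g. learned from 30 days of history.
BASELINE_PER_HOUR = {"alice": 6, "bob": 4}
DEFAULT_BASELINE = 2
# Assumed known egress addresses per user, taken from prior successful logins.
KNOWN_IPS = {"alice": {"10.1.1.5"}, "bob": {"10.1.1.9"}}
# Channel-name prefixes the page singles out as high value to an intruder.
SENSITIVE_PREFIXES = ("#ir-", "#incident-", "#eng-", "#devops-")


def constructed_events():
    """Constructed CSV audit lines: bob behaves normally; alice's account pulls
    channel history and files far above baseline from an address never seen
    for her before (203.0.113.7 is a documentation range)."""
    t0 = datetime(2024, 6, 1, 9, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=m)).isoformat()},bob,search,10.1.1.9,#general"
             for m in (5, 25, 50)]
    lines.append(f"{t0.isoformat()},alice,login,203.0.113.7,-")
    targets = ["#ir-ransomware", "#eng-backend", "#general", "#random"]
    for i in range(40):  # 40 collection events in about 20 minutes
        ts = (t0 + timedelta(minutes=1 + i * 0.5)).isoformat()
        action = "file_download" if i % 4 == 0 else "channel_history"
        lines.append(f"{ts},alice,{action},203.0.113.7,{targets[i % 4]}")
    return lines


def parse(line):
    """Parse one constructed audit line into a dict with a datetime."""
    ts, user, action, ip, target = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "ip": ip, "target": target}


def find_bulk_collection(events, window=timedelta(hours=1), multiplier=5):
    """Return one finding per user whose densest window of collection events
    exceeds multiplier x that user's hourly baseline, with identity context."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in COLLECTION_ACTIONS:
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        threshold = multiplier * BASELINE_PER_HOUR.get(user, DEFAULT_BASELINE)
        # Sliding window over time-sorted events; keep the densest one.
        best, start = [], 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) <= threshold:
            continue
        ips = {e["ip"] for e in best}
        sensitive = sorted({e["target"] for e in best
                            if e["target"].startswith(SENSITIVE_PREFIXES)})
        findings.append({
            "user": user,
            "events_in_window": len(best),
            "threshold": threshold,
            "new_source_ip": bool(ips - KNOWN_IPS.get(user, set())),
            "sensitive_targets": sensitive,
            "downloads": sum(e["action"] == "file_download" for e in best),
        })
    return findings


if __name__ == "__main__":
    for finding in find_bulk_collection([parse(l) for l in constructed_events()]):
        print(finding)
```

The threshold multiplier and the window are the tuning knobs the page's "baseline normal patterns" bullet refers to; a burst of channel-history reads that also carries a never-seen source address and touches an incident-response channel is the combination worth paging on, while a high count alone from a known address is usually a ticket.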
- Review relationship context: ATT&CK links this technique to groups including Fox Kitten, LAPSUS$, and Scattered Spider, and to TruffleHog as software capable of discovering secrets across data sources; use this only as threat-informed context, not proof of local activity.
Mitigation priorities
- Apply M1047 Audit: ensure messaging applications produce usable logs and that teams systematically review activity and configuration weaknesses.
- Apply M1060 Out-of-Band Communications Channel: maintain a secure communication path for incident response that does not depend on potentially compromised primary chat systems.
- Reduce sensitive material in chat by enforcing policy and review around credentials, proprietary data, source code snippets, internal links, and incident details.
- Restrict access to sensitive channels and workspaces using least privilege and regular access reviews.
- Validate retention, export, and external sharing settings against business, legal, and compliance requirements.
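A practical way to act on the "reduce sensitive material in chat" item, as an added example that is not from the page, ATT&CK, or TruffleHog: a scanner over exported chat messages that looks for the kinds of content the technique description lists (credentials, key material, UNC paths to network shares) using a few well-known secret formats plus a generic entropy check, and reports redacted previews so the report itself does not become a second copy of the secret. The messages are constructed; the AWS key is AWS's own documented example value, the entropy threshold is an assumed tuning value, and the pattern set is a starting point to extend.

```python
"""Added example: find credential-like material in exported chat messages.

Messages are constructed. Patterns cover a few well-known formats and a
generic high-entropy check; extend them for your own environment.
"""
import math
import re

# Named patterns for known secret and resource formats.
NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "unc_share_path": re.compile(r"\\\\[A-Za-z0-9_.-]+\\[A-Za-z0-9_$.-]+"),
}
# Generic candidate for the entropy check: 20+ base64/url-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value


def shannon_entropy(s):
    """Bits of entropy per character in s (0.0 for an empty string)."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())


def redact(s):
    """Show only enough of a match to locate it, never the whole value."""
    return s[:4] + "..." + s[-2:] if len(s) > 8 else "***"


def scan_message(msg):
    """Return findings for one message dict with keys id, channel, text."""
    findings, covered = [], []
    for kind, pat in NAMED_PATTERNS.items():
        for m in pat.finditer(msg["text"]):
            findings.append({"msg_id": msg["id"], "channel": msg["channel"],
                             "kind": kind, "preview": redact(m.group(0))})
            covered.append(m.span())
    for m in TOKEN_RE.finditer(msg["text"]):
        # Skip tokens already explained by a named pattern.
        if any(a <= m.start() and m.end() <= b for a, b in covered):
            continue
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            findings.append({"msg_id": msg["id"], "channel": msg["channel"],
                             "kind": "high_entropy_token",
                             "preview": redact(m.group(0))})
    return findings


def scan_messages(messages):
    """Scan a list of message dicts and flatten the findings."""
    return [f for msg in messages for f in scan_message(msg)]


# Constructed sample messages; the AWS key is AWS's documented example value.
SAMPLE_MESSAGES = [
    {"id": 1, "channel": "#eng-backend",
     "text": "use AKIAIOSFODNN7EXAMPLE for the staging bucket"},
    {"id": 2, "channel": "#eng-backend", "text": "ci token: ghp_" + "a1B2" * 9},
    {"id": 3, "channel": "#devops", "text": "staging db password: Summer2024!"},
    {"id": 4, "channel": "#general", "text": "lunch at 12:30, meeting room 4"},
    {"id": 5, "channel": "#ir-ransomware",
     "text": r"isolate \\fs01\eng$ until forensics is done"},
    {"id": 6, "channel": "#random",
     "text": "api secret is Q7xT2vL9mN4pR8kW1zB6cF3jH5 rotate later"},
    {"id": 7, "channel": "#devops", "text": "-----BEGIN RSA PRIVATE KEY-----"},
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

Findings like these are triage input, not proof of exposure: the next step is to confirm whether the value is live, rotate it, and remove or edit the message, and the scan output should itself be handled as sensitive since it points directly at where secrets sit in chat history.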
Analyst notes and limits
The key defensive question is whether the organization treats collaboration chat as a monitored information repository. For many environments, the largest blind spot is not lack of a detection rule but lack of reliable SaaS audit logs, unclear ownership of chat governance, and use of normal chat rooms during active incident response.
The supplied ATT&CK object has no official detection text. Platform-specific log fields, alert logic, and retention options vary by messaging provider and tenant configuration, so local evidence is required before assessing coverage or residual risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1213 | Data from Information Repositories | This object is a sub-technique of Data from Information Repositories. |
Groups, software, and campaigns
G0117: Fox Kitten
Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[1][2][3][4]
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and has used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]
G1004: LAPSUS$
LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
S9009: TruffleHog
TruffleHog is an open-source secrets-discovery tool used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.[1][2] TruffleHog can discover credentials and secrets stored in code repositories, git history, and CI/CD pipelines, as well as in other common storage locations such as filesystems and cloud storage buckets.[1][3][2] TruffleHog was first released by its author in 2016.[2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4a5aa779614b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Keza MacDonald, Keith Stuart and Alex Hern. (2022, September 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen? The Guardian. Retrieved August 30, 2024.
[2] Joe Uchill. (2021, December 3). Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms. SC Magazine. Retrieved August 30, 2024.
[3] Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.
[4] Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI. SentinelLabs. Retrieved August 30, 2024.
[5] Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Permiso. Retrieved September 25, 2023.
[6] MITRE ATT&CK. T1213.005: Messaging Applications.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.