MITRE ATT&CK® Technique

T1552.008: Chat Messages

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.

Rather than accessing the stored chat logs (i.e., Credentials In Files), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation [1].

Enterprise · T1552.008 · Sub-technique · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Chat Messages (T1552.008) matters because business communication tools can become an informal credential store. If users paste passwords, API keys, tokens, or other secrets into SaaS chat, office, or collaboration services, an adversary with access to an endpoint, service backend, admin portal, or compromised workflow/integration may be able to collect those credentials and use them for follow-on access.

Executive priority

Treat this as an identity, SaaS governance, and audit-readiness issue—not just a user behavior problem. Leaders should ask whether the organization can prove that secrets are not routinely shared in chat channels, whether chat and collaboration platforms are audited, and whether security teams can investigate exposed credentials quickly enough to reduce lateral movement or privilege escalation risk. The relationship to User Training and Audit makes this a practical control-prioritization area for compliance evidence and incident response readiness.

Technical view

This is a credential-access sub-technique under Unsecured Credentials and applies to SaaS and Office Suite platforms. SOC, detection engineering, and IR teams should validate whether they can identify credentials shared in communication services such as chat, email, Jira/Trello-style collaboration spaces, and workflow/integration content. Because ATT&CK provides no official detection text, local detection should be built around the related detection strategy DET0111: detecting unsecured credentials shared in chat messages. Teams should also account for access paths described by ATT&CK: user endpoints, servers hosting the service, cloud administrator portals, and compromised integrations such as Slack Workflows.

Likely telemetry

  • SaaS chat and collaboration message audit logs where available
  • Office suite and email audit events relevant to message access and search
  • Cloud admin portal activity for communication platforms
  • Endpoint evidence of local chat or collaboration client access
  • Workflow, automation, and integration execution logs for chat platforms

Detection direction

  • Validate whether DET0111-style detections exist for secrets in chat messages and collaboration content.
  • Tune secret detection for common credential formats such as passwords, API keys, and authentication tokens while managing false positives from examples, test data, and security training content.
  • Check blind spots in private channels, direct messages, archived content, third-party collaboration tools, and workflow/integration outputs.
  • Correlate exposed-secret findings with identity activity to determine whether credentials may have been abused for follow-on access.
  • Confirm whether audit retention and search permissions are sufficient for incident response without assuming every SaaS platform exposes the same telemetry.
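The detection direction above, as an added worked example that is not code from the page or from Glexia: a Python triage routine that scans a constructed chat-message export for a few well-known public credential formats, suppresses the false-positive sources the page names (training channels, "example only" markers, placeholder values), masks anything it keeps so the secret is not re-exposed in a ticket, and correlates each hit with constructed identity events that used the same credential after it was posted. The message and event field names (`ts`, `channel`, `text`, `credential_id`), the training-channel allowlist and every sample value are assumptions rather than any vendor's schema; the AWS access key ID and GitHub token patterns are public formats, and the observation that only some credential types ever appear in identity logs is what the correlation step is meant to surface.

```python
"""Triage credential-like strings in a chat/collaboration message export.
Added example; all sample data below is constructed."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed message export (generic field names, not a vendor schema).
SAMPLE_MESSAGES = [
    {"ts": "2024-05-02T09:14:00Z", "channel": "#ops-private", "user": "alice",
     "text": "here is the prod key: AKIAEXAMPLE000000001 for the migration"},
    {"ts": "2024-05-02T09:20:00Z", "channel": "#sec-training", "user": "bob",
     "text": "example only: password=hunter2 is what NOT to do"},
    {"ts": "2024-05-02T10:05:00Z", "channel": "dm:carol-dave", "user": "carol",
     "text": "token ghp_abcdefghijklmnopqrstuvwxyz0123456789 for the CI bot"},
    {"ts": "2024-05-02T11:00:00Z", "channel": "#general", "user": "erin",
     "text": "lunch at noon?"},
]

# Constructed identity events keyed by a credential identifier. An AWS access
# key ID does show up in CloudTrail as accessKeyId; most bearer tokens never
# appear in any log, so those findings will correlate to nothing (a blind spot).
SAMPLE_IDENTITY_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "credential_id": "AKIAEXAMPLE000000001", "src": "198.51.100.4"},
    {"ts": "2024-05-02T09:40:00Z", "credential_id": "AKIAEXAMPLE000000001", "src": "203.0.113.9"},
]

# Public, well-known credential formats; a real deployment loads a maintained ruleset.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}

# Assumed local allowlists for the false-positive sources the page names.
TRAINING_CHANNELS = {"#sec-training"}
FP_MARKERS = re.compile(r"(?i)\b(example only|dummy|placeholder|redacted)\b")
PLACEHOLDER_VALUE = re.compile(r"^(<.*>|x+|\*+|changeme)$", re.I)


@dataclass
class Finding:
    ts: str
    channel: str
    user: str
    kind: str
    masked_secret: str
    secret: str = field(repr=False)  # kept for correlation only, never logged
    suppressed: bool = False
    reason: str = ""
    identity_events: list = field(default_factory=list)


def mask(secret: str) -> str:
    """Keep enough to recognise the credential in a ticket without re-exposing it."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "*" * len(secret)


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan_messages(messages, training_channels=TRAINING_CHANNELS):
    """One Finding per credential-like match, flagged when it sits in training/example context."""
    findings = []
    for msg in messages:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(msg["text"]):
                secret = m.group(1) if m.groups() else m.group(0)
                if PLACEHOLDER_VALUE.match(secret):
                    continue  # "password=<your-password>" style documentation, not a leak
                f = Finding(msg["ts"], msg["channel"], msg["user"], kind, mask(secret), secret)
                if msg["channel"] in training_channels:
                    f.suppressed, f.reason = True, "training channel"
                elif FP_MARKERS.search(msg["text"]):
                    f.suppressed, f.reason = True, "example marker in text"
                findings.append(f)
    return findings


def correlate(findings, identity_events, window_hours=24):
    """Attach identity events that used the exposed credential after it was posted."""
    for f in findings:
        posted = parse_ts(f.ts)
        for ev in identity_events:
            used = parse_ts(ev["ts"])
            if ev["credential_id"] == f.secret and posted <= used <= posted + timedelta(hours=window_hours):
                f.identity_events.append(ev)
    return findings


def triage(messages, identity_events):
    """Split findings into those needing revocation/rotation and suppressed ones."""
    findings = correlate(scan_messages(messages), identity_events)
    return ([f for f in findings if not f.suppressed],
            [f for f in findings if f.suppressed])
```

Calling `triage(SAMPLE_MESSAGES, SAMPLE_IDENTITY_EVENTS)` returns two active findings (the AWS key ID, which correlates to one API call 26 minutes after it was posted, and the GitHub token, which correlates to nothing because that token type never appears in identity logs) and one suppressed finding from the training channel. The active list is the natural input to the revoke-or-rotate process; the suppressed list should still be sampled periodically, since a genuine leak in a training channel is suppressed by the same rule.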

Mitigation priorities

  • Prioritize user training that explicitly discourages sharing passwords, API keys, and tokens in chat or collaboration tools.
  • Implement and regularly review auditing for communication and collaboration services, including admin access and workflow/integration activity.
  • Establish an operational process to revoke or rotate credentials found in messages.
  • Reduce reliance on shared static secrets where possible through approved identity and access management practices.
  • Use audit results to demonstrate compliance readiness and to identify teams or workflows that need targeted remediation.

Analyst notes and limits

ATT&CK identifies this as a credential-access behavior and notes that LAPSUS$ uses this technique. That relationship should inform threat-informed validation, but it should not be interpreted as evidence of current targeting or exposure in any specific environment. The most important local question is whether chat and collaboration systems are governed as sensitive credential repositories when users misuse them that way.

The official ATT&CK object does not provide detection guidance, and the relationship context only names DET0111 without detailed logic. Platform scope is limited to SaaS and Office Suite in the supplied fields. Specific products, log schemas, detection rules, and exposure levels require environment-specific validation.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                   Relationship / procedure
Enterprise  T1552  Unsecured Credentials  This object is a sub-technique of Unsecured Credentials.
Associated objects

Groups, software, and campaigns

Group Enterprise

G1004: LAPSUS$

LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 0c537fc1d5ce739f...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  0c537fc1d5ce…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Slack Security Risks. Michael Osakwe. (2020, November 18). 4 SaaS and Slack Security Risks to Consider. Retrieved March 17, 2023.
  2. [2] mitre-attack T1552.008.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.