Several unsuccessful Slack login attempts indicating brute force activity
Description
AlphaSOC detected multiple failed login attempts to the Slack platform within a short period of time, indicating potential brute force activity. Adversaries use automated tools to systematically test credentials and gain unauthorized access to cloud services or enterprise environments.
Impact
Successful brute force attacks may lead to unauthorized access of Slack channels, direct messages, and files. Compromised accounts allow threat actors to access sensitive company communications and harvest employee information. Adversaries can download shared files, send malicious content to other users, and compromise connected third-party applications.
Severity
| Severity | Condition |
|---|---|
| Medium | Multiple unsuccessful Slack login attempts within a short time frame |
Investigation and Remediation
Review Slack audit logs to identify the source IP addresses and targeted accounts. Enable multi-factor authentication for all users if not already implemented. Reset passwords for affected accounts and investigate any successful logins from suspicious IP addresses. Check for unauthorized workspace invites or channel creation. Audit third-party app integrations for suspicious changes.
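
The audit log review described above can be scripted over exported entries. The following is an added example, not AlphaSOC's detection logic: it groups failed logins by source IP in a sliding window, lists the targeted accounts, and notes any successful login from the same IP after the burst. The field names and the `user_login_failed` / `user_login` action names are assumed to match the Slack Audit Logs entry format, and the window, threshold and sample entries are constructed.

```python
from collections import defaultdict, deque

# Assumed tuning values; the page gives no numeric threshold or window.
WINDOW_SECONDS, THRESHOLD = 300, 5

def find_bursts(entries, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map each flagged source IP to targeted accounts, peak failures per
    window, and accounts that logged in from that IP after it was flagged."""
    recent = defaultdict(deque)   # ip -> (timestamp, email) failures still in window
    flagged = {}                  # ip -> finding under construction
    for e in sorted(entries, key=lambda e: e["date_create"]):
        ip = e.get("context", {}).get("ip_address")
        if ip is None:
            continue
        ts = e["date_create"]
        email = e.get("actor", {}).get("user", {}).get("email", "unknown")
        if e["action"] == "user_login_failed":
            q = recent[ip]
            q.append((ts, email))
            while ts - q[0][0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = flagged.setdefault(ip, {"accounts": set(), "peak": 0, "succeeded": set()})
                f["accounts"].update(a for _, a in q)
                f["peak"] = max(f["peak"], len(q))
        elif e["action"] == "user_login" and ip in flagged:
            flagged[ip]["succeeded"].add(email)   # candidate compromised account
    return {ip: {"accounts": sorted(f["accounts"]), "peak": f["peak"],
                 "succeeded": sorted(f["succeeded"])} for ip, f in flagged.items()}

def entry(ts, action, user, ip):
    """Build a constructed entry in the assumed audit log shape."""
    return {"date_create": ts, "action": action,
            "actor": {"type": "user", "user": {"email": user + "@example.com"}},
            "context": {"ip_address": ip}}

T0 = 1700000000
SAMPLE = (  # constructed data using documentation IP ranges
    # six failures in 100 s against two accounts, then a success
    [entry(T0 + 20 * i, "user_login_failed", ("alice", "bob")[i % 2], "203.0.113.7") for i in range(6)]
    + [entry(T0 + 150, "user_login", "bob", "203.0.113.7")]
    # a user mistyping a password twice, then logging in
    + [entry(T0 + 10 * i, "user_login_failed", "carol", "198.51.100.20") for i in range(2)]
    + [entry(T0 + 30, "user_login", "carol", "198.51.100.20")]
    # five failures spread 10 minutes apart: never five inside one window
    + [entry(T0 + 600 * i, "user_login_failed", "dave", "192.0.2.44") for i in range(5)]
)

if __name__ == "__main__":
    for ip, finding in find_bursts(SAMPLE).items():
        print(ip, finding)
```

Accounts listed under `succeeded` are the ones to prioritise for password resets and session review; slow attempts such as the third sample source stay under this window and need a longer one to surface.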