Slack login with unexpected user email
Description
AlphaSOC detected a login to Slack using an email address that has not been previously observed in the workspace. This may indicate the presence of an unauthorized user.
Impact
Unauthorized access to Slack can expose sensitive communications, files, and data shared within workspaces. Adversaries may exploit this to harvest information, distribute malicious content, or conduct social engineering attacks.
Severity
| Severity | Condition |
|---|---|
| Medium | Login with unexpected user email into the Slack workspace |
Investigation and Remediation
Review Slack audit logs to identify the source IP, device, and any actions taken by the account. Compare the login patterns with expected user behavior and authorized email domains. Force password resets for affected accounts, enable two-factor authentication, and review workspace permissions.
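The review described above can be scripted against exported audit log entries. The following is an added example, not AlphaSOC's detection logic: it flags `user_login` events whose email is missing from a baseline and attaches the source IP, user agent, and later actions by the same account. Field names follow the Slack Audit Logs API; the sample records, baseline, and authorized domain list are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample records using Slack Audit Logs API field names.
def make_entry(ts, action, uid, email, ip):
    return {"date_create": ts, "action": action,
            "actor": {"type": "user", "user": {"id": uid, "email": email}},
            "context": {"ip_address": ip, "ua": "Mozilla/5.0 (constructed)"}}

SAMPLE_ENTRIES = [
    make_entry(1700000000, "user_login", "U0001", "alice@example.com", "198.51.100.10"),
    make_entry(1700000100, "user_login", "U0002", "Mallory@Unknown.test", "203.0.113.7"),
    make_entry(1700000200, "file_downloaded", "U0002", "Mallory@Unknown.test", "203.0.113.7"),
    make_entry(1700000300, "user_login", "U0003", "bob@example.com", "198.51.100.11"),
    make_entry(1700000400, "user_login", "U0002", "mallory@unknown.test", "203.0.113.7"),
]
KNOWN_EMAILS = {"Alice@example.com"}   # assumed baseline of previously observed emails
AUTHORIZED_DOMAINS = {"example.com"}   # assumed list of authorized email domains

def triage_logins(entries, known_emails, authorized_domains):
    """Flag user_login events whose email is absent from the baseline and
    attach source IP, user agent, and the account's subsequent actions."""
    seen = {e.lower() for e in known_emails}  # emails compared case-insensitively
    ordered = sorted(entries, key=lambda e: e["date_create"])
    findings = []
    for i, entry in enumerate(ordered):
        user = entry.get("actor", {}).get("user", {})
        email = (user.get("email") or "").strip().lower()
        if entry.get("action") != "user_login" or not email or email in seen:
            continue
        seen.add(email)  # report each new email once, at its first login
        ctx = entry.get("context", {})
        later = [e["action"] for e in ordered[i + 1:]
                 if e.get("actor", {}).get("user", {}).get("id") == user.get("id")]
        findings.append({
            "email": email,
            "first_seen": datetime.fromtimestamp(entry["date_create"], timezone.utc).isoformat(),
            "source_ip": ctx.get("ip_address"),
            "user_agent": ctx.get("ua"),
            "domain_authorized": email.rpartition("@")[2] in authorized_domains,
            "later_actions": later,
        })
    return findings

if __name__ == "__main__":
    for finding in triage_logins(SAMPLE_ENTRIES, KNOWN_EMAILS, AUTHORIZED_DOMAINS):
        print(finding)
```

A finding with `domain_authorized` set to false and a non-empty `later_actions` list is the one to review first; a new email on an authorized domain is more likely a recently onboarded user.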
Known False Positives
- Contractors or partners joining the workspace with external emails