Slack API calls by a malicious caller
Description
AlphaSOC detected Slack API calls from a caller it assesses as likely malicious, for example a caller whose source address is a Tor exit node. The caller may be a compromised user account or an app or bot token. This finding indicates that Slack's file sharing and messaging features may be used to distribute malware or phishing links, or that the workspace is being accessed through the Tor network. Adversaries may use Slack's communication features to target users and deliver malicious content while hiding their identity behind anonymization networks.
Impact
Threat actors can compromise user credentials, distribute malware, and gain unauthorized access to sensitive company data through Slack. Access through Tor hides the adversary's true source address and identity, which complicates attribution and IP-based blocking and lets an attacker holding valid credentials or tokens keep using them for longer before being noticed.
Severity
| Severity | Condition |
|---|---|
| Medium | Suspicious Slack activity with potential malware distribution or Tor usage |
Investigation and Remediation
Review Slack audit logs (or access logs on plans without the Audit Logs API) to identify the caller's source IP addresses, user agents, actions, uploaded and shared files, and the channels and users contacted; note that the same account may also have legitimate sessions from non-Tor addresses. Block suspicious links and remove confirmed malicious files. Reset credentials and invalidate active sessions for any potentially compromised accounts, and revoke app or bot tokens whose calls originated from Tor exit nodes. Implement additional authentication controls (SSO with MFA) and restrict file sharing permissions. Because Slack is a hosted service, blocking Tor exit nodes on your organization's network does not stop a caller on Tor from reaching Slack directly; use Slack's IP allowlisting where your plan supports it, or conditional access policies in your identity provider, to restrict where sessions and API calls may originate.
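The following is an added example of the audit-log review described above; it is not AlphaSOC's detection logic or Slack's code. It groups audit-log entries by actor, flags actors with any action sourced from a Tor exit address, and lists the files and channels involved. The entry layout follows the Slack Audit Logs API (`action`, `actor`, `entity`, `context.ip_address`), but the entries, user IDs, file names and the Tor exit set are all constructed for illustration; in practice the exit list comes from a maintained feed.

```python
"""Triage Slack audit-log entries for a caller operating from a Tor exit node.

Added example, not AlphaSOC's or Slack's code. Field names follow the Slack
Audit Logs API; every value below is constructed sample data.
"""
import json
from collections import Counter, defaultdict

# Constructed Tor exit set (TEST-NET addresses). Load from a real feed in practice.
TOR_EXITS = {"198.51.100.23", "198.51.100.77"}

# File types an attacker would typically upload to deliver malware (assumed list).
RISKY_TYPES = {"exe", "scr", "hta", "js", "vbs", "lnk", "iso"}

# Constructed audit log: one JSON entry per line, as exported from the Audit Logs API.
SAMPLE_AUDIT_LOG = r'''
{"id":"e1","date_create":1700000000,"action":"user_login","actor":{"type":"user","user":{"id":"W0EXAMPLE1","name":"j.doe","email":"j.doe@example.com"}},"entity":{"type":"user","user":{"id":"W0EXAMPLE1","name":"j.doe"}},"context":{"location":{"type":"workspace","id":"T0EXAMPLE","name":"example"},"ua":"Mozilla/5.0","ip_address":"198.51.100.23"}}
{"id":"e2","date_create":1700000060,"action":"file_uploaded","actor":{"type":"user","user":{"id":"W0EXAMPLE1","name":"j.doe","email":"j.doe@example.com"}},"entity":{"type":"file","file":{"id":"F0EX1","name":"invoice.pdf.exe","filetype":"exe"}},"context":{"location":{"type":"workspace","id":"T0EXAMPLE","name":"example"},"ua":"Mozilla/5.0","ip_address":"198.51.100.23"}}
{"id":"e3","date_create":1700000120,"action":"file_shared","actor":{"type":"user","user":{"id":"W0EXAMPLE1","name":"j.doe","email":"j.doe@example.com"}},"entity":{"type":"file","file":{"id":"F0EX1","name":"invoice.pdf.exe","filetype":"exe"}},"context":{"location":{"type":"channel","id":"C0EXGEN","name":"general"},"ua":"Mozilla/5.0","ip_address":"198.51.100.23"}}
{"id":"e4","date_create":1700000180,"action":"file_uploaded","actor":{"type":"user","user":{"id":"W0EXAMPLE2","name":"a.smith","email":"a.smith@example.com"}},"entity":{"type":"file","file":{"id":"F0EX2","name":"q3-report.pdf","filetype":"pdf"}},"context":{"location":{"type":"workspace","id":"T0EXAMPLE","name":"example"},"ua":"Mozilla/5.0","ip_address":"203.0.113.5"}}
{"id":"e5","date_create":1700000240,"action":"user_login","actor":{"type":"user","user":{"id":"W0EXAMPLE1","name":"j.doe","email":"j.doe@example.com"}},"entity":{"type":"user","user":{"id":"W0EXAMPLE1","name":"j.doe"}},"context":{"location":{"type":"workspace","id":"T0EXAMPLE","name":"example"},"ua":"Slack/4.35 (Windows)","ip_address":"203.0.113.9"}}
'''


def parse_audit_log(text):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_id(entry):
    """Return the acting user's ID; other actor types are prefixed with their type."""
    actor = entry.get("actor", {})
    uid = actor.get("user", {}).get("id", "?")
    return uid if actor.get("type") == "user" else f"{actor.get('type')}:{uid}"


def triage(entries, tor_exits):
    """Group entries by actor and record IPs, Tor-sourced IPs, actions, files and targets.

    Returns {actor_id: {"ips", "tor_ips", "actions", "files", "targets"}}.
    """
    summary = defaultdict(lambda: {
        "ips": set(), "tor_ips": set(), "actions": Counter(), "files": set(), "targets": set(),
    })
    for entry in entries:
        s = summary[actor_id(entry)]
        ctx = entry.get("context", {})
        ip = ctx.get("ip_address")
        if ip:
            s["ips"].add(ip)
            if ip in tor_exits:
                s["tor_ips"].add(ip)
        s["actions"][entry["action"]] += 1
        ent = entry.get("entity", {})
        if ent.get("type") == "file":
            f = ent["file"]
            s["files"].add((f.get("name", f["id"]), f.get("filetype", "")))
        # Share destinations show up as channel locations in the entry context.
        loc = ctx.get("location", {})
        if loc.get("type") == "channel":
            s["targets"].add(loc.get("name") or loc.get("id"))
    return dict(summary)


def tor_callers(summary):
    """Actors with at least one action sourced from a Tor exit address."""
    return sorted(a for a, s in summary.items() if s["tor_ips"])


def risky_uploads(summary):
    """Per actor, file names whose declared type or final extension is executable."""
    out = {}
    for a, s in summary.items():
        names = sorted(
            name for name, ftype in s["files"]
            if ftype.lower() in RISKY_TYPES or name.rsplit(".", 1)[-1].lower() in RISKY_TYPES
        )
        if names:
            out[a] = names
    return out


if __name__ == "__main__":
    summary = triage(parse_audit_log(SAMPLE_AUDIT_LOG), TOR_EXITS)
    for a in tor_callers(summary):
        s = summary[a]
        print(a, "tor_ips=", sorted(s["tor_ips"]), "all_ips=", sorted(s["ips"]))
        print("  actions:", dict(s["actions"]), "targets:", sorted(s["targets"]))
        print("  risky files:", risky_uploads(summary).get(a, []))
```

The per-actor summary is what the remediation step needs: the full IP set shows whether the account also has normal sessions (a sign of credential compromise rather than an attacker-owned account), the target channels tell you where shared files must be removed from, and the action counter separates logins from uploads and shares.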