Slack API calls by a malicious caller

ID: slack_malicious_caller
Data type: Slack
Severity: Medium
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected actions by a likely malicious caller in Slack. This finding indicates possible use of file-sharing capabilities to distribute malware or phishing links, or access to the workspace through the Tor network. Adversaries may leverage Slack's communication features to target users and deliver malicious content while potentially hiding their identity through anonymization networks.

Impact

Threat actors can compromise user credentials, distribute malware, and gain unauthorized access to sensitive company data through Slack. Using Tor for access can help adversaries evade detection and maintain persistent access to company resources while hiding their true location and identity.

Severity

Severity  Condition
Medium    Suspicious Slack activity with potential malware distribution or Tor usage

Investigation and Remediation

Review Slack audit logs to identify the caller's activities, shared files, and contacted users. Block suspicious links and remove confirmed malicious files. Reset credentials for any potentially compromised accounts. Implement additional authentication controls and restrict file sharing permissions. Block Tor exit nodes from accessing Slack through your organization's network.
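The triage helper below is an added example, not AlphaSOC's or Slack's own code. It groups Slack Audit Logs API entries by actor, collects the files each actor shared and the source IPs of their sessions, and checks those IPs against a Tor exit-node list. The audit-log entries, the IP addresses, the file names and the exit-node set are all constructed for the example; a real run would pull entries from the Audit Logs API and the current exit-node list from the Tor Project.

```python
"""Triage helper for the slack_malicious_caller finding (added example, not AlphaSOC code)."""
import json
from collections import defaultdict

# Constructed placeholder set; a real run loads the current Tor exit-node list.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Actions that distribute content to other users and so warrant review.
SHARE_ACTIONS = {"file_shared", "file_public_link_created"}

# Constructed sample shaped after Slack Audit Logs API entries (subset of fields).
SAMPLE_AUDIT_LOG = json.dumps({"entries": [
    {"action": "user_login", "actor": {"user": {"id": "U0CALLER1"}},
     "context": {"ip_address": "198.51.100.7"}},
    {"action": "file_shared", "actor": {"user": {"id": "U0CALLER1"}},
     "entity": {"type": "file", "file": {"id": "F0AAA", "name": "invoice.scr"}},
     "context": {"ip_address": "198.51.100.7"}},
    {"action": "file_public_link_created", "actor": {"user": {"id": "U0CALLER1"}},
     "entity": {"type": "file", "file": {"id": "F0BBB", "name": "login-portal.html"}},
     "context": {"ip_address": "192.0.2.10"}},
    {"action": "file_shared", "actor": {"user": {"id": "U0STAFF2"}},
     "entity": {"type": "file", "file": {"id": "F0CCC", "name": "q3-notes.pdf"}},
     "context": {"ip_address": "192.0.2.10"}},
]})


def triage(audit_log_json):
    """Group entries by actor and summarise shared files, source IPs and Tor use."""
    actors = defaultdict(lambda: {"files": [], "ips": set(), "tor_ips": set(), "actions": set()})
    for entry in json.loads(audit_log_json).get("entries", []):
        actor_id = entry.get("actor", {}).get("user", {}).get("id", "unknown")
        summary = actors[actor_id]
        summary["actions"].add(entry.get("action"))
        ip = entry.get("context", {}).get("ip_address")
        if ip:
            summary["ips"].add(ip)
            if ip in TOR_EXIT_NODES:
                summary["tor_ips"].add(ip)
        entity = entry.get("entity", {})
        if entry.get("action") in SHARE_ACTIONS and entity.get("type") == "file":
            summary["files"].append(entity["file"].get("name", entity["file"].get("id")))
    return dict(actors)


def prioritise(actors):
    """Actors to handle first: shared content while any session came from a Tor exit node."""
    return sorted(a for a, s in actors.items() if s["files"] and s["tor_ips"])


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT_LOG)
    for actor in prioritise(result):
        s = result[actor]
        print(f"{actor}: files={s['files']} tor_ips={sorted(s['tor_ips'])} ips={sorted(s['ips'])}")
```

The prioritised actors are the ones whose shared files should be reviewed and removed first and whose credentials should be reset; the remaining actors still appear in the summary for manual review.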