Slack SSO restriction changed
Description
AlphaSOC detected changes to Slack single sign-on (SSO) restrictions. SSO enables users to access multiple applications with one set of login credentials, typically managed through a central identity provider. This modification may indicate attempts to bypass authentication controls or modify trusted identity providers used for Slack workspace access.
Impact
Changes to SSO configurations can allow unauthorized access to Slack workspaces, bypassing standard authentication requirements. Threat actors can gain persistent access to sensitive communications, files, and channels while evading detection through legitimate authentication flows.
Severity
| Severity | Condition |
|---|---|
| Low | Slack SSO restriction changed |
Investigation and Remediation
Review Slack audit logs to identify the user who modified SSO settings and the specific changes made. Revert unauthorized changes and enforce proper SSO settings. Review user access during the period of modified SSO settings.
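The review steps above can be scripted against exported audit log entries. This sketch is an added example, not AlphaSOC or Slack code. It assumes records in the Slack Audit Logs entry shape (`date_create`, `action`, `actor`, `context`, `details`) and assumes the action names `pref.sso_setting_changed` and `user_login`. The sample records and their `details` values are constructed.

```python
import json
from datetime import datetime, timezone

# Assumed action names; confirm against the actions your workspace actually logs.
SSO_ACTIONS = {"pref.sso_setting_changed"}
LOGIN_ACTIONS = {"user_login"}

# Constructed sample records in the Slack Audit Logs entry shape (not real data).
SAMPLE = json.loads("""[
 {"date_create": 1700000000, "action": "user_login",
  "actor": {"user": {"id": "U01", "email": "alice@example.com"}},
  "context": {"ip_address": "192.0.2.10"}},
 {"date_create": 1700003600, "action": "pref.sso_setting_changed",
  "actor": {"user": {"id": "U02", "email": "admin@example.com"}},
  "context": {"ip_address": "203.0.113.10"},
  "details": {"previous_value": "required", "new_value": "optional"}},
 {"date_create": 1700007200, "action": "user_login",
  "actor": {"user": {"id": "U03", "email": "bob@example.com"}},
  "context": {"ip_address": "198.51.100.7"}},
 {"date_create": 1700010800, "action": "pref.sso_setting_changed",
  "actor": {"user": {"id": "U04", "email": "secops@example.com"}},
  "context": {"ip_address": "192.0.2.20"},
  "details": {"previous_value": "optional", "new_value": "required"}}
]""")

def summarize(entry):
    """Reduce one audit entry to the fields an analyst needs first."""
    user = entry.get("actor", {}).get("user", {})
    when = datetime.fromtimestamp(entry["date_create"], tz=timezone.utc)
    return {"when": when.isoformat(), "action": entry["action"],
            "who": user.get("email") or user.get("id", "unknown"),
            "ip": entry.get("context", {}).get("ip_address"),
            "details": entry.get("details", {})}

def triage(entries, reverted_at=None):
    """Return SSO changes and the logins seen from the first change until reverted_at."""
    entries = sorted(entries, key=lambda e: e["date_create"])
    changes = [e for e in entries if e["action"] in SSO_ACTIONS]
    if not changes:
        return {"changes": [], "logins_in_window": []}
    start = changes[0]["date_create"]
    end = reverted_at if reverted_at is not None else float("inf")
    logins = [e for e in entries if e["action"] in LOGIN_ACTIONS
              and start <= e["date_create"] <= end]
    return {"changes": [summarize(e) for e in changes],
            "logins_in_window": [summarize(e) for e in logins]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE, reverted_at=1700010800), indent=2))
```

Leaving `reverted_at` unset keeps the window open, so every login after the first change is listed until the setting is confirmed restored.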