Suspicious file accessed or uploaded to Slack
Description
AlphaSOC detected suspicious file access or upload activity in Slack. The detection flags files whose extension or filename matches known suspicious patterns (for example executable, script and shortcut extensions, or lure-style names), as well as files that Slack itself has explicitly marked as suspicious. Threat actors use Slack as an initial access vector by sharing malicious files through the platform, because a file posted by a colleague or partner is more likely to be opened than an e-mail attachment. Open-source and known legitimate filenames are exempt from the detection to avoid false positives.
Impact
If not addressed, suspicious files shared through Slack can deliver malware, steal credentials, or establish command and control channels. This can lead to data theft, system compromise, or broader network access for threat actors.
Severity
| Severity | Condition |
|---|---|
| Medium | Suspicious file accessed or uploaded to Slack |
Investigation and Remediation
Review the Slack audit logs to identify the user who uploaded or shared the file and every user who downloaded or accessed it. Retrieve the file and analyze it in an isolated environment to determine whether it contains malicious content. If malicious activity is confirmed, remove the file from Slack, reset the credentials of the users who uploaded or opened it, and scan the systems on which the file was opened for signs of compromise.
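The following Python is added here as an illustration; it is not AlphaSOC's detection logic or Slack's API client. It runs the kind of extension and filename matching the Description lists (with an allowlist for known legitimate names) over a constructed set of Slack Audit Logs-style events, and then answers the first triage question from the Investigation section: who uploaded the flagged file and who downloaded it. The event field layout, the pattern lists, the allowlist and the `flagged_by_slack` field are assumptions made for the example.

```python
"""Detection and triage helper for suspicious file activity in Slack.

Added example, not AlphaSOC's detection code or Slack's API client. It runs
offline over a constructed list of Slack Audit Logs-style events; the event
layout (action, actor.user.email, entity.file.name, flagged_by_slack) is an
assumption, and the pattern lists and allowlist are illustrative.
"""
import re

# Extensions frequently abused to deliver a first-stage payload (illustrative).
SUSPICIOUS_EXTENSIONS = {
    "exe", "scr", "pif", "com", "cpl", "dll", "msi", "hta", "js", "jse",
    "vbs", "vbe", "wsf", "ps1", "bat", "cmd", "lnk", "iso", "img", "vhd", "jar",
}

# Benign-looking inner extension followed by a second one, e.g. invoice.pdf.lnk
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|gif)\.[a-z0-9]{1,4}$")

# Lure keywords and Unicode tricks seen in phishing filenames (illustrative).
SUSPICIOUS_NAME_PATTERNS = [
    ("financial_lure", re.compile(r"(?i)(?<![a-z])(invoice|payment|remittance|payroll|wire[_ -]?transfer)(?![a-z])")),
    ("urgency_lure", re.compile(r"(?i)(?<![a-z])(urgent|overdue|final[_ -]?notice|action[_ -]?required)(?![a-z])")),
    ("credential_lure", re.compile(r"(?i)(?<![a-z])(passwords?|credentials?)(?![a-z])")),
    # Right-to-left override / isolate characters hide the real extension.
    ("bidi_override", re.compile("[\u202a-\u202e\u2066-\u2069]")),
]

# Open-source / known-good tool names that would otherwise trip the extension rule (illustrative).
KNOWN_LEGITIMATE_NAMES = {"putty.exe", "7za.exe", "jq.exe", "procmon.exe"}

UPLOAD_ACTIONS = {"file_uploaded"}
ACCESS_ACTIONS = {"file_downloaded"}


def classify_file(name, flagged_by_slack=False):
    """Return the reasons a filename is suspicious (empty list if none).

    The allowlist suppresses pattern matches only; an explicit Slack flag
    (assumed here as a boolean on the event) is always reported.
    """
    reasons = ["flagged_by_slack"] if flagged_by_slack else []
    lowered = name.lower()
    if lowered in KNOWN_LEGITIMATE_NAMES:
        return reasons
    ext = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"extension:{ext}")
    if DOUBLE_EXTENSION.search(lowered):
        reasons.append("double_extension")
    for label, pattern in SUSPICIOUS_NAME_PATTERNS:
        if pattern.search(name):
            reasons.append(f"name:{label}")
    return reasons


def detect(events):
    """Emit one alert per upload or access event whose file looks suspicious."""
    alerts = []
    for ev in events:
        if ev["action"] not in UPLOAD_ACTIONS | ACCESS_ACTIONS:
            continue
        f = ev["entity"]["file"]
        reasons = classify_file(f["name"], ev.get("flagged_by_slack", False))
        if reasons:
            alerts.append({
                "event_id": ev["id"], "action": ev["action"],
                "actor": ev["actor"]["user"]["email"],
                "file_id": f["id"], "file_name": f["name"], "reasons": reasons,
            })
    return alerts


def investigate(events, file_id):
    """First triage question: who uploaded the file and who downloaded it."""
    summary = {"file_name": None, "uploaded_by": [], "accessed_by": []}
    for ev in sorted(events, key=lambda e: e["date_create"]):
        f = ev["entity"]["file"]
        if f["id"] != file_id:
            continue
        summary["file_name"] = f["name"]
        who = ev["actor"]["user"]["email"]
        if ev["action"] in UPLOAD_ACTIONS and who not in summary["uploaded_by"]:
            summary["uploaded_by"].append(who)
        elif ev["action"] in ACCESS_ACTIONS and who not in summary["accessed_by"]:
            summary["accessed_by"].append(who)
    return summary


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"id": "e1", "date_create": 1700000000, "action": "file_uploaded",
     "actor": {"user": {"email": "alice@example.com"}},
     "entity": {"file": {"id": "F100", "name": "Q3_report.xlsx"}}},
    {"id": "e2", "date_create": 1700000060, "action": "file_uploaded",
     "actor": {"user": {"email": "guest@partner.example"}},
     "entity": {"file": {"id": "F101", "name": "Invoice_0453.pdf.lnk"}}},
    {"id": "e3", "date_create": 1700000120, "action": "file_downloaded",
     "actor": {"user": {"email": "bob@example.com"}},
     "entity": {"file": {"id": "F101", "name": "Invoice_0453.pdf.lnk"}}},
    {"id": "e4", "date_create": 1700000180, "action": "file_uploaded",
     "actor": {"user": {"email": "alice@example.com"}},
     "entity": {"file": {"id": "F102", "name": "putty.exe"}}},
    {"id": "e5", "date_create": 1700000240, "action": "file_uploaded",
     "actor": {"user": {"email": "carol@example.com"}}, "flagged_by_slack": True,
     "entity": {"file": {"id": "F103", "name": "notes.txt"}}},
    {"id": "e6", "date_create": 1700000300, "action": "file_downloaded",
     "actor": {"user": {"email": "dave@example.com"}},
     "entity": {"file": {"id": "F101", "name": "Invoice_0453.pdf.lnk"}}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(investigate(SAMPLE_EVENTS, "F101"))
```

Two design points worth noting: the allowlist is matched on the exact lowercased filename rather than on a substring, so `putty.exe` is exempt but `putty.exe.lnk` is not; and download events are classified as well as uploads, so a file that slipped in before the rule existed still produces an alert the moment someone opens it.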