T1213.005 Messaging Applications

Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications:

  • Testing / development credentials (i.e., Chat Messages)
  • Source code snippets
  • Links to network shares and other internal resources
  • Proprietary data (Citation: Guardian Grand Theft Auto Leak 2022)
  • Discussions about ongoing incident response efforts (Citation: SC Magazine Ragnar Locker 2021) (Citation: Microsoft DEV-0537)

In addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts. (Citation: Sentinel Labs NullBulge 2024) (Citation: Permiso Scattered Spider 2023)

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.PS-01.01 | Configuration baselines | Mitigates | T1213.005 | Messaging Applications
  Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.PS-01.02 | Least functionality | Mitigates | T1213.005 | Messaging Applications
  Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1213.005 | Messaging Applications
CM-06 | Configuration Settings | mitigates | T1213.005 | Messaging Applications
CM-05 | Access Restrictions for Change | mitigates | T1213.005 | Messaging Applications
AC-17 | Remote Access | mitigates | T1213.005 | Messaging Applications
IA-08 | Identification and Authentication (Non-Organizational Users) | mitigates | T1213.005 | Messaging Applications
AC-21 | Information Sharing | mitigates | T1213.005 | Messaging Applications
SC-37 | Out-of-band Channels | mitigates | T1213.005 | Messaging Applications
AC-23 | Data Mining Protection | mitigates | T1213.005 | Messaging Applications
IA-04 | Identifier Management | mitigates | T1213.005 | Messaging Applications
SC-28 | Protection of Information at Rest | mitigates | T1213.005 | Messaging Applications
SI-02 | Flaw Remediation | mitigates | T1213.005 | Messaging Applications
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1213.005 | Messaging Applications
CM-08 | System Component Inventory | mitigates | T1213.005 | Messaging Applications
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1213.005 | Messaging Applications
AC-16 | Security and Privacy Attributes | mitigates | T1213.005 | Messaging Applications
CM-02 | Baseline Configuration | mitigates | T1213.005 | Messaging Applications
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1213.005 | Messaging Applications
CM-07 | Least Functionality | mitigates | T1213.005 | Messaging Applications
SI-04 | System Monitoring | mitigates | T1213.005 | Messaging Applications
AC-02 | Account Management | mitigates | T1213.005 | Messaging Applications
AC-03 | Access Enforcement | mitigates | T1213.005 | Messaging Applications
AC-04 | Information Flow Enforcement | mitigates | T1213.005 | Messaging Applications
AC-06 | Least Privilege | mitigates | T1213.005 | Messaging Applications
CM-03 | Configuration Change Control | mitigates | T1213.005 | Messaging Applications

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.malware.variety.Export data | Export data to another site or system | related-to | T1213.005 | Messaging Applications
attribute.confidentiality.data_disclosure | None | related-to | T1213.005 | Messaging Applications

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
cloud_identity | Cloud Identity | technique_scores | T1213.005 | Messaging Applications
  Comments: The access controls in Cloud Identity, such as MFA, can help prevent an adversary from accessing internal software such as messaging tools, protecting customer data. However, if the adversary is able to access the system, Cloud Identity cannot protect this data, leading to a score of partial.