Don’t Get Caught Slacking: How Abnormal Protects Slack From Advanced Threats
We love Slack. If you are one of their 20 million active users, you probably love Slack too. While email is still the preferred communication method for most organizations, you can’t communicate as quickly as you can in Slack. You can’t solicit feedback and work asynchronously as effectively as you can in Slack. You can’t send a timely Avengers gif as quickly as you can in Slack.
With Slack, you level the corporate playing field and build working relationships. It makes work more engaging, makes work-from-home feel less agoraphobic, and unlocks productivity. Of course, this being an article about Slack security, we regret to inform you that threat actors also see chat platforms as prime targets.
Slack houses conversations across finance, product, executive leadership, and other critical parts of the business. Sensitive data comes up in public channel discussions. Through Slack Connect, vendors and partners can chat with you. And while your employees are well aware of the threats present in email thanks to security awareness training, they may not see Slack as a threat.
So what makes Slack such a security concern? Attackers are always looking for the easiest way to cash out, and as email security improves, they see Slack as an easy target. Sensitive conversations happen in Slack across multiple teams and multiple companies, and with limited native security measures, the tool is ripe for exploitation.
That’s not to say Slack is inherently an insecure platform. Communications are encrypted, and access controls can be configured. But there are still risks to your organization that go beyond message encryption.
Recent attacks started via Slack show how attackers are deploying email-like attack tactics to target these applications. And as they see more success, they’re more likely to continue. So let’s talk about the risks of Slack and what you can do to protect your organization.
The Security Risks and Hacks That Target Slack
It’s no secret that we’ve recently announced security solutions for Slack, but one question we get from some of our customers is “it sounds interesting, but how would attackers even target Slack?”
At first, it was a shock to get this question considering recent research from ESG found 89% of organizations report seeing at least one attack on collaboration apps, and 52% have dealt with a multi-channel attack that included both email and apps like Slack. But in that same study, only 1 in 10 organizations considered messaging apps their most vulnerable collaboration platform. Nearly half, though, considered email the most vulnerable, and of course…we protect that pretty well.
This discrepancy points to one of two potential issues: a lack of visibility or budget and resource constraints. Honestly, it probably stems from both. Customers have pointed out they simply do not have a significant amount of visibility into Slack activity. Like many other productivity platforms, security teams are often not the primary administrator. And why should they be? Unless you are a massive enterprise organization with a robust security team that can justify granular role assignments—and not many organizations can—there is a good chance there are more pressing priorities.
But recent attacks tell us otherwise.
September 21st, 2022. The Slack tenant at Rockstar Games was compromised when a user with stolen credentials accessed an internal Slack channel containing game data from the company’s unreleased flagship title: Grand Theft Auto 6.
And this was right on the heels of September 15th, 2022 when Uber announced a breach wherein an attacker compromised Uber’s Slack tenant and announced the data the attacker had stolen.
And for good measure, in June of 2021, a threat actor using purchased stolen session cookies accessed an active Slack session on EA Games’ Slack tenant before social engineering their way into the corporate network. They then sent a Slack message to IT asking to reset MFA for a soon-to-be-compromised user email account.
This is a new but very real threat, whether an attacker is using Slack to move further into the organization or as the initial entry point, thanks to the unfortunate dark web availability of stolen session cookies.
How Abnormal Protects Slack
Protecting Slack from cyberattacks requires a multi-step approach. There are three angles to consider when looking for threats in Slack:
Has there been unusual authentication or session activity for any one user?
Have any user privileges changed, such as a user elevated to Slack administrator?
Has a user or third-party collaborator with access to corporate Slack sent any suspicious or outright malicious messages?
All of these have varying levels of risk, of course, but understanding when these events occur is a critical step in preventing a catastrophic breach or further lateral movement by threat actors.
To address these three types of risk, Abnormal recently released a suite of email-like security products for Slack, encompassing messaging security, account takeover protection, and user posture management. These products use Abnormal’s advanced detection capabilities—informed by data ingested from Slack, from your corporate email platform, and even from Okta or Azure Active Directory—to detect threats and build comprehensive case files to support in-depth investigation.
For example, if a user initiates a Slack session in Okta from that user’s home office in Seattle, but 10 minutes later that user is also signing in from an office in Siberia, that could indicate a problem—and Abnormal will surface both of those events in the Account Takeover case file for that user. Beyond this, if the Siberian sign-in was associated with any known indicators of compromise, such as a malicious IP address, domain, or other identifier, security teams will be immediately notified of the activity through Email-Like Account Takeover Protection.
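As an added illustration (not Abnormal's code or detection logic), the following Python checks constructed sign-in events for the impossible-travel pattern described above: consecutive sign-ins by one user that are too far apart to be reached in the elapsed time, annotated with whether the newer sign-in's IP matches a placeholder list of known-bad indicators. The users, IPs, coordinates and timestamps are constructed sample data.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not real Okta/Slack data).
# Coordinates: Seattle (47.61, -122.33) and Novosibirsk, Siberia (55.03, 82.92).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2022-09-21T09:00:00Z", "ip": "198.51.100.10", "lat": 47.61, "lon": -122.33},
    {"user": "alice", "ts": "2022-09-21T09:10:00Z", "ip": "203.0.113.77", "lat": 55.03, "lon": 82.92},
    {"user": "bob",   "ts": "2022-09-21T09:02:00Z", "ip": "198.51.100.11", "lat": 47.61, "lon": -122.33},
    {"user": "bob",   "ts": "2022-09-21T09:07:00Z", "ip": "198.51.100.11", "lat": 47.61, "lon": -122.33},
]

# Constructed placeholder for a known-bad IP list (a threat-intel feed in practice).
KNOWN_BAD_IPS = {"203.0.113.77"}

# Travel faster than this is treated as impossible (roughly airliner speed).
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive sign-ins (same user) requiring travel faster than max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # Two distinct locations at the same instant are impossible; same spot is never flagged.
            speed = (km / hours) if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "km": round(km), "minutes": round(hours * 60),
                               "required_kmh": round(speed), "ioc_match": cur["ip"] in KNOWN_BAD_IPS})
    return alerts
```

Run against SAMPLE_EVENTS this flags only alice: roughly 8,000 km covered in 10 minutes, from an IP on the placeholder bad list, while bob's two Seattle sign-ins produce no alert.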
If that same user is suddenly a Super Admin for your organization’s Slack tenant, Email-Like Security Posture Management will notify Abnormal admins of the change and provide contextual insights and next step guides to take downstream corrective action.
After these proactive measures, what if that user sends a message with a malicious link, attempting to execute an internal Slack phishing campaign? Email-Like Messaging Security can detect that threat and immediately raise a red flag to Abnormal administrators. The product also monitors outside vendors with access to a workspace and notifies Abnormal admins when they are sending malicious links in Slack.
Helping organizations protect more and secure the future begins with solving the visibility and resource gaps in detecting threats in Slack. With these new products, we are paving the way, ensuring that our customers stay protected from multi-channel and email-like attacks no matter where they initiate.
Interested in learning more about how Abnormal protects Slack?