[{"data":1,"prerenderedAt":3401},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/slack-phishing-for-initial-access":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":1168,"faqItemsCollection":1169,"faqTitle":62,"featured":6,"hashTags":62,"meta":1171,"metaTitle":1172,"ogImage":62,"publishedDate":1173,"relatedBlogPostsCollection":1174,"slug":3378,"stem":3379,"subtitle":62,"summary":3380,"synopsis":3391,"sys":3392,"tagsCollection":3394,"__hash__":3400},"blog/blog/slack-phishing-for-initial-access.json","Slack Attack: A phisher's guide to initial access",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Luke Jennings","Luke","Vice President, R&D",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"json":238,"links":1029},{"data":239,"content":240,"nodeType":1028},{},[241,282,289,336,343,364,372,379,386,393,400,433,440,486,493,500,507,514,521,529,536,542,549,556,563,570,576,583,590,597,604,611,617,623,630,637,662,669,676,683,690,696,702,709,715,722,729,736,742,749,756,763,770,779,792,798,805,812,818,824,831,838,845,852,859,865,872,878,885,892,899,905,912,919,962,969,976,983,990,997,1016,1022],{"data":242,"content":243,"nodeType":281},{},[244,249,260,264,278],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"This is the third post in a series on attack chains formed by combining techniques in the ","text",{"data":250,"content":252,"nodeType":259},{"uri":251},"https://github.com/pushsecurity/saas-attacks",[253],{"data":254,"marks":255,"value":258,"nodeType":248},{},[256],{"type":257},"underline","SaaS attack matrix","hyperlink",{"data":261,"marks":262,"value":263,"nodeType":248},{},[],". Last post we wrote about ",{"data":265,"content":271,"nodeType":277},{"target":266},{"sys":267},{"id":268,"type":269,"linkType":270},"7ygI4NLJ2zpuiVwAlggkTG","Link","Entry",[272],{"data":273,"marks":274,"value":276,"nodeType":248},{},[275],{"type":257},"shadow workflows and evil twin integrations.","entry-hyperlink",{"data":279,"marks":280,"value":29,"nodeType":248},{},[],"paragraph",{"data":283,"content":284,"nodeType":281},{},[285],{"data":286,"marks":287,"value":288,"nodeType":248},{},[],"In this article, we’ll demonstrate how instant messaging applications are an increasingly attractive target for a range of phishing and social engineering attacks. We’ll use the following SaaS attack techniques chained together:",{"data":290,"content":291,"nodeType":335},{},[292,314],{"data":293,"content":294,"nodeType":313},{},[295],{"data":296,"content":297,"nodeType":281},{},[298,301,310],{"data":299,"marks":300,"value":29,"nodeType":248},{},[],{"data":302,"content":304,"nodeType":259},{"uri":303},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_phishing/description.md",[305],{"data":306,"marks":307,"value":309,"nodeType":248},{},[308],{"type":257},"SAT1018 - IM phishing",{"data":311,"marks":312,"value":29,"nodeType":248},{},[],"list-item",{"data":315,"content":316,"nodeType":313},{},[317],{"data":318,"content":319,"nodeType":281},{},[320,323,332],{"data":321,"marks":322,"value":29,"nodeType":248},{},[],{"data":324,"content":326,"nodeType":259},{"uri":325},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_user_spoofing/description.md",[327],{"data":328,"marks":329,"value":331,"nodeType":248},{},[330],{"type":257},"SAT1019 - IM user spoofing",{"data":333,"marks":334,"value":29,"nodeType":248},{},[],"unordered-list",{"data":337,"content":338,"nodeType":281},{},[339],{"data":340,"marks":341,"value":342,"nodeType":248},{},[],"We’ll use Slack as our primary example in this case and we’ll be primarily focused on external phishing as part of the initial access phase of the kill chain. ",{"data":344,"content":345,"nodeType":281},{},[346,350,360],{"data":347,"marks":348,"value":349,"nodeType":248},{},[],"In the ",{"data":351,"content":355,"nodeType":277},{"target":352},{"sys":353},{"id":354,"type":269,"linkType":270},"1hU7XNIizp4vQXsiiQmqvI",[356],{"data":357,"marks":358,"value":359,"nodeType":248},{},[],"companion article",{"data":361,"marks":362,"value":363,"nodeType":248},{},[],", we’ll look at how once an attacker has a foothold on Slack, new attack possibilities open up that allow for persistence and lateral movement to be achieved.",{"data":365,"content":366,"nodeType":371},{},[367],{"data":368,"marks":369,"value":370,"nodeType":248},{},[],"Why focus on instant messengers?","heading-1",{"data":373,"content":374,"nodeType":281},{},[375],{"data":376,"marks":377,"value":378,"nodeType":248},{},[],"They aren’t new, however, the original focus of IM apps was on internal communication and phishing and social engineering attacks are often external. Email remained the standards-based protocol that enabled external communication no matter what email vendor was in use. In recent years, however, instant messengers (IM) have become the primary method of communication for many businesses. I wanted to focus on IM here because if that’s where employees are communicating, it’s the best place to launch attacks against them. Even better, there’s a history of users placing a higher degree of trust in IM platforms than email, so it becomes a potentially easy target.",{"data":380,"content":381,"nodeType":281},{},[382],{"data":383,"marks":384,"value":385,"nodeType":248},{},[],"While IM platforms were initially used solely for internal communications, organizations quickly realized that IM platforms could be used to communicate with external groups, individuals, freelancers, and contractors, with the hope of fewer emails and more instant communications. ",{"data":387,"content":388,"nodeType":281},{},[389],{"data":390,"marks":391,"value":392,"nodeType":248},{},[],"We now have Slack Connect and Microsoft Teams external access to support this, with Slack Connect introduced in June 2020 and Teams introducing it in January 2022. This external access has increased the attack surface of these platforms considerably.",{"data":394,"content":395,"nodeType":281},{},[396],{"data":397,"marks":398,"value":399,"nodeType":248},{},[],"Despite decades of security research, email security appliances and user security training, email-based phishing and social engineering is still commonly successful. Now we have instant messenger platforms with:",{"data":401,"content":402,"nodeType":335},{},[403,413,423],{"data":404,"content":405,"nodeType":313},{},[406],{"data":407,"content":408,"nodeType":281},{},[409],{"data":410,"marks":411,"value":412,"nodeType":248},{},[],"Richer functionality than email, ",{"data":414,"content":415,"nodeType":313},{},[416],{"data":417,"content":418,"nodeType":281},{},[419],{"data":420,"marks":421,"value":422,"nodeType":248},{},[],"Lacking centralized security gateways and other security controls common to email and ",{"data":424,"content":425,"nodeType":313},{},[426],{"data":427,"content":428,"nodeType":281},{},[429],{"data":430,"marks":431,"value":432,"nodeType":248},{},[],"Unfamiliar as a threat vector to your average user compared with email. ",{"data":434,"content":435,"nodeType":281},{},[436],{"data":437,"marks":438,"value":439,"nodeType":248},{},[],"There’s also a sense of urgency associated with IM messages due to the conversational nature compared with emails. Combined with a history of increased trust, we have the ingredients for increased social engineering success.",{"data":441,"content":442,"nodeType":281},{},[443,447,456,460,469,473,482],{"data":444,"marks":445,"value":446,"nodeType":248},{},[],"There’s been an uptick recently in IM-based phishing research and real-world attacks, particularly for Microsoft Teams. For example, check out the ",{"data":448,"content":450,"nodeType":259},{"uri":449},"https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware/",[451],{"data":452,"marks":453,"value":455,"nodeType":248},{},[454],{"type":257},"great research from JumpSec",{"data":457,"marks":458,"value":459,"nodeType":248},{},[]," on bypassing attachment protection for external Teams messages, the offensive tool ",{"data":461,"content":463,"nodeType":259},{"uri":462},"https://github.com/Octoberfest7/TeamsPhisher",[464],{"data":465,"marks":466,"value":468,"nodeType":248},{},[467],{"type":257},"TeamsPhisher",{"data":470,"marks":471,"value":472,"nodeType":248},{},[]," and attacks distributing ",{"data":474,"content":476,"nodeType":259},{"uri":475},"https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-pushes-darkgate-malware/",[477],{"data":478,"marks":479,"value":481,"nodeType":248},{},[480],{"type":257},"DarkGate malware via Teams",{"data":483,"marks":484,"value":485,"nodeType":248},{},[],".",{"data":487,"content":488,"nodeType":281},{},[489],{"data":490,"marks":491,"value":492,"nodeType":248},{},[],"However, in this article we’ll focus on a few techniques specific to Slack.",{"data":494,"content":498,"nodeType":499},{"target":495},{"sys":496},{"id":497,"type":269,"linkType":270},"6iKFd9Qys2SSuNqKVQB7ka",[],"embedded-entry-block",{"data":501,"content":502,"nodeType":371},{},[503],{"data":504,"marks":505,"value":506,"nodeType":248},{},[],"IM user spoofing",{"data":508,"content":509,"nodeType":281},{},[510],{"data":511,"marks":512,"value":513,"nodeType":248},{},[],"The first consideration is the spoofing aspect. We’ve all seen techniques for spoofing emails, but there are many security controls like Sender Policy Framework (SPF) that can prevent direct spoofing of domains and email security gateways that can flag suspicious domains.",{"data":515,"content":516,"nodeType":281},{},[517],{"data":518,"marks":519,"value":520,"nodeType":248},{},[],"Those security controls don’t exist for IM, so we have new options for spoofing.",{"data":522,"content":523,"nodeType":528},{},[524],{"data":525,"marks":526,"value":527,"nodeType":248},{},[],"External IM invites","heading-2",{"data":530,"content":531,"nodeType":281},{},[532],{"data":533,"marks":534,"value":535,"nodeType":248},{},[],"IM applications often make use of friendly display names for organization and employee names as well as user-chosen handles. These often don’t need to be unique either. Consider the following Slack Connect request:",{"data":537,"content":541,"nodeType":499},{"target":538},{"sys":539},{"id":540,"type":269,"linkType":270},"7MEljb1f6XzNRBEbOSsQXi",[],{"data":543,"content":544,"nodeType":281},{},[545],{"data":546,"marks":547,"value":548,"nodeType":248},{},[],"It’s not easy for a target user to tell if the user or organization requesting to connect is legitimate when they first receive this invitation. There’s also a curiosity incentive - you can’t see a first message from the user, so it’s tempting for the target user to accept in order to see the message, even if they then ignore it.",{"data":550,"content":551,"nodeType":281},{},[552],{"data":553,"marks":554,"value":555,"nodeType":248},{},[],"However, once an attacker has got a first connection, they have cleared the first hurdle. They can now launch attacks in future, not just attacks immediately following a successful connection, after the target user has forgotten they ever connected with the attacker (more on this later).",{"data":557,"content":558,"nodeType":528},{},[559],{"data":560,"marks":561,"value":562,"nodeType":248},{},[],"Spoofing an internal user",{"data":564,"content":565,"nodeType":281},{},[566],{"data":567,"marks":568,"value":569,"nodeType":248},{},[],"What’s more, there’s nothing stopping an external attacker from impersonating internal users/employees too. This is especially a concern if an attacker can social engineer their way into being invited into a channel.",{"data":571,"content":575,"nodeType":499},{"target":572},{"sys":573},{"id":574,"type":269,"linkType":270},"5TaP25v80xMkA5e33yFIfX",[],{"data":577,"content":578,"nodeType":281},{},[579],{"data":580,"marks":581,"value":582,"nodeType":248},{},[],"While this particular example is less likely to be successful in a small channel, it’s much more of a concern if they change their user identity to replicate an internal employee or teammate and then direct message a member of the channel. DMing an individual channel member doesn’t require a new Slack connect invite so it’s much easier for an unsuspecting target to fall victim to social engineering in this way. ",{"data":584,"content":585,"nodeType":528},{},[586],{"data":587,"marks":588,"value":589,"nodeType":248},{},[],"Chameleon attack",{"data":591,"content":592,"nodeType":281},{},[593],{"data":594,"marks":595,"value":596,"nodeType":248},{},[],"A particularly interesting external attack capability is that an attacker can act as a chameleon and change their identity over time. Let’s say an external attacker achieves a successful connection with a potential target as an external entity. Maybe they exchange some innocuous communications and then leave the conversation to die. Perhaps the target even has Slack message retention settings enabled that delete the chat history after 90 days.",{"data":598,"content":599,"nodeType":281},{},[600],{"data":601,"marks":602,"value":603,"nodeType":248},{},[],"The attacker bides their time and then in the future, they completely change their Slack identity to impersonate an internal user and message the target again. The connection is already present so the message will come through like any other message, only this time it will appear from a completely different identity. It’s quite possible that the target could be fooled into believing the message is from the internal user. ",{"data":605,"content":606,"nodeType":281},{},[607],{"data":608,"marks":609,"value":610,"nodeType":248},{},[],"This could be particularly dangerous in CEO fraud attacks. An attacker could forge connections with finance employees ahead of time for seemingly legitimate and innocuous means and then later use those to send Slack messages spoofing the CEO.",{"data":612,"content":616,"nodeType":499},{"target":613},{"sys":614},{"id":615,"type":269,"linkType":270},"51TYXiOwQw0D6BYCzu0em4",[],{"data":618,"content":622,"nodeType":499},{"target":619},{"sys":620},{"id":621,"type":269,"linkType":270},"6ZQ6iFu11NnXOP4EMAgxji",[],{"data":624,"content":625,"nodeType":281},{},[626],{"data":627,"marks":628,"value":629,"nodeType":248},{},[],"All the examples given so far are possible as an external attacker making Slack connect invites, so they work as the initial access phase of the kill chain. However, if an attacker gains control of an internal Slack user account for the target tenant, or the attacker is a malicious insider (e.g. a disgruntled employee), then they don’t even need to worry about achieving an initial connection request. Under a default configuration, they could change their name and photo to impersonate the CEO immediately and message anyone they like. However, this is moving into the lateral movement phase of the kill chain.",{"data":631,"content":632,"nodeType":371},{},[633],{"data":634,"marks":635,"value":636,"nodeType":248},{},[],"Link preview spoofing",{"data":638,"content":639,"nodeType":281},{},[640,644,649,653,658],{"data":641,"marks":642,"value":643,"nodeType":248},{},[],"Another key issue is link preview spoofing. HTML allows a variety of ways to specify hyperlinks. In email, secure email gateways will often alert or block commonly abused types, such as forging a different URL as the link display text to what the underlying link points to. For example, an attacker could show the link as ",{"data":645,"marks":646,"value":648,"nodeType":248},{},[647],{"type":257},"https://www.google.com",{"data":650,"marks":651,"value":652,"nodeType":248},{},[]," but direct it to ",{"data":654,"marks":655,"value":657,"nodeType":248},{},[656],{"type":257},"https://www.evil.com",{"data":659,"marks":660,"value":661,"nodeType":248},{},[]," when it is clicked. Secure email gateways often perform a lot of other analysis of links, including domain analysis and active crawling to identify common phishing attacks.",{"data":663,"content":664,"nodeType":281},{},[665],{"data":666,"marks":667,"value":668,"nodeType":248},{},[],"On IM applications, however, this same standard of link analysis is not always present and the widespread introduction of link unfurling/previewing has also given additional options for spoofing links to hide their true source and increase social engineering success. ",{"data":670,"content":671,"nodeType":528},{},[672],{"data":673,"marks":674,"value":675,"nodeType":248},{},[],"Traditional link forging",{"data":677,"content":678,"nodeType":281},{},[679],{"data":680,"marks":681,"value":682,"nodeType":248},{},[],"We’ll start with a common traditional link forging scenario to see how Slack handles that, then show how link previews change the threat.",{"data":684,"content":685,"nodeType":281},{},[686],{"data":687,"marks":688,"value":689,"nodeType":248},{},[],"Here, we can see forging a link is permitted by Slack, but at least the real domain is shown to the user along with an overt warning.",{"data":691,"content":695,"nodeType":499},{"target":692},{"sys":693},{"id":694,"type":269,"linkType":270},"3SDhqamQqXLfFqD8W1b37V",[],{"data":697,"content":701,"nodeType":499},{"target":698},{"sys":699},{"id":700,"type":269,"linkType":270},"5yfDUdZ4F6zrp7AGnMGD5b",[],{"data":703,"content":704,"nodeType":281},{},[705],{"data":706,"marks":707,"value":708,"nodeType":248},{},[],"On the other hand, if we use friendly text to mask the true URL, we no longer get a warning when clicking the link. However, it’s still possible to see the real URL via a mouseover, so this doesn’t really differ from traditional email phishing scenarios. Without any context of the link, it’s likely a security conscious user will hover-over to see what the link points to.",{"data":710,"content":714,"nodeType":499},{"target":711},{"sys":712},{"id":713,"type":269,"linkType":270},"3KCRJ9HIJimLX9vzJVHq1C",[],{"data":716,"content":717,"nodeType":528},{},[718],{"data":719,"marks":720,"value":721,"nodeType":248},{},[],"Abusing link previews using an internal account ",{"data":723,"content":724,"nodeType":281},{},[725],{"data":726,"marks":727,"value":728,"nodeType":248},{},[],"It gets more interesting when we use links that Slack is able to unfurl to provide a link preview. We’re going to show how this works with full link previews first. By default, full previews only show for messages from internal users. To make the explanation easier, we’ll show full previews first but then we’ll show the difference with limited previews in external messages afterwards and thus show how it impacts external phishing attacks in the initial access phase.",{"data":730,"content":731,"nodeType":281},{},[732],{"data":733,"marks":734,"value":735,"nodeType":248},{},[],"Here we’ll show a legitimate example of posting one of our own blogs where Slack helpfully unfurls the URL and gives some context to the link as a preview:",{"data":737,"content":741,"nodeType":499},{"target":738},{"sys":739},{"id":740,"type":269,"linkType":270},"7nknMRtdXGlupYom31kKor",[],{"data":743,"content":744,"nodeType":281},{},[745],{"data":746,"marks":747,"value":748,"nodeType":248},{},[],"This is very useful for the user and, despite the fact you can still see the real link clearly via a hover-over, a user is much less likely to check a link when they’ve already had a seemingly legitimate preview context displayed to them. ",{"data":750,"content":751,"nodeType":281},{},[752],{"data":753,"marks":754,"value":755,"nodeType":248},{},[],"So, how can we use this scenario maliciously?",{"data":757,"content":758,"nodeType":281},{},[759],{"data":760,"marks":761,"value":762,"nodeType":248},{},[],"The obvious attack scenario is to minimize the link display text so it’s not noticeable and hard to hover-over and then forge a different link preview for Slack than what is given to the user when they click the link. Then when the user clicks the link, they’ll be directed to our phishing page instead. ",{"data":764,"content":765,"nodeType":281},{},[766],{"data":767,"marks":768,"value":769,"nodeType":248},{},[],"We can do this through using a single character as the link display text and then performing user agent specific processing of web requests. For example, Slack unfurling uses a user agent like the following:",{"data":771,"content":772,"nodeType":281},{},[773],{"data":774,"marks":775,"value":778,"nodeType":248},{},[776],{"type":777},"code","Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)",{"data":780,"content":781,"nodeType":281},{},[782,786],{"data":783,"marks":784,"value":785,"nodeType":248},{},[],"Therefore, without even requiring much sophistication, we can use some simple python code to perform a redirect to a legitimate source when our web request handler sees this user agent. However, when a target user visits using a normal web browser we instead return a malicious page. The example python code below redirects to benign content for a Slack preview, while serving malicious content otherwise:",{"data":787,"marks":788,"value":791,"nodeType":248},{},[789],{"type":790},"bold","    ",{"data":793,"content":797,"nodeType":499},{"target":794},{"sys":795},{"id":796,"type":269,"linkType":270},"4VHFyInQfa3tdvJO4rnnQL",[],{"data":799,"content":800,"nodeType":281},{},[801],{"data":802,"marks":803,"value":804,"nodeType":248},{},[],"The end result of this is that the user sees a nice friendly link preview legitimately produced by Slack and Google Docs in real time, whereas if they click the link they’ll be taken to our phishing page instead. ",{"data":806,"content":807,"nodeType":281},{},[808],{"data":809,"marks":810,"value":811,"nodeType":248},{},[],"In this case, we have shown a Google style phishing page as an example for harvesting credentials. Hopefully, the user will assume their Google Docs session expired and then re-enter their credentials. See what the target user would see below:",{"data":813,"content":817,"nodeType":499},{"target":814},{"sys":815},{"id":816,"type":269,"linkType":270},"3QaFhW1otbJpzMI9ff5R4F",[],{"data":819,"content":823,"nodeType":499},{"target":820},{"sys":821},{"id":822,"type":269,"linkType":270},"6ZFu92OSmI7miSGz8QwwtV",[],{"data":825,"content":826,"nodeType":281},{},[827],{"data":828,"marks":829,"value":830,"nodeType":248},{},[],"Using a small period as the display text for the hyperlink means it is difficult for the user to notice and hover-over to see Slack pop-up the true domain as we saw earlier. While they can still hover over the link preview itself, this only shows the real domain in the taskbar in the bottom left, which is only noticeable if you intentionally look for it. ",{"data":832,"content":833,"nodeType":281},{},[834],{"data":835,"marks":836,"value":837,"nodeType":248},{},[],"Given normal links in Slack show the domain above the mouse, users aren’t used to looking for the link here and, combined with the friendly link preview, it’s much less likely a target user will realize this is a phishing attack.",{"data":839,"content":840,"nodeType":528},{},[841],{"data":842,"marks":843,"value":844,"nodeType":248},{},[],"Abusing link previews with an external account ",{"data":846,"content":847,"nodeType":281},{},[848],{"data":849,"marks":850,"value":851,"nodeType":248},{},[],"What we’ve just shown is the behavior for a message from an internal user. Slack doesn’t fully unfurl a link by default, however, if this was combined with external messaging as we saw earlier. It does still show a partial link preview though and therefore this attack is still possible.",{"data":853,"content":854,"nodeType":281},{},[855],{"data":856,"marks":857,"value":858,"nodeType":248},{},[],"The only real difference is it doesn’t show the image part of the preview and, instead, shows a notice to the user that it’s external and gives them the option to click to show the image preview as well. If the user clicks to show the image preview, it converts to the same full preview with the image we saw above. In this case, we can see an example of chaining the original external user spoofing attack with a link preview spoofing attack below:",{"data":860,"content":864,"nodeType":499},{"target":861},{"sys":862},{"id":863,"type":269,"linkType":270},"4IkX0LI0bB36CxNlHYHRHs",[],{"data":866,"content":867,"nodeType":281},{},[868],{"data":869,"marks":870,"value":871,"nodeType":248},{},[],"While this is slightly more problematic for an attacker than the internal functionality for link previews, it’s still very useful as a social engineering technique and arguably the option to click “just show this one” adds to the legitimacy. The reason is the user may use this as a way to get context on what the link is, instead of looking for the underlying URL. Otherwise, clicking the link still takes the user to the phishing page without any other warnings the same as for internal messages.",{"data":873,"content":877,"nodeType":499},{"target":874},{"sys":875},{"id":876,"type":269,"linkType":270},"2ug8ozbhRM3Xg8nhasJ1er",[],{"data":879,"content":880,"nodeType":528},{},[881],{"data":882,"marks":883,"value":884,"nodeType":248},{},[],"Cleaning your tracks",{"data":886,"content":887,"nodeType":281},{},[888],{"data":889,"marks":890,"value":891,"nodeType":248},{},[],"Ok, so let’s say an attacker has either successfully phished the target user or perhaps now the user is suspicious and likely contacting security or IT. One of the great benefits of IM apps is you can generally edit and delete messages, which can be abused by an attacker.",{"data":893,"content":894,"nodeType":281},{},[895],{"data":896,"marks":897,"value":898,"nodeType":248},{},[],"As an attacker, I could make a tiny change to my message to replace the malicious link with the legitimate link I was spoofing for the link preview if I got the sense the target was getting suspicious. Then, if an incident responder comes to investigate, the malicious link is now gone and the message itself appears identical, covering my tracks. Other than being able to see the message has been edited, it’s no longer easy to see this was a phishing attack or where the phishing link pointed to. This is definitely a useful capability that isn’t usually possible with email phishing! \n\nSee this minor change reflected below, making the original phishing message appear innocuous due to the replacement of the phishing URL with a legitimate URL:",{"data":900,"content":904,"nodeType":499},{"target":901},{"sys":902},{"id":903,"type":269,"linkType":270},"32lWR3sObuIYvhSDUPIPAh",[],{"data":906,"content":907,"nodeType":371},{},[908],{"data":909,"marks":910,"value":911,"nodeType":248},{},[],"Impact",{"data":913,"content":914,"nodeType":281},{},[915],{"data":916,"marks":917,"value":918,"nodeType":248},{},[],"We’ve covered a lot of ground here, showing the chaining of external user spoofing attacks with link preview spoofing and also how to cover your tracks afterwards. It’s worth taking a step back and considering the key impact points:",{"data":920,"content":921,"nodeType":335},{},[922,932,942,952],{"data":923,"content":924,"nodeType":313},{},[925],{"data":926,"content":927,"nodeType":281},{},[928],{"data":929,"marks":930,"value":931,"nodeType":248},{},[],"IM apps like Slack are now external phishing and social engineering vectors, not just internal ones",{"data":933,"content":934,"nodeType":313},{},[935],{"data":936,"content":937,"nodeType":281},{},[938],{"data":939,"marks":940,"value":941,"nodeType":248},{},[],"User spoofing can be used in novel ways to enhance social engineering that employees may not be familiar with",{"data":943,"content":944,"nodeType":313},{},[945],{"data":946,"content":947,"nodeType":281},{},[948],{"data":949,"marks":950,"value":951,"nodeType":248},{},[],"Link spoofing techniques can make phishing links much harder to spot and so increase social engineering success",{"data":953,"content":954,"nodeType":313},{},[955],{"data":956,"content":957,"nodeType":281},{},[958],{"data":959,"marks":960,"value":961,"nodeType":248},{},[],"Malicious Slack messages can be modified later to replace the phishing link to cover up the attack",{"data":963,"content":964,"nodeType":371},{},[965],{"data":966,"marks":967,"value":968,"nodeType":248},{},[],"Conclusion",{"data":970,"content":971,"nodeType":281},{},[972],{"data":973,"marks":974,"value":975,"nodeType":248},{},[],"IM apps have become the default internal communication for most organizations now, but are now a common method of communication with external parties, as well. This means they’ll become a key battleground in both the initial access phase of compromises and the latter phases of lateral movement and persistence. ",{"data":977,"content":978,"nodeType":281},{},[979],{"data":980,"marks":981,"value":982,"nodeType":248},{},[],"This also means organizations reliant on traditional email security gateways and email-based phishing training are likely to see the effectiveness of these controls decrease if attacks shift to the IM apps.",{"data":984,"content":985,"nodeType":281},{},[986],{"data":987,"marks":988,"value":989,"nodeType":248},{},[],"In this article, we highlighted a number of spoofing and phishing strategies that can be employed by external attackers to target an organization using Slack in the initial access phase of the kill chain. In the next article, we’ll look at how once an attacker has a foothold on Slack, new attack possibilities open up that allow for persistence and lateral movement to be achieved.",{"data":991,"content":992,"nodeType":281},{},[993],{"data":994,"marks":995,"value":996,"nodeType":248},{},[],"While this article focused on Slack specifically, similar attacks may be possible for other IM apps as well. Going forwards, it will be important for organizations to factor in these types of attacks into their security strategies.",{"data":998,"content":999,"nodeType":281},{},[1000,1004,1012],{"data":1001,"marks":1002,"value":1003,"nodeType":248},{},[],"In our ",{"data":1005,"content":1008,"nodeType":277},{"target":1006},{"sys":1007},{"id":354,"type":269,"linkType":270},[1009],{"data":1010,"marks":1011,"value":359,"nodeType":248},{},[],{"data":1013,"marks":1014,"value":1015,"nodeType":248},{},[],", we’ll talk about how to use Slack to gain persistence and move laterally across the organization. ",{"data":1017,"content":1021,"nodeType":499},{"target":1018},{"sys":1019},{"id":1020,"type":269,"linkType":270},"2y0INxqAi594O7rCAVKhTI",[],{"data":1023,"content":1024,"nodeType":281},{},[1025],{"data":1026,"marks":1027,"value":29,"nodeType":248},{},[],"document",{"entries":1030},{"inline":1031,"hyperlink":1032,"block":1042},[],[1033,1038],{"sys":1034,"__typename":1035,"title":1036,"slug":1037},{"id":268},"BlogPosts","The shadow workflow’s evil twin: A nearly invisible attack chain","nearly-invisible-attack-chain",{"sys":1039,"__typename":1035,"title":1040,"slug":1041},{"id":354},"Slack Attack: A phisher's guide to persistence and lateral movement","phishing-slack-persistence",[1043,1050,1059,1067,1075,1083,1091,1099,1107,1115,1121,1129,1137,1145,1154,1162],{"sys":1044,"__typename":1045,"type":1046,"ctaText":1047,"buttonLabel":1048,"buttonColour":1049,"buttonUrl":62},{"id":497},"CtaWidget","Demo","Learn how Push can help you secure identities across your org","Book a demo!","sunny orange",{"sys":1051,"__typename":1052,"title":1053,"caption":1054,"layoutMode":62,"file":1055},{"id":540},"Image","Slack phishing - new invite","Slack connect invite from an external tenant with an attacker chosen user name and organization name",{"url":1056,"width":1057,"height":1058},"https://images.ctfassets.net/y1cdw1ablpvd/32Q5YwPYPpnnwr05cFE9FZ/bf1537dc55dad812c2ef8bd56b1be0da/image5.png",792,211,{"sys":1060,"__typename":1052,"title":1061,"caption":1062,"layoutMode":62,"file":1063},{"id":574},"Slack phishing - impersonating an employee","An external attacker (the Zuck with an F on the profile to show it's an external account) in a channel impersonating an internal user (the Zuck without an F to show it's an internal account)).",{"url":1064,"width":1065,"height":1066},"https://images.ctfassets.net/y1cdw1ablpvd/15wI2UepFxEhNu5Oniv2Jm/bc3719550be55300a1dc9865a2a5c94c/image13.png",1164,584,{"sys":1068,"__typename":1052,"title":1069,"caption":1070,"layoutMode":62,"file":1071},{"id":615},"Slack phishing - spoofing","An initial message from an accepted Slack connect invite, from “Brian” at “SomeExternalMarketingAgency, LLC”",{"url":1072,"width":1073,"height":1074},"https://images.ctfassets.net/y1cdw1ablpvd/1PRhPZ9M8jiyICJV38EldP/c7bccda387c084cd0483ca9a051e1032/image12.png",1048,439,{"sys":1076,"__typename":1052,"title":1077,"caption":1078,"layoutMode":62,"file":1079},{"id":621},"Slack phishing - social engineering","A social engineering message sent in future with a change in user identity - no new Slack connection is required",{"url":1080,"width":1081,"height":1082},"https://images.ctfassets.net/y1cdw1ablpvd/7D0CEOQmuomsw3uaq7EkNE/5cc635924e8d0ccb72340bbee7aadf78/image8.png",957,544,{"sys":1084,"__typename":1052,"title":1085,"caption":1086,"layoutMode":62,"file":1087},{"id":694},"Slack phishing - link forging","Link forging shows the real domain on a hover-over",{"url":1088,"width":1089,"height":1090},"https://images.ctfassets.net/y1cdw1ablpvd/3ZVdrMekiWSULQXFTKcOc3/59d6066d06d3543e7eed79f5d1d4bd61/image2.png",856,140,{"sys":1092,"__typename":1052,"title":1093,"caption":1094,"layoutMode":62,"file":1095},{"id":700},"Slack phishing - link forging warning","Link forging also presents a warning dialog to the user by default if they click the link",{"url":1096,"width":1097,"height":1098},"https://images.ctfassets.net/y1cdw1ablpvd/1jkGOiQxzDe2xNJCmB8zL3/8babcd4e9ae83bbd79843eaf17596db4/image1.png",1044,504,{"sys":1100,"__typename":1052,"title":1101,"caption":1102,"layoutMode":62,"file":1103},{"id":713},"Slack phishing - link forging friendly text","A hover-over still shows the true URL with a friendly text link but no warning dialog is given",{"url":1104,"width":1105,"height":1106},"https://images.ctfassets.net/y1cdw1ablpvd/6pNYmKoOBAvj5Pu0qpB88f/f770190659c1f499d73fffa3fbfce4d3/image9.png",852,146,{"sys":1108,"__typename":1052,"title":1109,"caption":1110,"layoutMode":62,"file":1111},{"id":740},"Slack phishing - link unfurling","Link unfurling resulting in a helpful link preview",{"url":1112,"width":1113,"height":1114},"https://images.ctfassets.net/y1cdw1ablpvd/428xUDjIeEE6rzCyJJWfpe/60b48bf9c36e2831585c1f5c86f97154/image11.png",1276,744,{"sys":1116,"__typename":1117,"name":1118,"type":1119,"syntax":1120},{"id":796},"CodeBlockComponent","Slack phishing 1: Link preview spoofing code","python","from http.server import HTTPServer, SimpleHTTPRequestHandler\n\n\nclass MyHandler(SimpleHTTPRequestHandler):\n    def do_GET(self):\n        for header, val in self.headers.items():\n            if header == \"User-Agent\":\n                print(header, val)\n                if val.startswith(\"Slackbot-LinkExpanding\") or \"SkypeUriPreview\" in val or \"Google-PageRenderer\" in val:\n                    self.send_response(301)\n                    self.send_header('Location', 'https://docs.google.com/presentation/d/1JsjD2Ro9KaHmW2vILPKJ6-7ptW89pfsAReyzCxQdpq0/edit?usp=sharing')\n                    self.end_headers()\n                    return\n            print(header, val)\n        return super(MyHandler, self).do_GET()\n\n\nhttpd = HTTPServer(('localhost', 8000), MyHandler)\nhttpd.serve_forever()",{"sys":1122,"__typename":1052,"title":1123,"caption":1124,"layoutMode":62,"file":1125},{"id":816},"Slack phishing - user and link preview spoofing","Phishing message making use of user spoofing and link preview spoofing to make the link seem legitimate, so the user won’t notice the true URL. A small period is used to hide the URL.",{"url":1126,"width":1127,"height":1128},"https://images.ctfassets.net/y1cdw1ablpvd/2yh3i1Htdy4iXfKfRgiPBj/aa455d9513a6047b187df60494e942d8/image4.png",1160,678,{"sys":1130,"__typename":1052,"title":1131,"caption":1132,"layoutMode":62,"file":1133},{"id":822},"Slack phishing - fake phishing page","The fake Google phishing page the user is directed to when clicking the link, in this case hosted on a custom ngrok domain",{"url":1134,"width":1135,"height":1136},"https://images.ctfassets.net/y1cdw1ablpvd/7eN4laU7EvdAbi0mjyLNeK/f8ed7e4db0fe35ebb85ac7a6946c7f05/image6.png",1718,1560,{"sys":1138,"__typename":1052,"title":1139,"caption":1140,"layoutMode":62,"file":1141},{"id":863},"Slack phishing - link preview from external","Link previews from external messages do not show the image by default, but allow the user to override this",{"url":1142,"width":1143,"height":1144},"https://images.ctfassets.net/y1cdw1ablpvd/3OORVNatftPSxM4d5RUeCX/e88a707d86ac24db370ea7b54a5b5570/image7.png",613,239,{"sys":1146,"__typename":1052,"title":1147,"caption":1148,"layoutMode":1149,"file":1150},{"id":876},"Slack phishing - technical diagram 1","A diagram to show the combination of external spoofing and link preview spoofing in action","Breaks margins",{"url":1151,"width":1152,"height":1153},"https://images.ctfassets.net/y1cdw1ablpvd/5F5m59YpByCrIMmm71sal/d6863a45244ebc9821589224d34a3962/image10.png",1999,1125,{"sys":1155,"__typename":1052,"title":1156,"caption":1157,"layoutMode":62,"file":1158},{"id":903},"Slack phishing - link unfurling edited","An edited message to remove the malicious link and replace it with the same link used for spoofed link preview. ",{"url":1159,"width":1160,"height":1161},"https://images.ctfassets.net/y1cdw1ablpvd/2keEwuruFFUM8tT9AFqEvp/ee2b1d858ed766f5193317c4bb888e3c/image3.png",637,423,{"sys":1163,"__typename":1045,"type":1164,"ctaText":1165,"buttonLabel":1166,"buttonColour":1167,"buttonUrl":62},{"id":1020},"LinkedIn","See more original research and technical content from Push","Follow us on LinkedIn","orange","json",{"items":1170},[],{},"Phishing through Slack for initial access","2023-10-24T00:00:00.000Z",{"items":1175},[1176,2008,2908],{"__typename":1035,"sys":1177,"content":1178,"title":1040,"synopsis":1993,"hashTags":62,"publishedDate":1173,"slug":1041,"tagsCollection":1994,"authorsCollection":2004},{"id":354},{"json":1179},{"data":1180,"content":1181,"nodeType":1028},{},[1182,1200,1222,1229,1312,1318,1341,1347,1353,1359,1365,1395,1401,1437,1443,1448,1455,1474,1481,1488,1508,1530,1551,1558,1565,1572,1578,1585,1592,1599,1605,1611,1631,1638,1644,1650,1656,1663,1679,1685,1691,1698,1705,1712,1719,1726,1732,1739,1758,1764,1771,1777,1784,1790,1797,1804,1811,1818,1824,1831,1836,1842,1849,1856,1961,1967,1973,1980,1987],{"data":1183,"content":1184,"nodeType":281},{},[1185,1189,1196],{"data":1186,"marks":1187,"value":1188,"nodeType":248},{},[],"This is the fourth post in a series on attack chains formed by combining techniques in the ",{"data":1190,"content":1191,"nodeType":259},{"uri":251},[1192],{"data":1193,"marks":1194,"value":258,"nodeType":248},{},[1195],{"type":257},{"data":1197,"marks":1198,"value":1199,"nodeType":248},{},[]," and the second post of two focused on attacking instant messaging applications with Slack as the primary example. ",{"data":1201,"content":1202,"nodeType":281},{},[1203,1207,1218],{"data":1204,"marks":1205,"value":1206,"nodeType":248},{},[],"The ",{"data":1208,"content":1212,"nodeType":277},{"target":1209},{"sys":1210},{"id":1211,"type":269,"linkType":270},"2rjLrCo6KWwLicfpV2qTOZ",[1213],{"data":1214,"marks":1215,"value":1217,"nodeType":248},{},[1216],{"type":257},"previous post",{"data":1219,"marks":1220,"value":1221,"nodeType":248},{},[]," focused on external attackers gaining an initial foothold during the initial access phase of the kill chain. In this post we’ll be focusing on persistence and lateral movement for an attacker that has already gained a foothold on a Slack tenant by compromising an internal account. ",{"data":1223,"content":1224,"nodeType":281},{},[1225],{"data":1226,"marks":1227,"value":1228,"nodeType":248},{},[],"We’ll build on the techniques in the previous post as well as introducing more and so will cover the following SaaS attack techniques, including chaining them together:",{"data":1230,"content":1231,"nodeType":335},{},[1232,1251,1270,1291],{"data":1233,"content":1234,"nodeType":313},{},[1235],{"data":1236,"content":1237,"nodeType":281},{},[1238,1241,1248],{"data":1239,"marks":1240,"value":29,"nodeType":248},{},[],{"data":1242,"content":1243,"nodeType":259},{"uri":303},[1244],{"data":1245,"marks":1246,"value":309,"nodeType":248},{},[1247],{"type":257},{"data":1249,"marks":1250,"value":29,"nodeType":248},{},[],{"data":1252,"content":1253,"nodeType":313},{},[1254],{"data":1255,"content":1256,"nodeType":281},{},[1257,1260,1267],{"data":1258,"marks":1259,"value":29,"nodeType":248},{},[],{"data":1261,"content":1262,"nodeType":259},{"uri":325},[1263],{"data":1264,"marks":1265,"value":331,"nodeType":248},{},[1266],{"type":257},{"data":1268,"marks":1269,"value":29,"nodeType":248},{},[],{"data":1271,"content":1272,"nodeType":313},{},[1273],{"data":1274,"content":1275,"nodeType":281},{},[1276,1279,1288],{"data":1277,"marks":1278,"value":29,"nodeType":248},{},[],{"data":1280,"content":1282,"nodeType":259},{"uri":1281},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/system_integrations/description.md",[1283],{"data":1284,"marks":1285,"value":1287,"nodeType":248},{},[1286],{"type":257},"SAT1036 - OAuth system integrations ",{"data":1289,"marks":1290,"value":29,"nodeType":248},{},[],{"data":1292,"content":1293,"nodeType":313},{},[1294],{"data":1295,"content":1296,"nodeType":281},{},[1297,1300,1309],{"data":1298,"marks":1299,"value":29,"nodeType":248},{},[],{"data":1301,"content":1303,"nodeType":259},{"uri":1302},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/shadow_workflows/description.md",[1304],{"data":1305,"marks":1306,"value":1308,"nodeType":248},{},[1307],{"type":257},"SAT1033 - Shadow workflows",{"data":1310,"marks":1311,"value":29,"nodeType":248},{},[],{"data":1313,"content":1314,"nodeType":371},{},[1315],{"data":1316,"marks":1317,"value":370,"nodeType":248},{},[],{"data":1319,"content":1320,"nodeType":281},{},[1321,1327,1336],{"data":1322,"marks":1323,"value":1326,"nodeType":248},{},[1324],{"type":1325},"italic","If you’ve just read the ",{"data":1328,"content":1331,"nodeType":277},{"target":1329},{"sys":1330},{"id":1211,"type":269,"linkType":270},[1332],{"data":1333,"marks":1334,"value":1217,"nodeType":248},{},[1335],{"type":1325},{"data":1337,"marks":1338,"value":1340,"nodeType":248},{},[1339],{"type":1325},", you can skip this introductory piece and jump straight to the next section.",{"data":1342,"content":1343,"nodeType":281},{},[1344],{"data":1345,"marks":1346,"value":378,"nodeType":248},{},[],{"data":1348,"content":1349,"nodeType":281},{},[1350],{"data":1351,"marks":1352,"value":385,"nodeType":248},{},[],{"data":1354,"content":1355,"nodeType":281},{},[1356],{"data":1357,"marks":1358,"value":392,"nodeType":248},{},[],{"data":1360,"content":1361,"nodeType":281},{},[1362],{"data":1363,"marks":1364,"value":399,"nodeType":248},{},[],{"data":1366,"content":1367,"nodeType":335},{},[1368,1377,1386],{"data":1369,"content":1370,"nodeType":313},{},[1371],{"data":1372,"content":1373,"nodeType":281},{},[1374],{"data":1375,"marks":1376,"value":412,"nodeType":248},{},[],{"data":1378,"content":1379,"nodeType":313},{},[1380],{"data":1381,"content":1382,"nodeType":281},{},[1383],{"data":1384,"marks":1385,"value":422,"nodeType":248},{},[],{"data":1387,"content":1388,"nodeType":313},{},[1389],{"data":1390,"content":1391,"nodeType":281},{},[1392],{"data":1393,"marks":1394,"value":432,"nodeType":248},{},[],{"data":1396,"content":1397,"nodeType":281},{},[1398],{"data":1399,"marks":1400,"value":439,"nodeType":248},{},[],{"data":1402,"content":1403,"nodeType":281},{},[1404,1407,1414,1417,1424,1427,1434],{"data":1405,"marks":1406,"value":446,"nodeType":248},{},[],{"data":1408,"content":1409,"nodeType":259},{"uri":449},[1410],{"data":1411,"marks":1412,"value":455,"nodeType":248},{},[1413],{"type":257},{"data":1415,"marks":1416,"value":459,"nodeType":248},{},[],{"data":1418,"content":1419,"nodeType":259},{"uri":462},[1420],{"data":1421,"marks":1422,"value":468,"nodeType":248},{},[1423],{"type":257},{"data":1425,"marks":1426,"value":472,"nodeType":248},{},[],{"data":1428,"content":1429,"nodeType":259},{"uri":475},[1430],{"data":1431,"marks":1432,"value":481,"nodeType":248},{},[1433],{"type":257},{"data":1435,"marks":1436,"value":485,"nodeType":248},{},[],{"data":1438,"content":1439,"nodeType":281},{},[1440],{"data":1441,"marks":1442,"value":492,"nodeType":248},{},[],{"data":1444,"content":1447,"nodeType":499},{"target":1445},{"sys":1446},{"id":497,"type":269,"linkType":270},[],{"data":1449,"content":1450,"nodeType":371},{},[1451],{"data":1452,"marks":1453,"value":1454,"nodeType":248},{},[],"Slack apps - spoofing and persistence",{"data":1456,"content":1457,"nodeType":281},{},[1458,1461,1470],{"data":1459,"marks":1460,"value":349,"nodeType":248},{},[],{"data":1462,"content":1465,"nodeType":277},{"target":1463},{"sys":1464},{"id":1211,"type":269,"linkType":270},[1466],{"data":1467,"marks":1468,"value":1217,"nodeType":248},{},[1469],{"type":257},{"data":1471,"marks":1472,"value":1473,"nodeType":248},{},[],", we covered user spoofing and link preview spoofing attacks that can be conducted externally. But do we have any other options available once on the inside that wouldn’t be available to us externally? ",{"data":1475,"content":1476,"nodeType":281},{},[1477],{"data":1478,"marks":1479,"value":1480,"nodeType":248},{},[],"What happens if you compromise a Slack account and then want to persist and/or move laterally? Ordinarily, you can maintain access until session expiry or a password change is forced or the account is deactivated/deleted. For further actual impact, you could silently read messages as the user continues to operate their account but if you start sending out malicious links to other targets, in an attempt to move laterally, then the real user is probably going to become aware of the compromise very quickly from seeing the malicious messages in their own chat client.",{"data":1482,"content":1483,"nodeType":281},{},[1484],{"data":1485,"marks":1486,"value":1487,"nodeType":248},{},[],"Alternatively, what happens in a situation where a disgruntled employee is let go and their account is terminated? Could they maintain some level of access and use it maliciously?",{"data":1489,"content":1490,"nodeType":281},{},[1491,1495,1504],{"data":1492,"marks":1493,"value":1494,"nodeType":248},{},[],"One key feature that some IM apps like Slack have is app integrations to allow bots and other functionality, usually using OAuth under the hood. This allows very useful functionality for users, but also opens up a whole new angle for persistence and spoofing. In Slack’s case, its separation of ",{"data":1496,"content":1498,"nodeType":259},{"uri":1497},"https://api.slack.com/authentication/token-types",[1499],{"data":1500,"marks":1501,"value":1503,"nodeType":248},{},[1502],{"type":257},"user tokens and bot tokens",{"data":1505,"marks":1506,"value":1507,"nodeType":248},{},[]," allows for particularly interesting spoofing and persistence capabilities, which we’ll come to later.",{"data":1509,"content":1510,"nodeType":281},{},[1511,1515,1526],{"data":1512,"marks":1513,"value":1514,"nodeType":248},{},[],"We could probably write several posts on OAuth apps alone. In fact, we’ve written about ",{"data":1516,"content":1520,"nodeType":277},{"target":1517},{"sys":1518},{"id":1519,"type":269,"linkType":270},"3QpljiYU9YHEUhd5gsvypj",[1521],{"data":1522,"marks":1523,"value":1525,"nodeType":248},{},[1524],{"type":257},"using OAuth for persistence",{"data":1527,"marks":1528,"value":1529,"nodeType":248},{},[]," more generally before. However, in this case we are going to focus on a couple examples of using a legitimate Slack app maliciously. ",{"data":1531,"content":1532,"nodeType":281},{},[1533,1537,1547],{"data":1534,"marks":1535,"value":1536,"nodeType":248},{},[],"In a previous blog post in this series, we spoke about ",{"data":1538,"content":1541,"nodeType":277},{"target":1539},{"sys":1540},{"id":268,"type":269,"linkType":270},[1542],{"data":1543,"marks":1544,"value":1546,"nodeType":248},{},[1545],{"type":257},"shadow workflows",{"data":1548,"marks":1549,"value":1550,"nodeType":248},{},[]," using SaaS automation apps. We’re going to follow this theme again here and show how they can also be used with Slack. Previously, we used Zapier as our automation app example, but this time we are going to use make.com. ",{"data":1552,"content":1553,"nodeType":528},{},[1554],{"data":1555,"marks":1556,"value":1557,"nodeType":248},{},[],"Persistent spoofing",{"data":1559,"content":1560,"nodeType":281},{},[1561],{"data":1562,"marks":1563,"value":1564,"nodeType":248},{},[],"We’ll show here how you can connect make.com to a Slack account you control and then maintain persistence, both as that user and partial access even if the account is deactivated or deleted, by using bot tokens. This is especially important in a disgruntled employee scenario as they could use this to maintain some level of access to Slack even if they were fired and had their account deleted. ",{"data":1566,"content":1567,"nodeType":281},{},[1568],{"data":1569,"marks":1570,"value":1571,"nodeType":248},{},[],"If we create a make.com account and click to create a new scenario, we can select Slack from the long list of integration possibilities. We’ll then be prompted to pick a specific Slack module. In more complicated scenarios, these can be chained together to take actions on events, but in this case we are going to create a simple scenario with just one module used to send a custom Slack message.",{"data":1573,"content":1577,"nodeType":499},{"target":1574},{"sys":1575},{"id":1576,"type":269,"linkType":270},"2k6NeCNERIL4zx3FtTD97p",[],{"data":1579,"content":1580,"nodeType":281},{},[1581],{"data":1582,"marks":1583,"value":1584,"nodeType":248},{},[],"If we select the module “Create a Message” we’ll be prompted to select a Slack connection to use and then fill out the other details for the module. Since we haven’t already created a Slack connection, we’ll be prompted to create a new one. For this module, we have the option of creating either a user token or a bot token. ",{"data":1586,"content":1587,"nodeType":281},{},[1588],{"data":1589,"marks":1590,"value":1591,"nodeType":248},{},[],"A user token has full capabilities and will continue to operate in the event of a password change. However, if the user account is deactivated or deleted then it will cease to work. In contrast, the bot connection is limited in capabilities compared to a full user token, but the advantage is that it will continue to operate even if the user account is deactivated or deleted.",{"data":1593,"content":1594,"nodeType":281},{},[1595],{"data":1596,"marks":1597,"value":1598,"nodeType":248},{},[],"This means gaining even temporary control of a Slack account, either through a user compromise or by being a disgruntled employee (or fired employee), could enable the permanent ability to spoof messages unless the entire app is revoked from Slack. Even with the high bar set by shadow workflows, that’s a pretty epic level of persistence!\n\nSo, we’re going to select the bot token for this example:",{"data":1600,"content":1604,"nodeType":499},{"target":1601},{"sys":1602},{"id":1603,"type":269,"linkType":270},"2Hx4QLlhLoXxoAVN7R72Tm",[],{"data":1606,"content":1610,"nodeType":499},{"target":1607},{"sys":1608},{"id":1609,"type":269,"linkType":270},"6oSc2GzeZh5vUhyKC8viMn",[],{"data":1612,"content":1613,"nodeType":281},{},[1614,1618,1627],{"data":1615,"marks":1616,"value":1617,"nodeType":248},{},[],"Now that we’ve finished setting up the bot connection, we can configure the specifics for the module itself. In this case, we’ll demonstrate using it to send the same type of spoofed message we covered in the ",{"data":1619,"content":1622,"nodeType":277},{"target":1620},{"sys":1621},{"id":1211,"type":269,"linkType":270},[1623],{"data":1624,"marks":1625,"value":1217,"nodeType":248},{},[1626],{"type":257},{"data":1628,"marks":1629,"value":1630,"nodeType":248},{},[],", only it’ll be from a bot account. ",{"data":1632,"content":1633,"nodeType":281},{},[1634],{"data":1635,"marks":1636,"value":1637,"nodeType":248},{},[],"By default, it’ll use the name and icon of the Slack app, in this case Integromat (Make.com’s former name). Alternatively, we can choose to override this, which we will do in this case to mirror the user spoofing attacks we covered earlier. The only difference to a normal user message is there will be a small “APP” icon after the user. ",{"data":1639,"content":1643,"nodeType":499},{"target":1640},{"sys":1641},{"id":1642,"type":269,"linkType":270},"44kvbP0IYSIrp5anRtuVhN",[],{"data":1645,"content":1649,"nodeType":499},{"target":1646},{"sys":1647},{"id":1648,"type":269,"linkType":270},"225FeHRut5kzTuX1n0NDLt",[],{"data":1651,"content":1655,"nodeType":499},{"target":1652},{"sys":1653},{"id":1654,"type":269,"linkType":270},"1c5AcrsoegPrNwrXtdCCaJ",[],{"data":1657,"content":1658,"nodeType":281},{},[1659],{"data":1660,"marks":1661,"value":1662,"nodeType":248},{},[],"The other great advantage with this is that it’s difficult to see which user is actually responsible for the spoofing. If a compromised user account is used to send spoofed messages, not only may the real employee see the messages and alert security, but if the messages are investigated by a target or the security team, it’s quick to click on the user and see the real email address associated with the account. ",{"data":1664,"content":1665,"nodeType":281},{},[1666,1670,1675],{"data":1667,"marks":1668,"value":1669,"nodeType":248},{},[],"However, when it’s done with a bot token for an app, ",{"data":1671,"marks":1672,"value":1674,"nodeType":248},{},[1673],{"type":1325},"you can only see the Slack app that was responsible, not the actual user account it originated from",{"data":1676,"marks":1677,"value":1678,"nodeType":248},{},[],":",{"data":1680,"content":1684,"nodeType":499},{"target":1681},{"sys":1682},{"id":1683,"type":269,"linkType":270},"62F3HPZdrQqBrUDV47pjjL",[],{"data":1686,"content":1690,"nodeType":499},{"target":1687},{"sys":1688},{"id":1689,"type":269,"linkType":270},"7A8Run1271YslWTHNBqhc",[],{"data":1692,"content":1693,"nodeType":528},{},[1694],{"data":1695,"marks":1696,"value":1697,"nodeType":248},{},[],"Automated phishing replies",{"data":1699,"content":1700,"nodeType":281},{},[1701],{"data":1702,"marks":1703,"value":1704,"nodeType":248},{},[],"Ok, so we’ve just seen how you can internally spoof a message via a Slack app in a way that’s harder to track back to the original compromised user account and also achieve persistence at the same time. Pretty neat! But can we do more?",{"data":1706,"content":1707,"nodeType":281},{},[1708],{"data":1709,"marks":1710,"value":1711,"nodeType":248},{},[],"One of the great features of IM apps is the fact they are…well…instant! By making a slightly more sophisticated scenario with make.com, we can monitor public channels for messages that meet certain criteria and then immediately spoof a target phishing link as a reply. Phishing where the target is the one to reach out originally is much more likely to be successful as it’s more like a watering hole attack - the phishing message itself won’t be seen as unsolicited.",{"data":1713,"content":1714,"nodeType":281},{},[1715],{"data":1716,"marks":1717,"value":1718,"nodeType":248},{},[],"For example, let’s consider a scenario where someone has forgotten their password, or some other common IT support request, and they raise a question on a Slack channel about it. We could monitor for that and automatically respond. ",{"data":1720,"content":1721,"nodeType":281},{},[1722],{"data":1723,"marks":1724,"value":1725,"nodeType":248},{},[],"One caveat here is make.com requires we use a user token for the message monitoring part and therefore this attack couldn’t survive a deactivated/deleted Slack user account. However, it will still survive password changes and so is still a useful persistence option too. Additionally, the bot token can still be used for the message sending component in order to mask the source of the attack as above. ",{"data":1727,"content":1731,"nodeType":499},{"target":1728},{"sys":1729},{"id":1730,"type":269,"linkType":270},"4AdugwjwhzK5gdxojpqDwn",[],{"data":1733,"content":1734,"nodeType":281},{},[1735],{"data":1736,"marks":1737,"value":1738,"nodeType":248},{},[],"In this case, we have configured a Slack module to watch public channel messages using a user token and apply a filter on those containing the words “password” and “reset”. If that is the case, we then trigger a spoofed threaded reply using the bot token and impersonating an “IT bot” and giving a link to documentation for how to perform a self-service password request. ",{"data":1740,"content":1741,"nodeType":281},{},[1742,1746,1754],{"data":1743,"marks":1744,"value":1745,"nodeType":248},{},[],"This makes use of the same link preview spoofing techniques we covered in the ",{"data":1747,"content":1750,"nodeType":277},{"target":1748},{"sys":1749},{"id":1211,"type":269,"linkType":270},[1751],{"data":1752,"marks":1753,"value":1217,"nodeType":248},{},[],{"data":1755,"marks":1756,"value":1757,"nodeType":248},{},[]," and the actual link will present a fake Google login page to harvest credentials.  ",{"data":1759,"content":1763,"nodeType":499},{"target":1760},{"sys":1761},{"id":1762,"type":269,"linkType":270},"6BuFqoDtaUGpz48ANXRDJu",[],{"data":1765,"content":1766,"nodeType":281},{},[1767],{"data":1768,"marks":1769,"value":1770,"nodeType":248},{},[],"Here’s a quick video demonstrating this combination of user spoofing, link preview spoofing and a shadow workflow in action:",{"data":1772,"content":1776,"nodeType":499},{"target":1773},{"sys":1774},{"id":1775,"type":269,"linkType":270},"2PYOjiz7DIRKqdYuushsqB",[],{"data":1778,"content":1779,"nodeType":281},{},[1780],{"data":1781,"marks":1782,"value":1783,"nodeType":248},{},[],"To summarize, heres a diagram to show how this all fits together:",{"data":1785,"content":1789,"nodeType":499},{"target":1786},{"sys":1787},{"id":1788,"type":269,"linkType":270},"6BsctEd635MRwcuzpOhx1V",[],{"data":1791,"content":1792,"nodeType":528},{},[1793],{"data":1794,"marks":1795,"value":1796,"nodeType":248},{},[],"Multi-party spoofing",{"data":1798,"content":1799,"nodeType":281},{},[1800],{"data":1801,"marks":1802,"value":1803,"nodeType":248},{},[],"Another great possibility provided from using Slack apps and bot tokens for spoofing is the ability to spoof inline with existing communications as multiple parties. Ordinarily, if a Slack user kept changing their name, handle and photo for spoofing internally, Slack would change all existing messages to the latest profile data every time. That makes it hard to spoof multiple identities in short time windows and so an attacker could only really spoof one person at a time. However, with Slack apps you can inject messages as different people at different points of a conversation using bot tokens.",{"data":1805,"content":1806,"nodeType":281},{},[1807],{"data":1808,"marks":1809,"value":1810,"nodeType":248},{},[],"Consider the following example, where I’m using my own internal account to message the CFO about paying a malicious invoice that I have hypothetically raised. Perhaps they then indicate approval is needed from another party, in this case the CEO. Similarly, this might be a common process for access requests requiring manager approval and many other business processes. ",{"data":1812,"content":1813,"nodeType":281},{},[1814],{"data":1815,"marks":1816,"value":1817,"nodeType":248},{},[],"In this case, I’m able to quickly spoof a message as another user to act as the approval in a manner that is pretty sneaky. The only giveaway at first glance is the “APP” tag after the spoofed message.",{"data":1819,"content":1823,"nodeType":499},{"target":1820},{"sys":1821},{"id":1822,"type":269,"linkType":270},"0Qrre7ZeVsFu1usSSyNS8",[],{"data":1825,"content":1826,"nodeType":281},{},[1827],{"data":1828,"marks":1829,"value":1830,"nodeType":248},{},[],"This is just one example but the ability to spoof multiple identities simultaneously from just one compromised account on what is usually seen as a trusted internal communications system really opens up a ton of possibilities for social engineering attacks focused on lateral movement. ",{"data":1832,"content":1835,"nodeType":499},{"target":1833},{"sys":1834},{"id":1020,"type":269,"linkType":270},[],{"data":1837,"content":1838,"nodeType":371},{},[1839],{"data":1840,"marks":1841,"value":911,"nodeType":248},{},[],{"data":1843,"content":1844,"nodeType":281},{},[1845],{"data":1846,"marks":1847,"value":1848,"nodeType":248},{},[],"After two whole posts on attacking Slack, covering both external attacks during the initial access phase and internal attacks in the persistence and lateral movement phases, we’ve covered a serious amount of ground! ",{"data":1850,"content":1851,"nodeType":281},{},[1852],{"data":1853,"marks":1854,"value":1855,"nodeType":248},{},[],"It’s worth taking a step back and considering the key impact points:",{"data":1857,"content":1858,"nodeType":335},{},[1859,1868,1877,1886,1895,1928],{"data":1860,"content":1861,"nodeType":313},{},[1862],{"data":1863,"content":1864,"nodeType":281},{},[1865],{"data":1866,"marks":1867,"value":931,"nodeType":248},{},[],{"data":1869,"content":1870,"nodeType":313},{},[1871],{"data":1872,"content":1873,"nodeType":281},{},[1874],{"data":1875,"marks":1876,"value":941,"nodeType":248},{},[],{"data":1878,"content":1879,"nodeType":313},{},[1880],{"data":1881,"content":1882,"nodeType":281},{},[1883],{"data":1884,"marks":1885,"value":951,"nodeType":248},{},[],{"data":1887,"content":1888,"nodeType":313},{},[1889],{"data":1890,"content":1891,"nodeType":281},{},[1892],{"data":1893,"marks":1894,"value":961,"nodeType":248},{},[],{"data":1896,"content":1897,"nodeType":313},{},[1898,1905],{"data":1899,"content":1900,"nodeType":281},{},[1901],{"data":1902,"marks":1903,"value":1904,"nodeType":248},{},[],"Slack apps, and especially bot tokens, can be used for very effective persistence techniques. Some examples:",{"data":1906,"content":1907,"nodeType":335},{},[1908,1918],{"data":1909,"content":1910,"nodeType":313},{},[1911],{"data":1912,"content":1913,"nodeType":281},{},[1914],{"data":1915,"marks":1916,"value":1917,"nodeType":248},{},[],"It’s possible to read all messages even after a compromised user changes their password",{"data":1919,"content":1920,"nodeType":313},{},[1921],{"data":1922,"content":1923,"nodeType":281},{},[1924],{"data":1925,"marks":1926,"value":1927,"nodeType":248},{},[],"It’s possible to send (and spoof) messages even if the compromised user account is deleted (e.g. a disgruntled employee who is fired)",{"data":1929,"content":1930,"nodeType":313},{},[1931,1938],{"data":1932,"content":1933,"nodeType":281},{},[1934],{"data":1935,"marks":1936,"value":1937,"nodeType":248},{},[],"Slack apps and shadow workflows can be used to conduct some fairly advanced social engineering attacks once an attack has a foothold on a Slack tenant. Some examples:",{"data":1939,"content":1940,"nodeType":335},{},[1941,1951],{"data":1942,"content":1943,"nodeType":313},{},[1944],{"data":1945,"content":1946,"nodeType":281},{},[1947],{"data":1948,"marks":1949,"value":1950,"nodeType":248},{},[],"Automatically phishing employees in response to common IT support questions",{"data":1952,"content":1953,"nodeType":313},{},[1954],{"data":1955,"content":1956,"nodeType":281},{},[1957],{"data":1958,"marks":1959,"value":1960,"nodeType":248},{},[],"Multi-party spoofing for advanced social engineering",{"data":1962,"content":1963,"nodeType":371},{},[1964],{"data":1965,"marks":1966,"value":968,"nodeType":248},{},[],{"data":1968,"content":1969,"nodeType":281},{},[1970],{"data":1971,"marks":1972,"value":975,"nodeType":248},{},[],{"data":1974,"content":1975,"nodeType":281},{},[1976],{"data":1977,"marks":1978,"value":1979,"nodeType":248},{},[],"This also means organizations reliant on traditional email security gateways and email-based phishing training are likely to see the effectiveness of these controls decrease if attacks shift to the IM apps. ",{"data":1981,"content":1982,"nodeType":281},{},[1983],{"data":1984,"marks":1985,"value":1986,"nodeType":248},{},[],"In this article, we highlighted a number of spoofing, phishing and persistence techniques that can be employed by an attacker with a foothold that has compromised an internal account on a Slack tenant in order to persist their access and perform lateral movement. In the previous article, we covered spoofing and phishing techniques that could be used by external attackers in the initial access phase to get that first foothold in the first place.",{"data":1988,"content":1989,"nodeType":281},{},[1990],{"data":1991,"marks":1992,"value":996,"nodeType":248},{},[],"In this post, we're going to demonstrate how to phish via Slack to gain persistence and move laterally. ",{"items":1995},[1996,2000],{"sys":1997,"name":1999},{"id":1998},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2001,"name":2003},{"id":2002},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":2005},[2006],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2007},{"url":236},{"__typename":1035,"sys":2009,"content":2010,"title":1036,"synopsis":2018,"hashTags":62,"publishedDate":2895,"slug":1037,"tagsCollection":2896,"authorsCollection":2904},{"id":268},{"json":2011},{"nodeType":1028,"data":2012,"content":2013},{},[2014,2021,2028,2060,2067,2074,2093,2100,2107,2114,2144,2151,2158,2174,2181,2188,2222,2229,2236,2243,2250,2257,2263,2270,2277,2284,2292,2299,2319,2326,2333,2340,2347,2354,2361,2368,2375,2382,2388,2395,2415,2422,2441,2447,2453,2459,2466,2473,2480,2486,2492,2499,2506,2513,2520,2527,2533,2553,2573,2580,2586,2592,2599,2606,2613,2620,2643,2649,2655,2662,2669,2676,2688,2694,2701,2707,2713,2720,2727,2734,2740,2746,2752,2759,2875,2881,2888],{"nodeType":281,"data":2015,"content":2016},{},[2017],{"nodeType":248,"value":2018,"marks":2019,"data":2020},"In this article, we’re going to demonstrate how combining two of our favorite new SaaS attack techniques makes a simple, but very stealthy persistence approach.",[],{},{"nodeType":281,"data":2022,"content":2023},{},[2024],{"nodeType":248,"value":2025,"marks":2026,"data":2027},"—----",[],{},{"nodeType":281,"data":2029,"content":2030},{},[2031,2035,2042,2045,2056],{"nodeType":248,"value":2032,"marks":2033,"data":2034},"This is the second post in a series on attack chains formed by combining techniques in the ",[],{},{"nodeType":259,"data":2036,"content":2037},{"uri":251},[2038],{"nodeType":248,"value":258,"marks":2039,"data":2041},[2040],{"type":257},{},{"nodeType":248,"value":263,"marks":2043,"data":2044},[],{},{"nodeType":277,"data":2046,"content":2050},{"target":2047},{"sys":2048},{"id":2049,"type":269,"linkType":270},"3F96pyn4qqkbVctSOH69vm",[2051],{"nodeType":248,"value":2052,"marks":2053,"data":2055},"SAMLjacking a poisoned tenant",[2054],{"type":257},{},{"nodeType":248,"value":2057,"marks":2058,"data":2059},". ",[],{},{"nodeType":281,"data":2061,"content":2062},{},[2063],{"nodeType":248,"value":2064,"marks":2065,"data":2066},"This time we’ll be looking at combining shadow workflows with an evil twin integration for an especially sneaky and flexible method of persistence. We’ll be using Zapier integrating with Azure as our primary example. ",[],{},{"nodeType":371,"data":2068,"content":2069},{},[2070],{"nodeType":248,"value":2071,"marks":2072,"data":2073},"What is a shadow workflow?",[],{},{"nodeType":281,"data":2075,"content":2076},{},[2077,2081,2089],{"nodeType":248,"value":2078,"marks":2079,"data":2080},"A ",[],{},{"nodeType":259,"data":2082,"content":2083},{"uri":1302},[2084],{"nodeType":248,"value":2085,"marks":2086,"data":2088},"shadow workflow ",[2087],{"type":257},{},{"nodeType":248,"value":2090,"marks":2091,"data":2092},"is a technique for using SaaS automation apps to provide a code execution-like method for conducting malicious actions from a legitimate source using OAuth integrations. This could be a daily export of files from shared cloud drives, automatic forwarding and deleting of emails, cloning instant messages, exporting user directories — basically anything that is possible using the target app’s API. ",[],{},{"nodeType":281,"data":2094,"content":2095},{},[2096],{"nodeType":248,"value":2097,"marks":2098,"data":2099},"The fact automation apps utilize OAuth integrations means they also function as a very effective method of maintaining persistence. Think of shadow workflows as the offensive PowerShell of the SaaS world. ",[],{},{"nodeType":371,"data":2101,"content":2102},{},[2103],{"nodeType":248,"value":2104,"marks":2105,"data":2106},"What’s an evil twin integration?",[],{},{"nodeType":281,"data":2108,"content":2109},{},[2110],{"nodeType":248,"value":2111,"marks":2112,"data":2113},"Creating a new OAuth integration, even if using a legitimate SaaS application, could be viewed as suspicious if seen by a security team or the affected user. This is especially true if an account compromise is discovered and an IR team sees a consent for a new OAuth integration in the log that the compromised user does not recognize. ",[],{},{"nodeType":281,"data":2115,"content":2116},{},[2117,2121,2130,2134,2140],{"nodeType":248,"value":2118,"marks":2119,"data":2120},"An ",[],{},{"nodeType":259,"data":2122,"content":2124},{"uri":2123},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",[2125],{"nodeType":248,"value":2126,"marks":2127,"data":2129},"evil twin integration",[2128],{"type":257},{},{"nodeType":248,"value":2131,"marks":2132,"data":2133},", however, reduces the chances of discovery by reusing an existing ",[],{},{"nodeType":248,"value":2135,"marks":2136,"data":2139},"legitimate",[2137,2138],{"type":1325},{"type":790},{},{"nodeType":248,"value":2141,"marks":2142,"data":2143}," integration for malicious purposes.",[],{},{"nodeType":371,"data":2145,"content":2146},{},[2147],{"nodeType":248,"value":2148,"marks":2149,"data":2150},"What’s the benefit of combining them?",[],{},{"nodeType":281,"data":2152,"content":2153},{},[2154],{"nodeType":248,"value":2155,"marks":2156,"data":2157},"While shadow workflows are incredibly powerful on their own, as malicious use of OAuth integrations becomes more common, security teams will start regularly checking for new, or unknown, integrations in response to security incidents. While automation apps are legitimate SaaS services, shadow workflow attacks could still raise question marks during incident response if it’s connected shortly after a compromise and/or if the affected user has no knowledge of it. ",[],{},{"nodeType":281,"data":2159,"content":2160},{},[2161,2165,2170],{"nodeType":248,"value":2162,"marks":2163,"data":2164},"Additionally, as use of security tools that ",[],{},{"nodeType":248,"value":2166,"marks":2167,"data":2169},"provide visibility of OAuth integrations",[2168],{"type":257},{},{"nodeType":248,"value":2171,"marks":2172,"data":2173}," (check out our product) increases, it will become increasingly dangerous for an adversary to create a new OAuth integration. That’s because the target user and possibly even security teams may be notified.",[],{},{"nodeType":281,"data":2175,"content":2176},{},[2177],{"nodeType":248,"value":2178,"marks":2179,"data":2180},"This leads us on to evil twin integrations. Their power is in making use of existing integrations so they can avoid appearing as a new integration and getting flagged or sending alerts to security teams. That makes them much stealthier and increases the likelihood of a successful attack. ",[],{},{"nodeType":281,"data":2182,"content":2183},{},[2184],{"nodeType":248,"value":2185,"marks":2186,"data":2187},"There are three possibilities here that lead to two different levels of stealth for the attack:",[],{},{"nodeType":2189,"data":2190,"content":2191},"ordered-list",{},[2192,2202,2212],{"nodeType":313,"data":2193,"content":2194},{},[2195],{"nodeType":281,"data":2196,"content":2197},{},[2198],{"nodeType":248,"value":2199,"marks":2200,"data":2201},"Medium stealth option: Making use of an automation app used legitimately by the organization, but not by the target user, specifically",[],{},{"nodeType":313,"data":2203,"content":2204},{},[2205],{"nodeType":281,"data":2206,"content":2207},{},[2208],{"nodeType":248,"value":2209,"marks":2210,"data":2211},"High stealth option 1: Making use of an automation app used legitimately by the target user themselves",[],{},{"nodeType":313,"data":2213,"content":2214},{},[2215],{"nodeType":281,"data":2216,"content":2217},{},[2218],{"nodeType":248,"value":2219,"marks":2220,"data":2221},"High stealth option 2: Making use of an automation app that has been granted admin consent",[],{},{"nodeType":528,"data":2223,"content":2224},{},[2225],{"nodeType":248,"value":2226,"marks":2227,"data":2228},"Medium stealth option: Pre-existing use by organization",[],{},{"nodeType":281,"data":2230,"content":2231},{},[2232],{"nodeType":248,"value":2233,"marks":2234,"data":2235},"This option is by far the most likely option to be applicable in a real-world situation. Here’s how it works:",[],{},{"nodeType":281,"data":2237,"content":2238},{},[2239],{"nodeType":248,"value":2240,"marks":2241,"data":2242},"The consent for the targeted user will be new and will generate an audit event to show that, but the integration itself will not be new inside the organization and may even be formally approved by the security team already. This will help evade general detection mechanisms as it won’t be seen as a brand new integration at the organization level that requires careful scrutiny. It’s much harder to evaluate new consents on a per-user basis for existing integrations if the organization is of any significant size.",[],{},{"nodeType":281,"data":2244,"content":2245},{},[2246],{"nodeType":248,"value":2247,"marks":2248,"data":2249},"The downside, however, is that this attack stands a greater chance of detection if notifications are delivered directly to the affected user. Alternatively, if the original compromise is discovered, incident responders are more likely to discover this consent during an investigation. That’s because the affected user would know they aren’t using the automation app and incident responders are likely to explore logs showing consents to new OAuth integrations and permissions shortly after a successful compromise.",[],{},{"nodeType":281,"data":2251,"content":2252},{},[2253],{"nodeType":248,"value":2254,"marks":2255,"data":2256},"Using Azure as an example, while no new service principal is created in this case, the audit logs still show a new consent for the targeted user to the existing Zapier app: ",[],{},{"nodeType":499,"data":2258,"content":2262},{"target":2259},{"sys":2260},{"id":2261,"type":269,"linkType":270},"7m0E0sOulc348jhQguQLb1",[],{"nodeType":528,"data":2264,"content":2265},{},[2266],{"nodeType":248,"value":2267,"marks":2268,"data":2269},"High stealth option 1: Pre-existing use by targeted user",[],{},{"nodeType":281,"data":2271,"content":2272},{},[2273],{"nodeType":248,"value":2274,"marks":2275,"data":2276},"This is the holy grail option, but is likely to require more luck in the real world. It requires that the target user is already using an automation app, which the adversary could compromise and utilize. If the compromised user has already consented to permissions useful to the adversary, such as access to sensitive data like email and file stores, then new malicious workflows can be created without requiring the user to consent to new permissions. ",[],{},{"nodeType":281,"data":2278,"content":2279},{},[2280],{"nodeType":248,"value":2281,"marks":2282,"data":2283},"Consequently, there will be no new integration observed at the organization level, no new user-specific consents for sensitive permissions and the target user would indicate they’re just using a legitimate app if questioned by incident responders. ",[],{},{"nodeType":281,"data":2285,"content":2286},{},[2287],{"nodeType":248,"value":2288,"marks":2289,"data":2291},"None of the three audit log entries shown above would be present in this scenario either.",[2290],{"type":790},{},{"nodeType":528,"data":2293,"content":2294},{},[2295],{"nodeType":248,"value":2296,"marks":2297,"data":2298},"High stealth option 2: Azure admin consented app",[],{},{"nodeType":281,"data":2300,"content":2301},{},[2302,2306,2315],{"nodeType":248,"value":2303,"marks":2304,"data":2305},"There is a mixed scenario when permissions for an automation app (or any app you want to use for an evil twin integration) have been granted tenant-wide ",[],{},{"nodeType":259,"data":2307,"content":2309},{"uri":2308},"https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/user-admin-consent-overview#admin-consent",[2310],{"nodeType":248,"value":2311,"marks":2312,"data":2314},"admin consent in Azure",[2313],{"type":257},{},{"nodeType":248,"value":2316,"marks":2317,"data":2318},". In this case, the administrator has effectively consented to permissions for all users, even if they aren’t currently active users of the app. ",[],{},{"nodeType":281,"data":2320,"content":2321},{},[2322],{"nodeType":248,"value":2323,"marks":2324,"data":2325},"This means when a new user integrates the app, it does not generate a new permission grant since it is effectively already granted. Consequently, the three log entries shown above would not be present in this scenario even if integrating the app for a user that has never used it before.",[],{},{"nodeType":281,"data":2327,"content":2328},{},[2329],{"nodeType":248,"value":2330,"marks":2331,"data":2332},"This gives the best level of flexibility for an adversary as they can avoid generating new permission grant logs for any user. However, it's not quite as stealthy as when the targeted user already makes use of the app as there is no history of legitimate app logins or activity for the user prior to the compromise to blend in with.",[],{},{"nodeType":371,"data":2334,"content":2335},{},[2336],{"nodeType":248,"value":2337,"marks":2338,"data":2339},"An example attack - Zapier",[],{},{"nodeType":281,"data":2341,"content":2342},{},[2343],{"nodeType":248,"value":2344,"marks":2345,"data":2346},"In this case, we’re going to use Zapier as our automation app example and Azure as the primary target for integrations and there will be no admin consent involved. We’ll also be using Google Workspace for data exfiltration. There are many other examples we could have used here, though - Make.com, IFTTT, Retool, Tines, Microsoft Power Automate and many other SaaS apps have powerful automation and integration capabilities and could be used for similar purposes. ",[],{},{"nodeType":281,"data":2348,"content":2349},{},[2350],{"nodeType":248,"value":2351,"marks":2352,"data":2353},"Azure and Google Workspace are also obvious juicy targets for integrations, but automation apps support integrations with vast numbers of other SaaS applications,so there are many possible targets.",[],{},{"nodeType":281,"data":2355,"content":2356},{},[2357],{"nodeType":248,"value":2358,"marks":2359,"data":2360},"So, let’s say we’ve compromised a target user’s Azure account. Perhaps we have conducted a successful credential stuffing attack, a phishing attack including MFA code proxying or even achieved a traditional endpoint compromise and have stolen the user’s session tokens.",[],{},{"nodeType":281,"data":2362,"content":2363},{},[2364],{"nodeType":248,"value":2365,"marks":2366,"data":2367},"Whatever the case, we have temporary control of the user’s account, either until the session expires or the user changes their password. If the original compromise is detected, that could happen quickly, so we want to conduct some malicious actions to make use of the access while we have it and to also gain persistence so we maintain our access beyond a password change.",[],{},{"nodeType":281,"data":2369,"content":2370},{},[2371],{"nodeType":248,"value":2372,"marks":2373,"data":2374},"We want to use an automation app, but we’d prefer to be as stealthy as possible by also making it an evil twin integration. We’d like to see if the target user has existing integrations with any apps we’d like to use - especially an automation app for that high stealth option we mentioned above. ",[],{},{"nodeType":281,"data":2376,"content":2377},{},[2378],{"nodeType":248,"value":2379,"marks":2380,"data":2381},"We’ve created a video demo of the full attack below. A step by step write up with more detail then follows:",[],{},{"nodeType":499,"data":2383,"content":2387},{"target":2384},{"sys":2385},{"id":2386,"type":269,"linkType":270},"E1ZHBcjGLZAno0SRtJ3d3",[],{"nodeType":371,"data":2389,"content":2390},{},[2391],{"nodeType":248,"value":2392,"marks":2393,"data":2394},"Step 1 - Enumerating potential targets",[],{},{"nodeType":281,"data":2396,"content":2397},{},[2398,2402,2411],{"nodeType":248,"value":2399,"marks":2400,"data":2401},"We could perform something as simple as an email search for evidence of sign-ups, but that won’t necessarily show us if actual OAuth integrations have been configured and what permissions are in use. What we really need is a way to perform an ",[],{},{"nodeType":259,"data":2403,"content":2405},{"uri":2404},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/oauth_token_enumeration/description.md",[2406],{"nodeType":248,"value":2407,"marks":2408,"data":2410},"OAuth token enumeration",[2409],{"type":257},{},{"nodeType":248,"value":2412,"marks":2413,"data":2414}," attack.",[],{},{"nodeType":528,"data":2416,"content":2417},{},[2418],{"nodeType":248,"value":2419,"marks":2420,"data":2421},"The first method: myapps.microsoft.com",[],{},{"nodeType":281,"data":2423,"content":2424},{},[2425,2429,2437],{"nodeType":248,"value":2426,"marks":2427,"data":2428},"Make use of ",[],{},{"nodeType":259,"data":2430,"content":2432},{"uri":2431},"https://myapps.microsoft.com",[2433],{"nodeType":248,"value":2431,"marks":2434,"data":2436},[2435],{"type":257},{},{"nodeType":248,"value":2438,"marks":2439,"data":2440}," to see which apps are listed and which permissions have been granted. We can see Zapier is in use and the user has granted it access to their email and files, making it a great target.",[],{},{"nodeType":499,"data":2442,"content":2446},{"target":2443},{"sys":2444},{"id":2445,"type":269,"linkType":270},"6dDez7xRZjliEJR6DAkWHa",[],{"nodeType":499,"data":2448,"content":2452},{"target":2449},{"sys":2450},{"id":2451,"type":269,"linkType":270},"7M0imWv4n3z1RYQu3AdMF5",[],{"nodeType":499,"data":2454,"content":2458},{"target":2455},{"sys":2456},{"id":2457,"type":269,"linkType":270},"3fwFBK03tc5g064k0IyADO",[],{"nodeType":528,"data":2460,"content":2461},{},[2462],{"nodeType":248,"value":2463,"marks":2464,"data":2465},"The second method: Microsoft’s graph API",[],{},{"nodeType":281,"data":2467,"content":2468},{},[2469],{"nodeType":248,"value":2470,"marks":2471,"data":2472},"\nMicrosoft’s graph API doesn’t make it possible to list out service principals without admin permissions, but you can enumerate individual OAuth permission grants and app role assignments for your own user account. ",[],{},{"nodeType":281,"data":2474,"content":2475},{},[2476],{"nodeType":248,"value":2477,"marks":2478,"data":2479},"The client ID listed for permission grants is actually the tenant-specific service principal ID, rather than the globally unique OAuth app ID, but the app role assignments call gives us the app display name. We can match up the IDs from the app role assignments with the OAuth permission grants to see which permissions have been granted to the given app. ",[],{},{"nodeType":499,"data":2481,"content":2485},{"target":2482},{"sys":2483},{"id":2484,"type":269,"linkType":270},"519mlRMbaZYBAVdSADwop7",[],{"nodeType":499,"data":2487,"content":2491},{"target":2488},{"sys":2489},{"id":2490,"type":269,"linkType":270},"3g4WBQBEvqx5mXXnZzZzUG",[],{"nodeType":371,"data":2493,"content":2494},{},[2495],{"nodeType":248,"value":2496,"marks":2497,"data":2498},"Step 2 - Create shadow workflows",[],{},{"nodeType":281,"data":2500,"content":2501},{},[2502],{"nodeType":248,"value":2503,"marks":2504,"data":2505},"Ok, so we’ve figured out the user already makes use of Zapier and they’ve even already granted access to their email and files - that’s a juicy target we can’t turn down! So the next step is to create our own malicious workflows, or shadow workflows if you will, to get Zapier to do our dirty work for us.",[],{},{"nodeType":281,"data":2507,"content":2508},{},[2509],{"nodeType":248,"value":2510,"marks":2511,"data":2512},"First of all, we’ll see if we can scope out the user’s existing Zapier account to better understand the setup. Then we’ll create a new Zapier account and link it to the target user’s account that we’ve compromised. Here’s how that would work:",[],{},{"nodeType":528,"data":2514,"content":2515},{},[2516],{"nodeType":248,"value":2517,"marks":2518,"data":2519},"Scope out the existing Zapier account",[],{},{"nodeType":281,"data":2521,"content":2522},{},[2523],{"nodeType":248,"value":2524,"marks":2525,"data":2526},"If the user uses SSO or social logins then we can login directly and, since we now control their Azure account, we can just log directly into their Zapier account!",[],{},{"nodeType":499,"data":2528,"content":2532},{"target":2529},{"sys":2530},{"id":2531,"type":269,"linkType":270},"5IgmxUEm6n19OBL1cSZVkr",[],{"nodeType":281,"data":2534,"content":2535},{},[2536,2540,2549],{"nodeType":248,"value":2537,"marks":2538,"data":2539},"Alternatively, if they have created a standard password account, then we might already know the password if it’s the same used for their Azure account. Otherwise, we could potentially make use of an ",[],{},{"nodeType":259,"data":2541,"content":2543},{"uri":2542},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/account_recovery/description.md",[2544],{"nodeType":248,"value":2545,"marks":2546,"data":2548},"account recovery",[2547],{"type":257},{},{"nodeType":248,"value":2550,"marks":2551,"data":2552}," attack to gain access.",[],{},{"nodeType":281,"data":2554,"content":2555},{},[2556,2560,2569],{"nodeType":248,"value":2557,"marks":2558,"data":2559},"Once we have logged into their account, we can see their existing workflows and integrations. Technically, we could backdoor these or create new ones - a form of an ",[],{},{"nodeType":259,"data":2561,"content":2563},{"uri":2562},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/abuse_existing_oauth_integrations/description.md",[2564],{"nodeType":248,"value":2565,"marks":2566,"data":2568},"abuse existing OAuth integrations",[2567],{"type":257},{},{"nodeType":248,"value":2570,"marks":2571,"data":2572}," attack. However, that runs the risk of the user discovering our shadow workflows and also almost certainly being locked out of the account during the next password change. ",[],{},{"nodeType":281,"data":2574,"content":2575},{},[2576],{"nodeType":248,"value":2577,"marks":2578,"data":2579},"Instead, we can stick to an evil twin integration from our own Zapier account, which we’ll create later.",[],{},{"nodeType":499,"data":2581,"content":2585},{"target":2582},{"sys":2583},{"id":2584,"type":269,"linkType":270},"2vhyTcVLq27QVa2HFFWBhH",[],{"nodeType":499,"data":2587,"content":2591},{"target":2588},{"sys":2589},{"id":2590,"type":269,"linkType":270},"3jPSdBPSQgigA4yKK1udCV",[],{"nodeType":281,"data":2593,"content":2594},{},[2595],{"nodeType":248,"value":2596,"marks":2597,"data":2598},"Now we can see what the user was actually using Zapier for — they’ve set up an integration with both Outlook and OneDrive so they can forward emails related to their business expenses to a folder in their OneDrive. Probably a time-saving hack, which we can take advantage of since it won’t be unusual to see Zapier regularly accessing their Outlook and OneDrive. That means our attack will be extra stealthy.",[],{},{"nodeType":528,"data":2600,"content":2601},{},[2602],{"nodeType":248,"value":2603,"marks":2604,"data":2605},"Create our own malicious Zapier account",[],{},{"nodeType":281,"data":2607,"content":2608},{},[2609],{"nodeType":248,"value":2610,"marks":2611,"data":2612},"Given in this case we, at least temporarily, control the user’s Azure account there is nothing stopping us connecting this to our own malicious Zapier account completely separately from the user’s legitimate Zapier account. We then maintain full control over the Zapier account and the user will not be able to discover our shadow workflows as they won’t have any knowledge of our Zapier account: ",[],{},{"nodeType":281,"data":2614,"content":2615},{},[2616],{"nodeType":248,"value":2617,"marks":2618,"data":2619},"Let’s create our own shadow workflows:",[],{},{"nodeType":335,"data":2621,"content":2622},{},[2623,2633],{"nodeType":313,"data":2624,"content":2625},{},[2626],{"nodeType":281,"data":2627,"content":2628},{},[2629],{"nodeType":248,"value":2630,"marks":2631,"data":2632},"One that sends every new OneDrive file to our own separate Google Drive account. This allows us to maintain a complete view of the user’s files into the future. ",[],{},{"nodeType":313,"data":2634,"content":2635},{},[2636],{"nodeType":281,"data":2637,"content":2638},{},[2639],{"nodeType":248,"value":2640,"marks":2641,"data":2642},"And one to forward every new Outlook email to our own GMail account.",[],{},{"nodeType":499,"data":2644,"content":2648},{"target":2645},{"sys":2646},{"id":2647,"type":269,"linkType":270},"6eK8uNjPnkrfVjgFzl03SM",[],{"nodeType":499,"data":2650,"content":2654},{"target":2651},{"sys":2652},{"id":2653,"type":269,"linkType":270},"6xJvuS374tbflAoNmhnqYP",[],{"nodeType":281,"data":2656,"content":2657},{},[2658],{"nodeType":248,"value":2659,"marks":2660,"data":2661},"We can now see we are logged in with a separate GMail account, but have created shadow workflows to forward emails from the user’s Outlook to our GMail account and harvest files from their OneDrive to our Google Drive.",[],{},{"nodeType":281,"data":2663,"content":2664},{},[2665],{"nodeType":248,"value":2666,"marks":2667,"data":2668},"The major benefit of creating our own Zapier account for an evil twin integration is that once we are locked out of the target user’s account via a password change or otherwise, not only do our existing shadow workflows continue to operate via OAuth, but we are able to create new shadow workflows and reuse the existing OAuth connections. That’s the power of having full control of the Zapier account. ",[],{},{"nodeType":281,"data":2670,"content":2671},{},[2672],{"nodeType":248,"value":2673,"marks":2674,"data":2675},"One small downside to this approach is that creating the new OAuth integrations inside a new Zapier account generates an interactive login event for the Zapier integrations from the adversary’s IP address. This occurs due to creating integrations from the new Zapier account, but because the user has already consented to all the relevant permissions for Zapier’s own OAuth apps there are no audit logs for new consents or applications, just the login event itself. ",[],{},{"nodeType":281,"data":2677,"content":2678},{},[2679,2683],{"nodeType":248,"value":2680,"marks":2681,"data":2682},"However, determining that a successful login to an app a user legitimately uses is actually malicious in this case is obviously extremely difficult to build detection logic for.   ",[],{},{"nodeType":248,"value":2684,"marks":2685,"data":2687}," ",[2686],{"type":1325},{},{"nodeType":499,"data":2689,"content":2693},{"target":2690},{"sys":2691},{"id":2692,"type":269,"linkType":270},"1oZBtlL8rNl7TjmfJqRjUG",[],{"nodeType":281,"data":2695,"content":2696},{},[2697],{"nodeType":248,"value":2698,"marks":2699,"data":2700},"Beyond the initial login events, the only evidence of malicious activity in the future will be from the activity logs showing the actions conducted by our shadow workflows every time they are triggered to run. For example, the following screenshots show that the Zapier Todo app (ClientAppId 29246358-1970-4d6d-bc75-acf34edc758b) has been seen both uploading a file and downloading a file: \n",[],{},{"nodeType":499,"data":2702,"content":2706},{"target":2703},{"sys":2704},{"id":2705,"type":269,"linkType":270},"2vYOSilB5W05aIHw2ZKqdC",[],{"nodeType":499,"data":2708,"content":2712},{"target":2709},{"sys":2710},{"id":2711,"type":269,"linkType":270},"2fFwrdFO25BwY4vI7EKMA0",[],{"nodeType":281,"data":2714,"content":2715},{},[2716],{"nodeType":248,"value":2717,"marks":2718,"data":2719},"The file upload in this case relates to the legitimate workflow and the file download relates to the shadow workflow. The IP addresses relate to Zapier’s legitimate infrastructure so really only a very thorough and specific investigation is going to be able to uncover that one of these events is malicious.",[],{},{"nodeType":371,"data":2721,"content":2722},{},[2723],{"nodeType":248,"value":2724,"marks":2725,"data":2726},"Step 3 - Profit",[],{},{"nodeType":281,"data":2728,"content":2729},{},[2730],{"nodeType":248,"value":2731,"marks":2732,"data":2733},"Now we just need to sit back and let our shadow workflows do the work for us, 24/7 and from Zapier’s infrastructure via a legitimate OAuth integration. Here we can see files the user created in OneDrive and emails they received in Outlook mirrored to our own GMail and Google Drive via the magic of shadow workflows.",[],{},{"nodeType":499,"data":2735,"content":2739},{"target":2736},{"sys":2737},{"id":2738,"type":269,"linkType":270},"4lJBrdJLEVnhBUjgtGo8T1",[],{"nodeType":499,"data":2741,"content":2745},{"target":2742},{"sys":2743},{"id":2744,"type":269,"linkType":270},"azQ3IO0n4Idih5LDwOogV",[],{"nodeType":371,"data":2747,"content":2748},{},[2749],{"nodeType":248,"value":911,"marks":2750,"data":2751},[],{},{"nodeType":281,"data":2753,"content":2754},{},[2755],{"nodeType":248,"value":2756,"marks":2757,"data":2758},"Ok, we’ve covered a lot of ground here so it’s worth taking a step back and considering the key impact points of this attack chain:",[],{},{"nodeType":335,"data":2760,"content":2761},{},[2762,2772,2782,2792,2802,2855,2865],{"nodeType":313,"data":2763,"content":2764},{},[2765],{"nodeType":281,"data":2766,"content":2767},{},[2768],{"nodeType":248,"value":2769,"marks":2770,"data":2771},"An adversary who has gained (temporary) access to a user account that supports OAuth integrations can use shadow workflows to execute malicious actions and to maintain persistence",[],{},{"nodeType":313,"data":2773,"content":2774},{},[2775],{"nodeType":281,"data":2776,"content":2777},{},[2778],{"nodeType":248,"value":2779,"marks":2780,"data":2781},"This access will continue even if the user changes their password or resets MFA",[],{},{"nodeType":313,"data":2783,"content":2784},{},[2785],{"nodeType":281,"data":2786,"content":2787},{},[2788],{"nodeType":248,"value":2789,"marks":2790,"data":2791},"Not only do existing shadow workflows continue to work after password changes, an adversary can continue to create new ones and reuse the existing integrations.",[],{},{"nodeType":313,"data":2793,"content":2794},{},[2795],{"nodeType":281,"data":2796,"content":2797},{},[2798],{"nodeType":248,"value":2799,"marks":2800,"data":2801},"Any relevant logs will show access via legitimate IP addresses and OAuth integrations for SaaS automation apps ",[],{},{"nodeType":313,"data":2803,"content":2804},{},[2805,2812],{"nodeType":281,"data":2806,"content":2807},{},[2808],{"nodeType":248,"value":2809,"marks":2810,"data":2811},"Automation apps are so flexible that an adversary can do pretty much anything - it’s basically the offensive PowerShell of the SaaS world. Just some examples:",[],{},{"nodeType":335,"data":2813,"content":2814},{},[2815,2825,2835,2845],{"nodeType":313,"data":2816,"content":2817},{},[2818],{"nodeType":281,"data":2819,"content":2820},{},[2821],{"nodeType":248,"value":2822,"marks":2823,"data":2824},"Monitor all emails and files the user creates",[],{},{"nodeType":313,"data":2826,"content":2827},{},[2828],{"nodeType":281,"data":2829,"content":2830},{},[2831],{"nodeType":248,"value":2832,"marks":2833,"data":2834},"Delete email security alerts before the user sees them",[],{},{"nodeType":313,"data":2836,"content":2837},{},[2838],{"nodeType":281,"data":2839,"content":2840},{},[2841],{"nodeType":248,"value":2842,"marks":2843,"data":2844},"Intercept password reset and passwordless login emails to access other apps",[],{},{"nodeType":313,"data":2846,"content":2847},{},[2848],{"nodeType":281,"data":2849,"content":2850},{},[2851],{"nodeType":248,"value":2852,"marks":2853,"data":2854},"Monitor instant messaging apps and use it to send targeted internal social engineering emails",[],{},{"nodeType":313,"data":2856,"content":2857},{},[2858],{"nodeType":281,"data":2859,"content":2860},{},[2861],{"nodeType":248,"value":2862,"marks":2863,"data":2864},"If targeted users are already using automation apps legitimately, it’s even more stealthy - you won’t even see any new integrations or permission grants appear as the user will have already granted these legitimately.",[],{},{"nodeType":313,"data":2866,"content":2867},{},[2868],{"nodeType":281,"data":2869,"content":2870},{},[2871],{"nodeType":248,"value":2872,"marks":2873,"data":2874},"If admin consent has been granted to the automation app, any user can be targeted without generating new permission grant logs even if they have never used the app.",[],{},{"nodeType":371,"data":2876,"content":2877},{},[2878],{"nodeType":248,"value":968,"marks":2879,"data":2880},[],{},{"nodeType":281,"data":2882,"content":2883},{},[2884],{"nodeType":248,"value":2885,"marks":2886,"data":2887},"We have seen how two new SaaS-focused attack techniques can be combined into one more effective attack chain - in this case, a particularly nasty and stealthy persistence technique. This shows how even if a user compromise is detected very early, with password and MFA resets immediately issued, adversaries can maintain control over the account regardless.",[],{},{"nodeType":281,"data":2889,"content":2890},{},[2891],{"nodeType":248,"value":2892,"marks":2893,"data":2894},"This shows how even legitimate SaaS applications have incredibly powerful offensive use cases and very careful attention needs to be paid to integrations with highly sensitive permissions, even when they are approved and vetted applications. Incident response teams especially need to be well aware of these techniques when investigating potential user account compromises as persistence approaches can extend much further than endpoint implants and stolen passwords.",[],{},"2023-09-11T00:00:00.000Z",{"items":2897},[2898,2900],{"sys":2899,"name":1999},{"id":1998},{"sys":2901,"name":2903},{"id":2902},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":2905},[2906],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2907},{"url":236},{"__typename":1035,"sys":2909,"content":2910,"title":2052,"synopsis":3365,"hashTags":62,"publishedDate":3366,"slug":3367,"tagsCollection":3368,"authorsCollection":3374},{"id":2049},{"json":2911},{"data":2912,"content":2913,"nodeType":1028},{},[2914,2932,2939,2946,2953,2972,2979,2998,3004,3011,3018,3025,3032,3039,3046,3066,3073,3080,3086,3093,3100,3107,3113,3119,3125,3132,3139,3145,3152,3159,3166,3172,3179,3186,3193,3200,3207,3213,3220,3227,3233,3240,3247,3253,3259,3266,3331,3338,3344,3351,3358],{"data":2915,"content":2916,"nodeType":281},{},[2917,2921,2928],{"data":2918,"marks":2919,"value":2920,"nodeType":248},{},[],"We published the ",{"data":2922,"content":2923,"nodeType":259},{"uri":251},[2924],{"data":2925,"marks":2926,"value":258,"nodeType":248},{},[2927],{"type":257},{"data":2929,"marks":2930,"value":2931,"nodeType":248},{},[]," on GitHub, which is an open-source research project to demonstrate the multitude of attacks that are possible against SaaS-native and hybrid SaaS organizations. On release day it contained 38 different techniques. ",{"data":2933,"content":2934,"nodeType":281},{},[2935],{"data":2936,"marks":2937,"value":2938,"nodeType":248},{},[],"However, we know it’s not just individual attack techniques and the phases of the cyber kill chain that matter - it’s also how you chain attacks together. Two lower risk vulnerabilities chained together could be a critical issue.",{"data":2940,"content":2941,"nodeType":281},{},[2942],{"data":2943,"marks":2944,"value":2945,"nodeType":248},{},[],"In this article, we’re going to demonstrate that by combining two of our favorite new SaaS attack techniques, poisoned tenants and SAMLjacking, you can make a simple, but effective attack chain.",{"data":2947,"content":2948,"nodeType":371},{},[2949],{"data":2950,"marks":2951,"value":2952,"nodeType":248},{},[],"What is a poisoned tenant?",{"data":2954,"content":2955,"nodeType":281},{},[2956,2959,2968],{"data":2957,"marks":2958,"value":29,"nodeType":248},{},[],{"data":2960,"content":2962,"nodeType":259},{"uri":2961},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/poisoned_tenants/description.md",[2963],{"data":2964,"marks":2965,"value":2967,"nodeType":248},{},[2966],{"type":257},"Poisoned tenants",{"data":2969,"marks":2970,"value":2971,"nodeType":248},{},[]," involve an adversary registering a tenant for a SaaS app they control and tricking target users to join it, often using built-in invite functionality. The end goal is to have some target users actively using a tenant you (as the adversary) control.",{"data":2973,"content":2974,"nodeType":371},{},[2975],{"data":2976,"marks":2977,"value":2978,"nodeType":248},{},[],"What the hell is SAMLjacking?",{"data":2980,"content":2981,"nodeType":281},{},[2982,2985,2994],{"data":2983,"marks":2984,"value":29,"nodeType":248},{},[],{"data":2986,"content":2988,"nodeType":259},{"uri":2987},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[2989],{"data":2990,"marks":2991,"value":2993,"nodeType":248},{},[2992],{"type":257},"SAMLjacking",{"data":2995,"marks":2996,"value":2997,"nodeType":248},{},[]," is where an attacker makes use of SAML SSO configuration settings for a SaaS tenant they control in order to redirect users to a malicious link of their choosing during the authentication process. This can be highly effective for phishing as the original URL will be a legitimate SaaS URL and users are expecting to provide credentials.",{"data":2999,"content":3000,"nodeType":371},{},[3001],{"data":3002,"marks":3003,"value":2148,"nodeType":248},{},[],{"data":3005,"content":3006,"nodeType":281},{},[3007],{"data":3008,"marks":3009,"value":3010,"nodeType":248},{},[],"A poisoned tenant on its own could be an epic supply chain attack if you get really lucky. Imagine discovering an organization was wanting to migrate to Slack and then catching some key teams with a Slack poisoned tenant and gradually getting the whole organization migrated over. You’d have a goldmine of information as an administrator of the platform.",{"data":3012,"content":3013,"nodeType":281},{},[3014],{"data":3015,"marks":3016,"value":3017,"nodeType":248},{},[],"However, it might be hard to trick a whole organization into using an attacker controlled slack instance without anyone realizing, but it could be a lot easier to successfully invite e.g. a marketing team into using/adopting a new marketing app that helps them do SEO. This might be easier to perform, but it doesn't really give the attacker valuable data in the poisoned tenant of the marketing app, so it seems a bit pointless.",{"data":3019,"content":3020,"nodeType":281},{},[3021],{"data":3022,"marks":3023,"value":3024,"nodeType":248},{},[],"On the other hand, what about SAMLjacking? It’s a great technique on its own, but you still need to get users to login to the app. Sure, you’ll be sending them a legitimate SaaS URL with a valid TLS certificate etc and so it’s going to pass the sniff test for many people and also bypass email security appliances and similar security tools. However, you’re still effectively phishing them for credentials, the one thing we train users to be most suspicious about, so there is still a possibility they will spot the attack. ",{"data":3026,"content":3027,"nodeType":281},{},[3028],{"data":3029,"marks":3030,"value":3031,"nodeType":248},{},[],"But what if you could combine these techniques so that a poisoned tenant didn’t need to be a big, juicy target to be useful and a SAMLjacking attack didn’t even necessarily require phishing someone directly? What if the attack could be successful just from a target accessing their own bookmarks or open tabs for an app they already use?",{"data":3033,"content":3034,"nodeType":281},{},[3035],{"data":3036,"marks":3037,"value":3038,"nodeType":248},{},[],"In a combination scenario, a user doesn't need to be phished for SAMLjacking. One day they go back to their tab and it's logged out and they get SAMLjacked while logging back in. They don't have to click a link in an email. That’s what we are talking about here, so let’s consider an example of this making use of the SaaS-based wiki, Nuclino.",{"data":3040,"content":3041,"nodeType":371},{},[3042],{"data":3043,"marks":3044,"value":3045,"nodeType":248},{},[],"An example attack - Nuclino",{"data":3047,"content":3048,"nodeType":281},{},[3049,3053,3062],{"data":3050,"marks":3051,"value":3052,"nodeType":248},{},[],"Before moving on, I’d just like to point out that this isn’t a vulnerability with ",{"data":3054,"content":3056,"nodeType":259},{"uri":3055},"https://www.nuclino.com/",[3057],{"data":3058,"marks":3059,"value":3061,"nodeType":248},{},[3060],{"type":257},"Nuclino",{"data":3063,"marks":3064,"value":3065,"nodeType":248},{},[]," per se and it won’t be limited to Nuclino either. I’ve used Nuclino as an example because it’s a great wiki platform we use at Push Security, so I’m familiar with it. ",{"data":3067,"content":3068,"nodeType":281},{},[3069],{"data":3070,"marks":3071,"value":3072,"nodeType":248},{},[],"It also allows custom SAML authentication, both as part of its free trial and as part of its lowest tier paid plan. This should be commended as many SaaS apps don’t support SAML or other forms of SSO, and many of those that do charge a huge premium via enterprise plans to gain access to it. We love you Nuclino, sorry!",{"data":3074,"content":3075,"nodeType":281},{},[3076],{"data":3077,"marks":3078,"value":3079,"nodeType":248},{},[],"We'll take a walkthrough of how the attack chain works now. However, if you'd like to jump straight to a demo of the attack then checkout the video here:",{"data":3081,"content":3085,"nodeType":499},{"target":3082},{"sys":3083},{"id":3084,"type":269,"linkType":270},"3y6ZMPPsbh6PYlQ7IOxOzS",[],{"data":3087,"content":3088,"nodeType":281},{},[3089],{"data":3090,"marks":3091,"value":3092,"nodeType":248},{},[],"Next, we'll do a full walkthrough of the attack.",{"data":3094,"content":3095,"nodeType":528},{},[3096],{"data":3097,"marks":3098,"value":3099,"nodeType":248},{},[],"Step 1 - Setup a poisoned tenant and invite target users",{"data":3101,"content":3102,"nodeType":281},{},[3103],{"data":3104,"marks":3105,"value":3106,"nodeType":248},{},[],"The first step for an adversary is to set up their poisoned tenant and then make use of the invite functionality to target some employees of the target organization. With Nuclino, you can either do this by sending sharing links directly to the target or invite them through the Nuclino app, and it will send out legit email invitations on your behalf.",{"data":3108,"content":3112,"nodeType":499},{"target":3109},{"sys":3110},{"id":3111,"type":269,"linkType":270},"740nQhGSFp2nFU1b4DP7Mp",[],{"data":3114,"content":3118,"nodeType":499},{"target":3115},{"sys":3116},{"id":3117,"type":269,"linkType":270},"4GFL1L7Mmp3nnBODwC9SbH",[],{"data":3120,"content":3124,"nodeType":499},{"target":3121},{"sys":3122},{"id":3123,"type":269,"linkType":270},"7KUWKFFlDyvBVoM3MEhPwR",[],{"data":3126,"content":3127,"nodeType":528},{},[3128],{"data":3129,"marks":3130,"value":3131,"nodeType":248},{},[],"Step 2 - Target responds to the invitation or later signs up for Nuclino",{"data":3133,"content":3134,"nodeType":281},{},[3135],{"data":3136,"marks":3137,"value":3138,"nodeType":248},{},[],"The interesting thing here is that whether the target signs up for Nuclino directly from the joining link or they sign up for an account separately in future, they get mapped to the workspace they have been invited to by default.",{"data":3140,"content":3144,"nodeType":499},{"target":3141},{"sys":3142},{"id":3143,"type":269,"linkType":270},"2GlTHcT1cpQ44jb5lN9dr4",[],{"data":3146,"content":3147,"nodeType":528},{},[3148],{"data":3149,"marks":3150,"value":3151,"nodeType":248},{},[],"Step 3 - Configure a malicious SAML server",{"data":3153,"content":3154,"nodeType":281},{},[3155],{"data":3156,"marks":3157,"value":3158,"nodeType":248},{},[],"Once the adversary has a critical mass of users on their poisoned tenant, they can later engage the SAMLjacking attack. ",{"data":3160,"content":3161,"nodeType":281},{},[3162],{"data":3163,"marks":3164,"value":3165,"nodeType":248},{},[],"To do this, they need to configure a custom SAML server. You can point this to a fake authentication provider they control that mirrors the appearance of the SSO provider the target users are accustomed to using in order to capture credentials.",{"data":3167,"content":3171,"nodeType":499},{"target":3168},{"sys":3169},{"id":3170,"type":269,"linkType":270},"1RbhUTZd5Ak4UvjiZhub4V",[],{"data":3173,"content":3174,"nodeType":281},{},[3175],{"data":3176,"marks":3177,"value":3178,"nodeType":248},{},[],"If you toggle the setting to require SSO, existing users will be sent emails prompting them to link their accounts to SSO. That leads to two possible paths to a user compromise.",{"data":3180,"content":3181,"nodeType":371},{},[3182],{"data":3183,"marks":3184,"value":3185,"nodeType":248},{},[],"Paths to user compromise ",{"data":3187,"content":3188,"nodeType":528},{},[3189],{"data":3190,"marks":3191,"value":3192,"nodeType":248},{},[],"The first possibility",{"data":3194,"content":3195,"nodeType":281},{},[3196],{"data":3197,"marks":3198,"value":3199,"nodeType":248},{},[],"This compromise occurs when the target sees the email that SSO has been configured and clicks the link in order to link their account to SSO. A smart adversary may improve the social engineering quality with an email sent out in advance informing users that the internal security team has requested Nuclino be linked to SSO. This makes the target expect the email and consider it legitimate. ",{"data":3201,"content":3202,"nodeType":281},{},[3203],{"data":3204,"marks":3205,"value":3206,"nodeType":248},{},[],"Even though the email is an official email from Nuclino and the link contained is an official Nuclino URL, it will immediately redirect to the malicious SAML server that has been configured, where credentials can then be captured.",{"data":3208,"content":3212,"nodeType":499},{"target":3209},{"sys":3210},{"id":3211,"type":269,"linkType":270},"6zWiAfBx7aaUeo6t04AtUl",[],{"data":3214,"content":3215,"nodeType":528},{},[3216],{"data":3217,"marks":3218,"value":3219,"nodeType":248},{},[],"Second compromise possibility",{"data":3221,"content":3222,"nodeType":281},{},[3223],{"data":3224,"marks":3225,"value":3226,"nodeType":248},{},[],"If the user ignores the email, the other potential outcome occurs when their session expires and they need to login again to regain access. This is similar to a watering hole attack. When their session expires, the target’s open tabs or bookmarks will redirect back to the workspace specific login page, which will now look like this:",{"data":3228,"content":3232,"nodeType":499},{"target":3229},{"sys":3230},{"id":3231,"type":269,"linkType":270},"580CvVtdyEpqdiK8T1lSfQ",[],{"data":3234,"content":3235,"nodeType":281},{},[3236],{"data":3237,"marks":3238,"value":3239,"nodeType":248},{},[],"Clicking the button to login with SSO will immediately redirect to the malicious SAML server and launch the attack. Alternatively, if the target attempts to login without SSO, the login will fail with an error message telling them to login with SSO.",{"data":3241,"content":3242,"nodeType":281},{},[3243],{"data":3244,"marks":3245,"value":3246,"nodeType":248},{},[],"Either way, once the SAMLjacking has taken effect, they’ll be faced with a familiar-looking SSO login page from a trusted source at a point they are expecting to enter their credentials - something even the most paranoid of users could easily fall for unknowingly. ",{"data":3248,"content":3252,"nodeType":499},{"target":3249},{"sys":3250},{"id":3251,"type":269,"linkType":270},"5eFctGgFywtmhhjaXVraqN",[],{"data":3254,"content":3255,"nodeType":371},{},[3256],{"data":3257,"marks":3258,"value":911,"nodeType":248},{},[],{"data":3260,"content":3261,"nodeType":281},{},[3262],{"data":3263,"marks":3264,"value":3265,"nodeType":248},{},[],"At this point, having compromised multiple user’s Google credentials, an adversary has a lot of options available:",{"data":3267,"content":3268,"nodeType":335},{},[3269,3279,3289,3311],{"data":3270,"content":3271,"nodeType":313},{},[3272],{"data":3273,"content":3274,"nodeType":281},{},[3275],{"data":3276,"marks":3277,"value":3278,"nodeType":248},{},[],"Access all data in Google apps like GMail, Google Drive etc",{"data":3280,"content":3281,"nodeType":313},{},[3282],{"data":3283,"content":3284,"nodeType":281},{},[3285],{"data":3286,"marks":3287,"value":3288,"nodeType":248},{},[],"Access other SaaS apps that use SSO with the same Google account",{"data":3290,"content":3291,"nodeType":313},{},[3292],{"data":3293,"content":3294,"nodeType":281},{},[3295,3299,3308],{"data":3296,"marks":3297,"value":3298,"nodeType":248},{},[],"Access other SaaS apps that use ",{"data":3300,"content":3302,"nodeType":259},{"uri":3301},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/passwordless_logins/description.md",[3303],{"data":3304,"marks":3305,"value":3307,"nodeType":248},{},[3306],{"type":257},"passwordless logins",{"data":3309,"marks":3310,"value":29,"nodeType":248},{},[],{"data":3312,"content":3313,"nodeType":313},{},[3314],{"data":3315,"content":3316,"nodeType":281},{},[3317,3321,3328],{"data":3318,"marks":3319,"value":3320,"nodeType":248},{},[],"Access other SaaS apps via email ",{"data":3322,"content":3323,"nodeType":259},{"uri":2542},[3324],{"data":3325,"marks":3326,"value":2545,"nodeType":248},{},[3327],{"type":257},{"data":3329,"marks":3330,"value":29,"nodeType":248},{},[],{"data":3332,"content":3333,"nodeType":281},{},[3334],{"data":3335,"marks":3336,"value":3337,"nodeType":248},{},[],"Essentially, this can potentially lead to a compromise of every SaaS application accessible by the compromised user - all from the use of a poisoned tenant for an app with no particularly sensitive data or permissions.",{"data":3339,"content":3340,"nodeType":528},{},[3341],{"data":3342,"marks":3343,"value":968,"nodeType":248},{},[],{"data":3345,"content":3346,"nodeType":281},{},[3347],{"data":3348,"marks":3349,"value":3350,"nodeType":248},{},[],"We have seen how two new SaaS-focused attack techniques can be combined into one more effective attack chain. This shows how a successful poisoned tenant attack for even a low risk app can still be a significant threat when combined with a SAMLjacking attack. ",{"data":3352,"content":3353,"nodeType":281},{},[3354],{"data":3355,"marks":3356,"value":3357,"nodeType":248},{},[],"This demonstrates even the least sensitive edge cases of SaaS sprawl can represent a vector to laterally move to compromise much more valuable assets. History taught us that protecting core production assets was not enough. Adversaries often achieved compromises via test systems and unsecured development resources. What we are seeing now is that this parallel exists in the SaaS-native world too. Therefore, we need to be protecting all SaaS resources with greater vigilance than their standalone sensitivity would indicate.",{"data":3359,"content":3360,"nodeType":281},{},[3361],{"data":3362,"marks":3363,"value":3364,"nodeType":248},{},[],"So what can be done about it? Well, like much in security, there is no silver bullet solution to this issue. SaaS apps are here to stay and are designed to be flexible, easy to sign up for and use. The key first step is always to get good visibility into the SaaS sprawl across your organization. If certain employees or teams start making use of a new SaaS app (or a new tenant for an existing one), that’s probably something your security team should be aware of so they can make sure it’s legitimate and being used as securely as possible. ","In this article, we’re going to demo combining two of our favorite new SaaS attack techniques to make a simple, but effective attack chain.\n","2023-08-17T00:00:00.000Z","samljacking-a-poisoned-tenant",{"items":3369},[3370,3372],{"sys":3371,"name":1999},{"id":1998},{"sys":3373,"name":2903},{"id":2902},{"items":3375},[3376],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":3377},{"url":236},"slack-phishing-for-initial-access","blog/slack-phishing-for-initial-access",{"json":3381},{"data":3382,"content":3383,"nodeType":1028},{},[3384],{"data":3385,"content":3386,"nodeType":281},{},[3387],{"data":3388,"marks":3389,"value":3390,"nodeType":248},{},[],"Our latest post in the SaaS attacks matrix series is focused on external phishing via Slack. Unlike email, IM apps and the messages within them are typically more trusted by employees, making social engineering via Slack a juicy target.","In this article, we’ll demonstrate how IM apps, specifically Slack, are an increasingly attractive target for a range of phishing & social engineering attacks.",{"id":1211,"publishedAt":3393},"2024-03-21T08:57:37.984Z",{"items":3395},[3396,3398],{"sys":3397,"name":1999},{"id":1998},{"sys":3399,"name":2003},{"id":2002},"qtMGrMDa9fXsGi7OgNiam577vGjmBvPWYobdNiVTuhY",1784196728815]