A new threat vector for social engineering in Slack illustrates the emerging risks posed by the new multi-channel communication environments that characterize today’s workplace. In this post, we’ll look at one risk to Slack in particular, but we’ll also examine how a risk in this one channel cascades throughout a multi-channel system.


Cloud-based SaaS applications allow onboarding customers within a very short period of time. In some cases, new employees are up and running on M365, Salesforce, Slack, and/or Zoom in a matter of minutes.

Turning to our Slack example: attackers are able to mimic workspaces to make them feel and look just like an organization’s legitimate instances. How does that work? Let’s look at this example of social engineering in Slack:

  1. A new employee connects to an ‘assumed’ URL in Slack, for example: company-cyber.slack[dot]com
  2. However, the real URL for the company is actually company-cyber-HQ.slack[dot]com
  3. An email from the bogus workspace is sent to the new employee to activate their Slack access - yet it isn’t validated from your organization in many cases
  4. Once the new employee adds their validation code, they’re now connected to the imposter Slack workspace.
  5. It would look like the right Slack workspace because the new employee would see others on the channel, appearing as though they belong to the same company.
  6. Yet, the imposter workspace isn't the official company workspace, and these are threat actors just waiting for the new employee to share data or access.

The multi-channel risk surface is initially Slack and email, but it can expand from there quickly. Attackers have proven successful at tricking employees through social engineering to give up MFA tokens or other credentials. From there, the attackers can move into connected systems like GitHub, Jira, etc. to gain access to valuable intellectual property.

As easy as it is to imagine that scenario (and you don’t have to, it’s happened more than once), it’s actually quite difficult for SOC teams to see these incidents for the multi-channel compromises that they are. Traditional tools are still feeding event data in silos. What may look like several incidents, managed by several different SOC analysts, may in fact be one coordinated effort.

Let’s turn back to Slack and other workspace channels.

Slack and Other Collaboration Platforms Are a Target

Why are attacks like this on the rise? 

With over 10 million daily users, Slack is indisputably an industry leader for team collaboration. But this accessibility and convenience is also a gateway for hackers and threat actors to exploit these digital communication platforms.

Often, people are confident that passwords, private chats and direct messages are secure enough. True, some applications are more secure than others, but businesses should not fall into the complacent thinking that in-app security and privacy settings are protection enough.

The example of social engineering in Slack above demonstrates that threat actors can capture unsuspecting employees even before they log into their Slack instances. All it takes is a little sleight of hand into the company’s Slack URL, and voila: employees are deceived into handing out their login credentials and other sensitive information.

Despite this risk, business leaders shouldn’t think to steer clear of such platforms. Especially with most of today’s companies deploying remote workforces, collaboration tools like Slack have proven themselves invaluable.

But how should you protect your company today from this social engineering in Slack? What should you look for in your organization to prevent bad actors like these?

Slack Protection Starts from Within

Collaboration platform security starts with proactive and preemptive measures.

First: Organizations need to plan ahead with respect to access rights, as well as user provisioning and de-provisioning. Implementing security controls and mitigating insider threats requires a fully-documented process, which includes tracking who you give access to your Slack channels and workspaces. Keep in mind that proper onboarding and off-boarding of employees is key to making sure the right people have the right access.

Second: Establish a robust and regularly updated training program. Educate your employees on how to spot phishing and social engineering attempts like the example above. Moreover, they also need to have a thorough understanding of what they can and cannot discuss on Slack and other channels, as well as the reasons why.

Third: Deploy an automated solution that immediately alerts administrators to potential social engineering attempts or security breaches. Preferably, it should be a security and compliance solution that leverages machine learning and natural language analysis to track, identify, and flag social engineering patterns and cues. It should also be scalable enough to cope with the creation of data on Slack and other platforms.

SafeGuard Cyber is a great example of that, providing users with a way to detect, analyze, and defend against social engineering in Slack and other collaboration platforms in real-time. See it in action today.

If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.

Explore Security Product