Lapsus$ Playbook in the Open, and Companies Are Not Ready - Read More
Executive Summary


57% of organizations cite collaboration applications such as Slack, Microsoft Teams, and Zoom, as the tech stack representing the most risk. Since the start of 2020, the use of such tools has boomed. The digital workspace these tools create is highly vulnerable to a range of digital risks, including social engineering, ransomware, insider threats, and compliance violations. This growing threat surface has compelled enterprises to attempt to secure collaboration tools through technology solutions that can provide cloud native defenses and mitigate risks.

These collaboration platforms represent incredible opportunities to innovate across remote teams of employees and their third-party contributors and, in many cases, directly with customers. But the explosion in use of these cloud-based tools has caught most enterprises off-guard; where they were once an adjunct to the enterprise, tools like Slack, Zoom, and Microsoft Teams have now become part of a world without a perimeter. Enterprises cannot and should not solely count on these brands to deliver the security levels they need to keep their people, data and brands safe. Brands simply must own their own security and compliance initiatives in the cloud and mobile workplace. What’s needed are a new generation of solutions that secure collaboration tools – solutions that are highly scalable, and provide full visibility, automated compliance, sandboxing, and other features. By integrating with the at-risk cloud applications, these applications provide companies with secure data collaboration.

Cloud Apps We Protect

zoom logo

Every savvy company learned long ago that managing projects over email is a nightmare. 

Email security providers lack the ability to both create visibility outside of email, and primarily defend against malicious files and links. CASB/SASE solutions are difficult to deploy and manage, and the control function is typically left “open” to prevent false positives from affecting business productivity.

As an alternative, collaboration tools like Slack, Microsoft Teams, and Zoom have been on the rise for a number of years – a rise encouraged by the normalization of distributed teams. 

However, the COVID-19 pandemic drastically accelerated the use of communication and data collaboration tools. These cloud applications are experiencing an all-new operational centrality, across industries. 

  • For the full fiscal year 2020, Slack achieved 12 million daily active users, along with a total revenue of around $630 million.
  • Microsoft Teams boasted 115 million daily active users. That number had risen over 50% in just six months.
  • By the end of 2020, Zoom had about 350 million daily meeting participants, compared to its 10 million participants during 2019.

Plenty of other facts and figures that tell a similar story. These internal collaboration tools are now the norm of doing business. 

Organizations today are increasingly reliant upon SaaS collaboration and communication tools such as Microsoft Teams, Slack, Zoom, and social networking to conduct business internally and externally. 

They are too powerful in facilitating daily operations to ever unwind from. They are here to stay. And they bring with them visibility limitations into which traditional enterprise security and compliance tools are rendered ineffective. 

A blind-spot is growing for security operations as adoption of these tools increases, creating more risk and vulnerability to ransomware, business compromise, and confidential information leakage.

Full visibility into these applications requires monitoring deeply into the application, including into direct messages, group chats, and team meetings. Current defenses miss the patterns, context and intent of communications that indicate early stages of phishing, social engineering, and business communication compromise attacks. 

These apps have become the new hotspot for cybercriminals; they know it’s an exposure and are rushing to capitalize on it before you can close the gap.

Today, there is a growing awareness that digital collaboration does not immediately confer secure, compliant, and encrypted collaboration. These tools create a digital workspace that is currently under-protected. As these tools are on-boarded by more and more companies, the vulnerabilities and limitations of human users become more and more attractive to bad actors.

Talk to an Expert

Truly secure collaboration tools can be hard to come by, and executives are aware of that. According to our recent survey, 57% of organizations cite internal collaboration tools and platforms as the tech stack representing the most risk. CISOs are right to be worried.

In early 2020, Cyberark discovered a vulnerability in Microsoft Teams. The attack utilized a weaponized GIF which, when viewed, began stealing data. The month after that, we find out that foreign spies have been targeting American companies and individuals through Zoom and other video conferencing platforms.

A few months later, researchers discovered a Slack vulnerability that allowed attackers to smuggle malware and other malicious files into the environment. A flaw in the create snippet feature caused incorrect file type displays, and bad actors could potentially use it to introduce dangerous files as harmless ones. 

Then, in 2021, a stolen Slack authentication cookie enabled bad actors to infiltrate the EA Games’ network, stealing 780GB worth of data, including source codes to two of the company’s multi-billion dollar franchises.

These are just a couple of examples of how both internal and client collaboration tools have been targeted. Though vulnerabilities are usually quickly patched, they also keep coming and not all are detected. And traditional cybersecurity techniques fail to offer a layer of protection against issues like this.

The vulnerability of collaboration platforms are rooted in three main factors:

  1. A high velocity and volume of communications
  2. Lack of true visibility into these communications
  3. The inadequacy of manual monitoring

The average Slack or Teams instance plays host to thousands or even tens of thousands of daily messages. These messages are exchanged at lightning speed, around the clock. They are sent in groups and DMs; they often contain links and attachments.

Meanwhile, Zoom meetings enable a number of participants to interact through video conferencing together, a much more direct version of collaboration. However, these meeting rooms are often easily accessible, and random people can Zoombomb your calls, even business meetings where sensitive information is discussed. 

Just one malicious message on your Slack or Teams instance, or one Zoombombed call, can cause serious damage. However, collaboration tools’ nonstop flow of human interaction moves far too fast to be manually monitored. Scanning every message is simply not practical.

This renders collaboration tools black boxes. Security teams lack visibility and control, and secure collaboration tools can feel nonexistent. The activity proceeds at a consistent pace, but teams have no way to get their arms around everything that is going on. In this scenario, it is virtually a matter of time before one of the following digital risks arises:


 Malware & RansomwareMalware & Ransomware


A simple click on a link is all it can take for malware or ransomware to strike. And bad actors are increasingly skilled at crafting innocent-looking URLs that draw people in. Malware can now be skillfully embedded within innocuous files: Word documents, PDFs, or any other format.

Frequently, the cause of malware or ransomware getting loose is pure accident. A staff member shares what they believe to be a legitimate site or a fun video – but they are unwittingly sharing a threat vector for malware. For example, they might share a file that someone they thought was a customer sent them on LinkedIn. However, this customer was a spear phisher, looking to gain access to the company infrastructure.

Alternatively, Slack, Teams, and Zoom instances frequently preserve the login credentials of former employees, or third parties, or other groups who may have reason to try and do harm to the enterprise. Most companies have no centralized way to manage account access in a systematized way.

Moreover, increasingly, ransomware possesses delayed mechanisms that allow them to evade initial detection. Even in the unlikely event that a manual review team casts an eye over an offending file or message, they might not spot it for what it is the first time around. Enterprises with secure collaboration tools are better prepared to fight and prevent this digital adversary.

Spear Phishing & Account TakeoverSpear Phishing & Account Takeover

Recent spear phishing campaigns have taken to targeting Microsoft Teams users through fake emails. These emails, which mimic automated notifications from a solution provider, point users to bogus login pages. There, bad actors collect and harvest legitimate login credentials from company employees. Most companies won’t be able to detect such account changes. They then won’t be able to recover the login credentials stolen from them.

The 2021 EA Games breach stated above is an example of this; a bad actor imitated a former employee to gain access.

Spear phishers exploit Slack vulnerabilities, as well. Ashley Graves, a Cloud Security Researcher at AT&T Alien Labs, describes how bad actors can abuse Slack webhooks to gain access to sensitive Slack data. They do this by crafting a phishing message which they send directly through a leaked webhook URL that leads to a Slack workspace. The message tricks the user into installing a malicious app that then exfiltrates data from the workspace. These sorts of threats will only get worse, with Slack upgrades allowing communication across different workspaces and business partners.

Senior executives are often the target of these attacks, which is why most CISOs are so keen to lay their hands on secure collaboration tools. Alternatively, a successful phishing attack can lead to a cybercriminal posing as an employee in your tools’ instance for weeks or months. The effect can be serious damage: financial and reputational



Compliance ViolationsCompliance Violations

The volume and velocity of digital communications creates significant risk exposure to heavy fines & penalties, litigation expense and/or reputation damage. This is especially true for heavily-regulated industries and enterprises such as financial services (finserv), pharmaceutical companies, and healthcare institutions.

Moreover, the need for visibility across all their apps and platforms requires the archiving of significant data for legal discovery. This allows companies to cover their bases and stay compliant to laws and regulations. 

Robust compliance protection should include the ability to prioritize and quarantine high-risk violations. This also includes capturing, analyzing, and archiving all direct chats and app group conversations that might contain potential compliance-based violations.

Case in point: A K-12 private school needed to establish a secure collaboration platform for its students and staff. However, they generate an average of 125,000 chat messages in a ten-day span. The school had to onboard dedicated software to help them detect incidences of cyberbullying and digital harassment.



76% of executives admit that insider threats are what they worry about the most. Collaboration platforms play host to very sensitive company information. On Slack or Teams, staff exchange strategic plans, legal documents, financial reports, and other material that they would hate to see leaked. This free flow of sensitive information makes a secure collaboration platform paramount.

Hundreds of thousands of data breaches happen every year, and about 90% of these are due to insiders. The breach could come from anywhere. It could be a complete accident. Or it could come from third-party users with bad intentions. But when people are handling sensitive information in a siloed environment, unfortunately, it is a matter of time before someone breaches the silo. When that happens, enterprises no longer have a way of detecting where their sensitive files have gone or what they have triggered.

Secure data collaboration tools possess systems designed to guard entry to instances. Microsoft Teams, for example, enforces “team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest.” However, such measures do not address inherent digital risks within the platform. For this reason, most businesses rely on CASBs (cloud access security brokers) for infrastructure protection.

However, CASBs have gaps of their own:

  • A blind gap with message and attachment visibility. CASBs cannot see the contents of these, leaving open doorways to digital risks.
  • A coverage gap for natural language processing. CASBs cannot glean context clues regarding data loss, harassment, and other compliance risks.
  • A measurement gap around data archiving and legal readiness. SIEMs, often used as “buckets” for CASB logs, do not help legal teams needing searchable records and full audit trails.

CISOs need real secure collaboration tools to augment their CASBs. This means integrating applications like Slack and Teams with software crafted to provide protection. This protection should include these capabilities:

Total Visibility Total Visibility 

Enterprises need 100% visibility into messages and user activity (such as user activity logs) in order to secure team collaboration environments. From direct chats to larger conversation threads to whole 40-minute long meetings on your third-party apps, organizations need the ability to continuously monitor, scan, and detect digital threats and risks. Instantaneous vetting of messages, links, attachments, and even GIFs is a must to reduce mean time to detection (MTTD) and/or response (MTTR).

Malware Detection and AnalysisMalware Detection and Analysis

Security teams must have sandboxing capabilities for analyzing, detecting, and alerting on all attachments sent through security channels. Additionally, many pieces of modern malware possess algorithms that delay attacks. This allows the malware to avoid detection for a few days before unspooling. To address this, a secure cloud collaboration solution with next-generation sandboxing that performs a full execution path unfold is required. This capability fully unpacks all data and files within your system, unraveling and capturing even the most sophisticated malware. The platform should also be able to notify the console and SOC for the review and resolution process.


Customizable PoliciesCustomizable Policies

Every organization in every industry deals with different digital risk pressures. That means each enterprise should tailor their own internal standards and policies. When establishing protocols for secure collaboration, enterprises must deploy risk management solutions that allow complete and bespoke policy customization. Companies need the power to quickly apply these policies across the entire enterprise to secure collaboration tools and apps.

Message AnalyticsMessage Analytics

The ability to automate the review and analysis of links and language used in messages on collaboration applications is crucial. A solution needs the capability to stop malicious links from getting to your employees and apply consistent analysis to detect risks, including a natural language processing (NLP) solution to detect social engineering language in messages.

Scalable Technologies Scalable Technologies 


Solutions that secure collaboration tools must have no ceiling. An increasing number of enterprises are onboarding both internal and client collaboration tools. Companies are hiring all the time. This means the amount of messages and activity within these applications are only going to grow in scale. Security solutions must take advantage of AI and machine learning in order to face zero restrictions on scalability.

Secure Human Connections

Ready to see how SafeGuard Cyber secures modern communication apps wherever they exist?