Updated March 3, 2022:
We've recently published an article about Microsoft Teams phishing to supplement this piece on Slack phishing. Check it out here!
As Slack cements its place as the communication tool of choice for many businesses, it has increasingly become a target for malicious parties. The statistics are real - Slack reduces email by up to 80%. Social engineering, a primary type of cyber attack, requires communication and email is the most common form. But, as more email moves to Slack, more attacks will follow.
Slack is a treasure trove of sensitive information. Data shared in Slack often includes company secrets, details about infrastructure and cloud accounts, information about workflows and org structure, data about customers (both organizations and entities).
While phishing is a threat to all email users, specific Slack functionality, namely for this post Slack's webhooks, have become an attack vector for online fraud attacks.
What are Slack Webhooks?
However, because anyone with the URL can post to Slack — regardless of their membership — users need to keep this URL secret.
How Are Slack URLs Being Used for Phishing?
If a hacker obtains a leaked webhook URL, this allows them access to the Slack workspace The webhook URL is essentially an entry point into your Slack instance. Attackers cna use this webhook to send fake messages containing bogus links or bogus requests for information. Since it’s all happening in Slack, users often are not vigilant about these messages and links.
Is Slack a high risk for phishing attacks?
Most people assume that Slack is a low-risk for phishing attacks because:
1) Webhooks require a target channel, which limits the scope of abuse. The idea behind phishing attacks is generally to gain access and then escalate access. Access to one channel is still a risk to be managed and, as we outline below, there are ways to expand the scope of a webhook.
2) Each webhook has a unique URL that can be kept secret. Keeping a Slack Webhook secret is more complicated than many people think. Github contains tens of thousands of pieces of public code with unique Slack URLs.
3) A webhook only accepts incoming data, and therefore cannot be used to steal information. Similar to email phishing attacks, incoming Slack phishing messages can include malicious links and bogus instructions to gain higher-level access.
What techniques are used to expand the scope of Slack webhooks?
One of the more commonly used techniques is a channel override. As mentioned above, a webhook requires a target channel. Ostensibly, this mitigates the risk to one channel. However, by adding the channel key to JSON payloads, attackers can get access to other channels.
More worryingly, this same technique can be used to override Slack permissions, like admin-only posting. Because target channels are based on the webhook's original creator, anyone who finds a webhook made by an admin can then post to admin channels.
How To Counter Slack Phishing
Hackers are very sophisticated these days, and even the brightest employee can download a malicious app by mistake or click a malicious link in Slack in error.
For administrators, application whitelisting and tighter control over permissions and privileges are advisable. Additionally, keeping an eye on Slack OAuth applications is good practice, as anything suspicious could be a sign that Slack has been compromised.
Below are concrete steps to take to minimize the risk of Slack phishing attacks being successful.