Slack Phishing

Travis Good
April 19, 2021

Slack Phishing

As Slack cements its place as the communication tool of choice for many businesses, it has increasingly become a target for malicious parties. The statistics are real - Slack reduces email by up to 80%. Social engineering, a primary type of cyber attack, requires communication and email is the most common form. But, as more email moves to Slack, more attacks will follow.

Slack is a treasure trove of sensitive information. Data shared in Slack often includes company secrets, details about infrastructure and cloud accounts, information about workflows and org structure, data about customers (both organizations and entities).

While phishing is a threat to all email users, specific Slack functionality, namely for this post Slack's webhooks, have become an attack vector for online fraud attacks.

What are Slack Webhooks?

Slack webhooks, or incoming webhooks, are a straightforward way to post messages from third-party apps into Slack. By creating an incoming webhook for your Slack instance, users receive a unique URL. From there, a JavaScript Object Notation (JSON) payload with the message is sent to Slack through this URL.

However, because anyone with the URL can post to Slack — regardless of their membership — users need to keep this URL secret. 

How Are Slack URLs Being Used for Phishing?

If a hacker obtains a leaked webhook URL, this allows them access to the Slack workspace The webhook URL is essentially an entry point into your Slack instance. Attackers cna use this webhook to send fake messages containing bogus links or bogus requests for information. Since it’s all happening in Slack, users often are not vigilant about these messages and links.

Is Slack a high risk for phishing attacks?

Most people assume that Slack is a low-risk for phishing attacks because:

1) Webhooks require a target channel, which limits the scope of abuse. The idea behind phishing attacks is generally to gain access and then escalate access. Access to one channel is still a risk to be managed and, as we outline below, there are ways to expand the scope of a webhook.

2) Each webhook has a unique URL that can be kept secret. Keeping a Slack Webhook secret is more complicated than many people think. Github contains tens of thousands of pieces of public code with unique Slack URLs.

3) A webhook only accepts incoming data, and therefore cannot be used to steal information. Similar to email phishing attacks, incoming Slack phishing messages can include malicious links and bogus instructions to gain higher-level access. 

What techniques are used to expand the scope of Slack webhooks?

One of the more commonly used techniques is a channel override. As mentioned above, a webhook requires a target channel. Ostensibly, this mitigates the risk to one channel. However, by adding the channel key to JSON payloads, attackers can get access to other channels.

More worryingly, this same technique can be used to override Slack permissions, like admin-only posting. Because target channels are based on the webhook's original creator, anyone who finds a webhook made by an admin can then post to admin channels.

How To Counter Slack Phishing

Hackers are very sophisticated these days, and even the brightest employee can download a malicious app by mistake or click a malicious link in Slack in error.

For administrators, application whitelisting and tighter control over permissions and privileges are advisable. Additionally, keeping an eye on Slack OAuth applications is good practice, as anything suspicious could be a sign that Slack has been compromised.

Below are concrete steps to take to minimize the risk of Slack phishing attacks being successful.

  1. Regularly review Slack apps with access to your Slack account.
  2. When installing a new app into Slack, ask the app maker about their app permissions.
  3. Put a process in place for inviting external users to your Slack instance and limit who can add external users.
  4. Educate all of your employees regularly about the risk of Slack phishing.
  5. Run Slack phishing simulations. Even if these are manual, they are effective because they help employees think about security while using Slack.