Slack token in CI log → DM history → vendor mailbox compromise

§ Context

Assumed environment: target uses Slack and runs CI in a way that occasionally leaks env vars to logs. The Slack token has channels:history + im:history + chat:write scopes.

§ Steps

1. 01
   Use harvested links to enter mailboxInitial Access

   T1078— Valid Accounts
2. 02
   List channels, DMs, usersDiscovery

   T1087— Account Discovery
3. 03
   Search public CI logs for xox tokensReconnaissance

   W-RECON-GITHUB-DORK— GitHub / GitLab Dorking
4. 04
   M365 exfil via EWSCollection

   M365-EWS-EXFIL— Exchange Web Services (EWS) Exfil
5. 05
   Read DMs for reset links / OTPsCollection

   T1056— Input Capture
6. 06
   Authenticate to Slack APICredential Access

   SAAS-SLACK-TOKEN— Slack Token / Webhook Theft

§ References

• T1078Valid Accounts
• T1087Account Discovery
• T1056Input Capture

§ Frequently asked

What is the "Slack token in CI log → DM history → vendor mailbox compromise" attack path?

A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, pivot into the corporate mailbox. It chains 6 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Use harvested links to enter mailbox (T1078) — a initial access primitive. Assumed environment: target uses Slack and runs CI in a way that occasionally leaks env vars to logs.

What is the final impact of this kill-chain?

The final step lands on Authenticate to Slack API (SAAS-SLACK-TOKEN), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques3

  Secret echoed to public build log → cloud takeover

  A workflow accidentally runs `env` or `set -x` during debugging — the AWS access key is now in public CI logs and indexed by Google Cache / GitHub search.

• Shared techniques2

  Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

  Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.

• Shared techniques2

  Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)

  Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.

• Shared techniques2

  Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.

• Shared techniques2

  Build-system implant → signed supply-chain backdoor (SolarWinds-class)

  Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.

• Shared techniques2

  Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)

  Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.