SAAS-SLACK-TOKENCredential Access

Slack Token / Webhook Theft

Slack xoxp / xoxb / xoxa tokens leaked in source, env files, CI logs — read history, post as user / app, exfil DMs.

§ Where this technique fits

SAAS-SLACK-TOKEN is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Slack token in CI log → DM history → vendor mailbox compromise
A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, pivot into the corporate mailbox.
step 2 / 6

§ What commonly comes next

01
Account Discovery
T1087 · Discovery
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Slack token in CI log → DM history → vendor mailbox compromise

§ What commonly comes next