Think Your Group Chat is Safe?


Why business chat platforms are an excellent vector for social engineering.

Author: Andrew Heller - Lares Marketing Manager


My Slack channels at work feel safe.

They're internal.

They're informal.

They are where I get 90% of my collaboration done... way faster than anything I could do over email/Outlook.

And attackers know it.


From Backchannel to Breach

Recent "Signal group chat" headlines have exposed just how fragile group chat privacy can be. Info can get leaked, screenshots taken, or a full-on platform compromise can follow, simply by adding the wrong person. Whether it’s a Slack channel, a Microsoft Teams thread, or a Zoom side chat, attackers have caught on.

At Lares, our Red Team has emulated threat actors abusing tools like:

  • Microsoft Teams: External tenant spoofing + file sharing
  • Slack: Guest access + app integrations for persistence
  • Zoom: Phishing via calendar invites and rogue meetings
  • Google Chat / Workspace: Link-based social engineering and document exploits

Here's how it happens

We’ve used these exact tactics during engagements:

  1. Recon – Identify platform use, public integrations, and federation settings.
  2. Pretexting – Create a fake vendor, recruiter, or executive.
  3. Entry – Join Slack via a guest invite. Message Teams via federated chat. Slip into a Zoom call.
  4. Payload – Deliver a phishing link or weaponized file, or initiate a credentials prompt.
  5. Pivot – Move laterally into cloud resources, email, or even production.

What We’re Seeing in the Field

  • Federation defaults left wide open in Microsoft Teams
  • Slack channels shared externally with no expiration or controls
  • Zoom/Meet links reused or circulated on social media
  • No logging of collaboration app events in SIEMs
  • No DLP applied to chat, despite sensitive files flying back and forth

Most orgs are still focused on email phishing. Meanwhile, attackers bypass inboxes completely and land directly in your group chat.


What Lares Tests For

When organizations engage us to test collaboration security, we evaluate:

  • External access misconfigurations (Teams, Slack, etc.)
  • User trust and social engineering susceptibility
  • Visibility gaps in chat activity and file sharing
  • In-platform detection and alerting
  • How fast (if ever) your SOC sees and responds to a rogue message

What You Can Do Now

Here’s how to reduce risk today:

  • Audit external access + guest accounts across Slack, Teams, and Meet
  • Log chat interactions and file shares into your SIEM
  • Train users to question odd chat requests, just like suspicious emails
  • Include collaboration platforms in phishing simulations
  • Let a Red Team test your assumptions
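
One way to act on the audit and logging items above, shown as an added example (not Lares code): a small triage pass over collaboration events before they reach the SIEM. The event schema, field names, domains and extension list are assumptions constructed for illustration; real Slack, Teams and Zoom audit logs use their own formats and must be mapped into it first.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample events in a hypothetical normalized schema; real Slack,
# Teams and Zoom audit logs use different field names and must be mapped first.
SAMPLE_EVENTS = """
{"ts":"2025-04-01T09:00:00Z","platform":"slack","type":"guest_invited","actor":"it-admin@corp.example","target":"vendor@supplier.example","expires_at":null}
{"ts":"2025-04-01T09:05:00Z","platform":"teams","type":"message","actor":"recruiter@talent.example","external":true,"text":"Please sign in at https://login.portal.example/verify to view the offer"}
{"ts":"2025-04-01T09:06:00Z","platform":"teams","type":"message","actor":"amy@corp.example","external":false,"text":"Spec is at https://wiki.corp.example/spec"}
{"ts":"2025-04-01T09:10:00Z","platform":"slack","type":"file_shared","actor":"vendor@supplier.example","external":true,"filename":"invoice.xlsm"}
{"ts":"2025-04-01T09:12:00Z","platform":"slack","type":"guest_invited","actor":"it-admin@corp.example","target":"auditor@firm.example","expires_at":"2025-05-01T00:00:00Z"}
"""

TRUSTED_DOMAINS = {"corp.example"}  # assumption: the organization's own domains
RISKY_EXTENSIONS = (".xlsm", ".docm", ".iso", ".lnk", ".js", ".hta")
URL_RE = re.compile(r"https?://[^\s<>]+")

def is_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(event):
    """Return a list of finding names for one normalized event."""
    findings = []
    kind = event.get("type")
    if kind == "guest_invited" and not event.get("expires_at"):
        findings.append("guest-without-expiry")
    if event.get("external"):
        if kind == "message":
            hosts = [urlparse(u).hostname for u in URL_RE.findall(event.get("text", ""))]
            if any(not is_trusted(h) for h in hosts):
                findings.append("external-sender-untrusted-link")
        elif kind == "file_shared" and event.get("filename", "").lower().endswith(RISKY_EXTENSIONS):
            findings.append("external-sender-risky-file")
    return findings

def scan(lines):
    """Return (timestamp, actor, finding) tuples for every finding in a JSONL string."""
    results = []
    for line in lines.splitlines():
        if line.strip():
            event = json.loads(line)
            results += [(event["ts"], event["actor"], f) for f in triage(event)]
    return results

if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(*row, sep="  ")
```

Each finding name maps to one item in the lists above: guest accounts with no expiration, and links or files arriving from external senders inside chat.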

Final Thought

Group chats are not casual. They’re where credentials are shared, documents are dropped, and sensitive decisions are made.

Lares simulates this kind of threat every day, because this is a real-world threat. It’s messy. It’s human. It’s not a line item in your SIEM.

But it can be tested. It can be trained for. And it can be stopped.

Let's Talk - lares.com/contact


©2024 Lares, a Damovo Company | All rights reserved.
