Slack users unwittingly phished with malicious payloads


Since late June, the platform’s file storage domain – – appeared to pop up with far more regularity on the Phish Alert Button, leading KnowBe4 researchers to surmise that Slack users using the referral URL domain,, are being duped with malicious payloads, raising concerns.

And if an attacker can penetrate an organization and take over an employee’s Slack account, it is an ideal medium to move laterally within the organization.

While COVID-19 ushered in a work-from-home mentality in March that put Zoom at center stage for visual communications, online collaboration-focused platforms like Slack also became critical cogs in most organizations’ new remote workflow.

In this latest scheme, actors are injecting malicious messages within phishing attacks that might appear legitimate to users, because the brand name is recognizable, according to a KnowBe4 blog post that illustrates the campaign through a series of screenshots.

The three-stage attack typically involves an email that takes users to a PDF file hosted on site within a Slack-branded workspace.

“This three-stage attack using files housed at a legitimate online service or site is hardly new or unique,” Eric Howes, principle lab researcher at KnowBe4, wrote. “It is, in fact, the same pattern we've seen used to exploit and abuse plenty of other perfectly legitimate brands and services, including Dropbox, Sendgrid, Sharepoint, and OneDrive, to name but a few,” he added.

Howes cited a recent KnowBe4 report detailing how the design platform Canva is tricking users into helping launder malicious links.

It’s not an accident that Slack and Canva’s popular free services make them targets for such hackers to achieve their nefarious aims, the researcher said.

“We’ve seen only small numbers of malicious emails exploiting,” Howes explained, noting KnowBe4 has not contacted Slack to share its findings. “It appears that only a few malicious groups are experimenting with this particular method at present — perhaps even as few as one group.”

Chris Hazelton, director of security solutions at Lookout, said: “Slack is quickly taking the place of email for many workers as users can easily communicate and share information about a specific topic without the hassles of sending an email.”

Slack’s speed makes it an ideal platform for inadvertently or maliciously sharing phishing links, Hazelton noted. At the same time, users are assumed to be trustworthy. And while some organizations will have firewall protections in place for laptops, remote workers and mobile users on Slack could be left unprotected.

Howes sounds a sobering note: “If nothing else, it is an indication of the current state of phishing. It can seem an inevitable and almost unstoppable feature of everyday digital communication and life on the internet.”

While Slack said that the scheme described by KnowBe4 "isn't specific to Slack," the company noted in a statement sent to SC Media "that social engineering tactics are often used by attackers to obtain valid credentials or trick users into clicking links that either take [them] to unsafe websites or cause them to inadvertently download malicious files."

To guard against those attacks, Slack – which is used by government agencies, financial institutions and enterprises in regulated industries that put a premium on data security and privacy – recommends strong security measures such as two-factor authentication, updated computer and anti-virus software, and careful inspection of all links before clicking on them.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.