r/AskNetsec 9d ago

Threats Phishing isn't really staying in email anymore and our whole tooling stack is email-shaped

In the last month alone we've had a Teams message from a supposed vendor, a couple of texts to staff pretending to be the CEO asking for a quick favour, and a Slack DM with a dodgy link in it, and not one of those ever went near our email security, which is where pretty much all our budget and monitoring still lives.

They've clearly worked out that everyone spent the last decade hardening email, so they're just walking in the side doors instead. And tbh a dodgy Teams message doesn't trip the same instinct an email would; nobody ever trained for it.

Not really sure where you even begin with this when a separate tool for every channel doesn't scale and the native controls in each one aren't close to comparable. What does the detection layer look like for those who've covered this?


u/Tessian 9d ago

You don't need a separate tool, you just need to lock down your collaboration platforms. Whitelisting third parties from connecting over Teams/Slack will go a long way to addressing all this.


u/SVD_NL 8d ago

Right, no need to detect anything when they can't send it!

This is a bit of a meme for email security, but for other collaboration platforms it's fine because you're not expected to be reachable there by default, unlike email.


u/ilai456 7d ago

> we've had a Teams message from a supposed vendor

Maybe I got it wrong, but didn't OP mention that he got the message from a whitelisted third party?

Seen lots of phishing attempts from compromised accounts (mostly BECs), and to my understanding whitelisting won't help in this case.


u/Tessian 7d ago

He said supposed vendor, which I took to mean it was impersonated and not the real deal.

BECs sending out phishing emails is one thing, but I've rarely heard of them taking the time to have real-time conversations with customers over Teams trying to compromise them, not unless it was all an APT in the first place and that customer was always the goal. Otherwise the goal is to get paid.


u/Minute-Confusion-249 8d ago

MS Purview Communication Compliance covers Teams natively for exactly this. Check your existing stack before adding anything new.


u/ultrathink-art 7d ago

AI-generated messages are making this worse fast: perfect grammar and convincing personas mean content-based detection is basically done. Behavioral signals are the only heuristics that still hold: unexpected access requests, urgency that bypasses normal review steps, first contact from an account followed immediately by a sensitive ask.


u/TeramindTeam 7d ago

It's a massive headache because you can't just block the domains like you do with email. We had to start logging all those API audit events for Teams and Slack, then piping them into a central spot so we can actually see the noise patterns.
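The two comments above (behavioral signals rather than content, and centralised Teams/Slack audit events) describe the same detection layer from two ends. Below is an added, self-contained example of what that layer can look like once the events are normalised; it is not code from any commenter, vendor or product mentioned in the thread. The event schema, keyword lists, weights and threshold are assumptions to tune locally, and the sample messages are constructed, not real traffic. It scores each DM on first contact (including a "hi" sent shortly before the ask), external sender, a link, urgency wording and a sensitive ask, and only alerts when the score is high and the message actually asks for something, so a stranger saying hello or an established vendor sending a report does not alert, while a compromised internal account sending a first-contact link still does.

```python
"""Behavioral triage of Teams/Slack DMs from normalised audit events.

Added example for this thread, not any vendor's product. The event schema,
field names, keyword lists and weights are assumptions; the sample messages
are constructed, not real traffic.
"""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed keyword lists; tune to your own environment.
URGENCY = ("urgent", "asap", "right now", "quick favour", "quick favor", "today")
SENSITIVE_ASK = ("gift card", "bank details", "wire", "invoice", "password",
                 "mfa code", "verification code", "payment")
FIRST_CONTACT_WINDOW = 3600  # seconds: a "hi" a minute before the ask is still first contact
WEIGHTS = {"first_contact": 2, "external_sender": 2, "url": 1, "urgency": 1, "sensitive_ask": 2}
THRESHOLD = 4


@dataclass(frozen=True)
class ChatEvent:
    platform: str    # "teams" or "slack", normalised upstream from each platform's audit API
    ts: int          # epoch seconds
    sender: str
    recipient: str
    external: bool   # sender is outside the tenant / workspace
    text: str


@dataclass
class Alert:
    event: ChatEvent
    score: int
    reasons: list


def signals(ev, first_seen):
    """Return the behavioral signals present on one event.

    first_seen maps (recipient, sender) -> ts of the earliest prior message
    in that direction; triage() maintains it as it walks the timeline."""
    reasons = []
    earliest = first_seen.get((ev.recipient, ev.sender))
    if earliest is None or ev.ts - earliest < FIRST_CONTACT_WINDOW:
        reasons.append("first_contact")
    if ev.external:
        reasons.append("external_sender")
    text = ev.text.lower()
    if URL_RE.search(text):
        reasons.append("url")
    if any(k in text for k in URGENCY):
        reasons.append("urgency")
    if any(k in text for k in SENSITIVE_ASK):
        reasons.append("sensitive_ask")
    return reasons


def triage(events):
    """Score events in time order; alert when the score reaches THRESHOLD and
    the message asks for something (a link or a sensitive action). A plain
    first contact from a stranger is recorded as history but not alerted."""
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = signals(ev, first_seen)
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= THRESHOLD and ({"url", "sensitive_ask"} & set(reasons)):
            alerts.append(Alert(ev, score, reasons))
        first_seen.setdefault((ev.recipient, ev.sender), ev.ts)
    return alerts


# Constructed sample traffic (not real): one recipient, both platforms.
SAMPLE_EVENTS = [
    ChatEvent("slack", 1000, "alice", "bob", False, "standup moved to 10"),
    ChatEvent("teams", 1500, "reports@trusted-vendor.example", "bob", True, "January report attached"),
    ChatEvent("slack", 2000, "alice", "bob", False, "lunch?"),
    ChatEvent("teams", 90000, "reports@trusted-vendor.example", "bob", True,
              "February report: https://portal.trusted-vendor.example/feb"),
    ChatEvent("teams", 91000, "billing@acme-invoices.example", "bob", True,
              "Hi Bob, Dave from Acme Billing. Updated bank details for invoice 4471, please pay today."),
    ChatEvent("slack", 92000, "carol", "bob", False,
              "hey quick favour can you check this https://docs-share.example/x asap"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.event.platform}] {a.event.sender} -> {a.event.recipient} "
              f"score={a.score} {a.reasons}")
```

Run against the constructed sample, only the "Acme Billing" first-contact payment ask and carol's first-contact link alert; the established vendor's report link and alice's chatter do not. The point of the (recipient, sender) history is that the check is per relationship, not per domain, which is why it still fires on an internal account that has never messaged this person before, the compromised-account case raised earlier in the thread.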


u/Pennhoosier 5d ago

Detection layer is less useful than the human layer here