Cyber Pulse Academy


T1598.001: Spearphishing via Service

Adversaries send spearphishing messages through third-party services (LinkedIn, Slack, Microsoft Teams, Twitter/X, Zoom, and dating apps) to elicit sensitive information, bypass traditional email security, and establish trusted communication channels for further exploitation.

Tactics: Reconnaissance, Initial Access

Live Simulation

How attackers weaponize third-party services for spearphishing

CSS-Only Simulation: an animated visualization showing spearphishing messages flowing through third-party platforms (LinkedIn, Slack, Teams, Twitter/X, Zoom) from a fake persona presented as "Alex Morgan, Senior Director, Strategic Partnerships", with a "Data Extraction in Progress" indicator. Notice how fake personas impersonate trusted contacts to extract sensitive data. Each platform provides a different attack vector that bypasses traditional email security. The example lures shown in the animation:
  • "Hi Sarah! I'm reaching out about a partnership opportunity at Acme Corp..."
  • "Hey, could you review this shared document? I need your input ASAP."
  • "URGENT: Your Zoom account will be suspended. Verify at z00m-login[.]com"
  • "Thanks for connecting! I noticed your team uses Salesforce; we should discuss integrations..."
  • "Please confirm your Microsoft 365 credentials for the team workspace migration."

💡 How This Works: Attackers create convincing fake profiles or compromise real accounts on trusted platforms. Because these services are considered "safe" by most organizations, messages from them bypass email gateways, spam filters, and URL inspection tools. Victims are more likely to engage because the message arrives in a familiar, trusted environment.

Why It Matters

The real-world impact of service-based spearphishing

  • 11.4% of all phishing attacks originate from compromised supply chain accounts on third-party platforms
  • 47% of organizations experienced a social engineering attack via messaging platforms in the past 12 months
  • $4.9M average cost of a data breach caused by social engineering attacks in 2024
  • 3.4x higher click rate on phishing messages sent through collaboration tools vs. traditional email

Spearphishing via third-party services represents one of the most evasive and effective attack vectors in modern cybersecurity. Unlike traditional email phishing, service-based attacks exploit the inherent trust users place in platforms like LinkedIn, Slack, Microsoft Teams, and Twitter/X. These platforms are whitelisted by most security filters, meaning malicious messages arrive directly in the victim's inbox, notification feed, or direct message stream, completely bypassing perimeter email defenses including Secure Email Gateways (SEGs), DMARC/DKIM/SPF verification, and URL sandboxing.

The 2020 Zoom phishing scam demonstrated how attackers exploited the surge in remote work, sending fake Zoom meeting invitations that harvested credentials from over 500,000 accounts. LinkedIn recruiting scams have targeted executives with personalized InMail messages containing malicious links disguised as job opportunities. Twitter/X DM phishing has been used in state-sponsored campaigns, where attackers impersonate journalists or colleagues to deliver credential harvesting pages.

What makes this technique particularly dangerous is its multi-channel nature. An attacker can simultaneously reach a target through LinkedIn, Slack, Teams, and personal email, creating a coordinated campaign that overwhelms the victim's ability to discern legitimate from malicious contacts. The personalization of these attacks (enabled by open-source intelligence gathering via techniques like T1589.003 and T1591.004) makes them nearly indistinguishable from genuine business communication.


Key Terms & Concepts

Essential vocabulary explained simply
Spearphishing Service
A targeted phishing attack delivered through legitimate third-party platforms (LinkedIn, Slack, Teams, Twitter/X, dating apps) rather than traditional email. The attacker leverages the platform's trusted reputation to increase the likelihood that the victim will engage with the malicious message.
Everyday Analogy: Imagine someone wearing a FedEx uniform knocks on your door and says they have a package for you. You'd likely open the door because you trust FedEx, but the person is actually a scammer. Service-based phishing works the same way: attackers wear the "uniform" of trusted platforms to get past your guard.
Third-Party Platform Abuse
The act of misusing legitimate web services, collaboration tools, or social media platforms as attack vectors. This includes creating fake accounts, compromising existing ones, or exploiting platform features (messaging, file sharing, notifications) to deliver malicious payloads.
Everyday Analogy: It's like someone using a library's community bulletin board to post fake event flyers. The bulletin board itself is legitimate and trusted, but the content on it is deceptive and designed to lure people into a scam.
Fake Persona / Social Engineering Identity
A fabricated identity created by an attacker to impersonate a real person, business contact, or authority figure. This involves constructing a convincing online presence with fake employment history, profile photos (often stolen from real people), endorsements, and connection networks.
Everyday Analogy: Think of a "catfish" on a dating app who creates a completely fake profile with stolen photos and a fabricated biography. In cybersecurity, attackers do the same thing but on professional networks to trick employees into sharing confidential information.
Credential Harvesting
The process of tricking victims into revealing login credentials (usernames, passwords, MFA codes, API keys) through fake login pages, deceptive forms, or impersonation of IT support. Harvested credentials are then used to access corporate systems, email accounts, or cloud services.
Everyday Analogy: A scammer calls you pretending to be your bank, says there's been suspicious activity on your account, and asks you to "verify" your account number and PIN over the phone. You think you're protecting your money, but you're actually handing the keys to your account directly to the thief.
Supply Chain Account Compromise
When an attacker gains control of a legitimate account belonging to a vendor, partner, or trusted third party, then uses that account to send phishing messages to the victim organization. Because the account is legitimate and recognized by the target, these attacks have extremely high success rates.
Everyday Analogy: If someone steals your friend's phone and texts you from their number saying "Hey, I'm locked out of my account, can you send me the reset code?", you'd probably help because you trust your friend. Attackers do this at corporate scale by compromising vendor accounts.
Business Communication Compromise (BCC)
A variant of Business Email Compromise (BEC) that operates through non-email communication channels like Slack, Teams, or collaboration platforms. Attackers infiltrate business communication tools to intercept conversations, impersonate executives, and redirect financial transactions or data transfers. This is sometimes called "Business Chat Compromise."
Everyday Analogy: Instead of forging a letter (email), the scammer sneaks into the company's break room and intercepts conversations between coworkers, then slips in fake messages pretending to be the boss, all while everyone thinks they're talking to their real colleagues.
Multi-Channel Spearphishing
A coordinated attack strategy where the same target receives phishing messages across multiple platforms simultaneously, for example a LinkedIn connection request, a Slack DM, and a Teams notification, all reinforcing the same malicious narrative. This creates an illusion of legitimacy and increases the probability of victim engagement.
Everyday Analogy: Imagine seeing a product advertised on TV, then receiving a flyer in your mailbox, and then a friend mentions it, all for the same product. You start to think it must be legitimate because "everyone" is talking about it. Attackers use the same psychological principle across digital channels.
Platform Trust Exploitation
Leveraging the inherent trust that users and organizations place in well-known platforms and services. Because platforms like Microsoft 365, Google Workspace, and LinkedIn are considered safe, messages originating from or referencing these services are less likely to be scrutinized by both humans and automated security systems.
Everyday Analogy: A fake police officer pulls you over using a car that looks exactly like a real police cruiser. You pull over and comply because you trust the authority the uniform represents, not realizing the person wearing it is an impersonator. Attackers exploit the digital "uniforms" of trusted platforms in the exact same way.

Real-World Scenario

A compelling story of how T1598.001 unfolds in practice

Case Study: The LinkedIn Impersonation of Sarah Chen. This scenario is based on patterns observed in multiple real-world attacks and illustrates how adversaries combine open-source intelligence gathering with third-party service phishing to compromise high-value targets.

Phase 1: Open Source Intelligence (OSINT)
The attacker's team began by profiling Sarah Chen, a Marketing Director at a mid-size financial services firm. Using publicly available information on LinkedIn, the company website, press releases, and conference speaker bios, they assembled a detailed profile: her role, recent projects, team structure, reporting chain, professional interests, and the technology stack her department uses (Salesforce, HubSpot, Google Analytics). They used techniques from T1589.003 (Employee Names) and T1591.004 (Identify Roles) to identify her colleagues and organizational hierarchy.
Phase 2: Fake Persona Construction
The attackers created a convincing LinkedIn profile for "Alex Morgan, Senior Director of Strategic Partnerships at Salesforce." They used a stolen profile photo from a real person's social media account, fabricated a believable employment history, and populated the profile with endorsements, skills, and connections. Within two weeks, the fake profile had 50+ connections, including several employees from Sarah's own company who accepted the connection request without verification.
Phase 3: Initial Contact via LinkedIn InMail
"Alex" sent Sarah a personalized LinkedIn InMail referencing a real marketing technology conference Sarah had recently attended. The message mentioned a specific speaker and topic, making it clear the sender had "done their homework." The message proposed a partnership opportunity and asked if Sarah would be available for a brief call. Because it came through LinkedIn's verified messaging system, Sarah had no reason to suspect deception. The message did not contain any malicious links; it was purely a trust-building exercise.
Phase 4: Escalation to Slack
After Sarah responded positively on LinkedIn, "Alex" suggested moving the conversation to Slack, a platform Sarah's company actively uses. This was the critical pivot: by moving to a collaboration tool, the attacker now had a channel that bypassed all email security controls. Over the following week, "Alex" exchanged multiple messages with Sarah about the proposed partnership, sharing legitimate-looking (but fabricated) documents and meeting notes.
Phase 5: Credential Harvesting
The trap was sprung. "Alex" sent Sarah a Slack message with a link to what appeared to be a Salesforce partner portal: partner-salesforce[.]auth-verify[.]com. The page was a pixel-perfect clone of Salesforce's login screen. When Sarah entered her credentials, they were captured in real time and transmitted to the attacker's server. Within minutes, the attacker had access to Sarah's Salesforce account, containing customer data, deal pipelines, and financial forecasts.
Phase 6: Lateral Movement & Data Exfiltration
Using Sarah's stolen Salesforce credentials, the attacker accessed the CRM database, exported customer contact lists, and used Sarah's trusted email signature to send follow-up phishing messages to her colleagues, including her VP of Marketing and CFO. The attack cascaded through the organization over the next three weeks before being detected by the security team during a routine access review.
⚠ Before the Attack
Sarah and her team had no formal verification process for new contacts on messaging platforms. LinkedIn InMail was considered "safe." The company's security awareness training focused exclusively on email phishing, with no coverage of Slack, Teams, or social media threats. Collaboration tools were not monitored by the SOC, and there was no MFA requirement for third-party SaaS applications.
✓ After Remediation
The organization implemented mandatory MFA on all SaaS platforms, deployed a collaboration tool monitoring solution that flags unusual external contact patterns, created a formal contact verification procedure for messaging platforms, updated security awareness training to include service-based phishing scenarios, and enrolled in a third-party risk management program for vendor communication channels.

Step-by-Step Protection Guide

7 actionable steps to defend against service-based spearphishing
Step 1: Audit Your Organization's Third-Party Service Exposure (Visibility & Inventory)

  • Inventory all messaging, collaboration, and social media platforms used by employees for business purposes (Slack, Teams, LinkedIn, Discord, Zoom Chat, Telegram, etc.)
  • Identify which platforms have access to corporate credentials, SSO integrations, or can be used to share files and links
  • Document the data classification level of information shared on each platform and whether it's appropriate for that channel

Step 2: Enforce Multi-Factor Authentication (MFA) on All Platforms (Authentication Hardening)

  • Require MFA on every third-party service that integrates with corporate systems, especially CRM, cloud storage, email, and collaboration tools
  • Use hardware security keys (FIDO2/YubiKey) for high-risk accounts and administrator access; these cannot be phished like SMS or authenticator app codes
  • Implement conditional access policies that require MFA from unfamiliar devices, IP ranges, or geographic locations

Step 3: Implement Contact Verification Procedures (Human Firewall)

  • Create a formal process for verifying new contacts on messaging platforms: require employees to confirm identities through a known, trusted channel (e.g., official email or phone number from the corporate directory)
  • Train employees to be suspicious of unsolicited job offers, partnership proposals, or urgent requests received via LinkedIn InMail, Slack DMs, or Teams messages
  • Establish a "verify before you engage" culture where contacting unknown parties through secondary platforms triggers an automatic verification step

Step 4: Deploy Collaboration Tool Monitoring & DLP (Detection & Monitoring)

  • Extend your Data Loss Prevention (DLP) policies to cover Slack, Teams, Discord, and other collaboration platforms, not just email
  • Monitor for suspicious patterns: external users sharing links, unexpected file transfers, credential-sharing attempts, or unusual conversation initiations
  • Implement URL reputation checking and file sandboxing for links and attachments shared through messaging platforms

Step 5: Update Security Awareness Training for Service-Based Threats (Education & Awareness)

  • Expand phishing awareness training beyond email to include realistic simulations of LinkedIn, Slack, Teams, Twitter/X, Zoom, and dating app phishing scenarios
  • Teach employees to recognize the signs of fake profiles: recently created accounts, limited connection networks, stock photos, inconsistent employment history, and urgency-based tactics
  • Conduct regular tabletop exercises that simulate multi-channel phishing campaigns and test incident response procedures for service-based compromises

Step 6: Restrict Third-Party App Integrations & OAuth Permissions (Access Control)

  • Audit and minimize OAuth tokens and API permissions granted to third-party applications, especially those with access to email, contacts, calendars, or file storage
  • Implement app whitelisting for collaboration platforms and block unauthorized third-party integrations from accessing corporate data
  • Regularly review and revoke unused or unnecessary app permissions, and enforce token expiration policies

Step 7: Build an Incident Response Plan for Service-Based Compromises (Incident Response)

  • Create specific playbooks for responding to compromises via collaboration tools and social media; these differ from email-based incidents in speed, detection, and containment requirements
  • Establish relationships with platform security teams (LinkedIn Trust & Safety, Slack Security, Microsoft DART) for rapid account takedown and investigation support
  • Define communication protocols for notifying employees, customers, and partners when a business communication channel has been compromised
⚡ Critical Reminder: Service-based phishing attacks are specifically designed to bypass traditional email security controls. Organizations that focus exclusively on email gateway protection are leaving their most vulnerable attack surface (collaboration tools and social media) completely undefended. A comprehensive defense strategy must cover all communication channels.
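Step 6 above describes an OAuth grant audit in prose. The following added example (not code from the original page) shows what such an audit looks like when written down as policy: it checks each grant against an app allowlist, flags the scope classes the page calls high risk (email, contacts, calendars, file storage), and enforces stale-grant and token-lifetime rules. The grant records, app names, scope strings and field names are constructed assumptions; a real audit would read grants from the identity provider's admin API.

```python
"""Audit third-party OAuth grants against an app allowlist and scope policy.

Added example (not code from the original page): the grant records, the
allowlist and the risk rules are constructed to illustrate Step 6 of the
protection guide. Field names are assumptions; a real audit would pull the
grants from the identity provider's admin API rather than a literal list.
"""
from datetime import date

# Apps the organization has explicitly approved (app whitelisting).
APPROVED_APPS = {"Acme Calendar Sync", "Corp Ticketing Bot", "Build Status Bot"}

# Scope name fragments covering the permission classes the page calls out as
# high risk: email, contacts, calendars and file storage.
HIGH_RISK_FRAGMENTS = ("mail", "contact", "calendar", "file", "drive")

STALE_AFTER_DAYS = 90          # revoke grants that have sat unused this long
MAX_TOKEN_LIFETIME_DAYS = 365  # every token must expire within this window
AUDIT_DATE = date(2025, 6, 1)  # fixed "today" so the constructed data is reproducible


def high_risk_scopes(scopes):
    """Scopes whose name matches one of the high-risk permission classes."""
    return [s for s in scopes if any(f in s.lower() for f in HIGH_RISK_FRAGMENTS)]


def audit_grant(grant, today=AUDIT_DATE):
    """Return (action, findings) for one grant: keep, review or revoke."""
    findings = []
    unapproved = grant["app"] not in APPROVED_APPS
    if unapproved:
        findings.append("app not on allowlist")
    risky = high_risk_scopes(grant["scopes"])
    if risky:
        findings.append("high-risk scopes: " + ", ".join(risky))
    idle_days = (today - grant["last_used"]).days
    stale = idle_days > STALE_AFTER_DAYS
    if stale:
        findings.append(f"unused for {idle_days} days")
    if grant["expires"] is None:
        findings.append("token never expires")
    elif (grant["expires"] - grant["granted"]).days > MAX_TOKEN_LIFETIME_DAYS:
        findings.append("token lifetime exceeds policy")

    if unapproved or stale:
        action = "revoke"   # unauthorized or abandoned access is removed outright
    elif findings:
        action = "review"   # approved app with broad scopes or a token-policy gap
    else:
        action = "keep"
    return action, findings


def audit_all(grants, today=AUDIT_DATE):
    """Map each app name to its (action, findings) pair."""
    return {g["app"]: audit_grant(g, today) for g in grants}


# Constructed grant records (an identity provider would supply these).
SAMPLE_GRANTS = [
    {"app": "Acme Calendar Sync", "scopes": ["calendars.read"],
     "granted": date(2025, 1, 10), "last_used": date(2025, 5, 30), "expires": date(2025, 7, 10)},
    {"app": "Partner Portal Helper", "scopes": ["mail.read", "files.readwrite"],
     "granted": date(2025, 5, 20), "last_used": date(2025, 5, 28), "expires": None},
    {"app": "Corp Ticketing Bot", "scopes": ["chat.write"],
     "granted": date(2024, 11, 1), "last_used": date(2025, 1, 15), "expires": date(2025, 11, 1)},
    {"app": "Build Status Bot", "scopes": ["chat.write"],
     "granted": date(2025, 3, 1), "last_used": date(2025, 5, 31), "expires": date(2025, 9, 1)},
]

if __name__ == "__main__":
    for app, (action, findings) in audit_all(SAMPLE_GRANTS).items():
        print(f"{action:7} {app}: {'; '.join(findings) or 'no findings'}")
```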

Common Mistakes & Best Practices

What to avoid and what to adopt

Common Mistakes

Mistake #1
Assuming messaging platforms are safe. Many organizations treat Slack, Teams, and LinkedIn as trusted channels and exclude them from security monitoring. Attackers know this and deliberately target these "blind spots" because messages bypass Secure Email Gateways and URL filters entirely.
Mistake #2
Accepting connection requests without verification. Employees routinely accept LinkedIn, Slack, and Teams connection requests from strangers, especially when the requester appears to be a recruiter, potential client, or industry peer. This provides attackers with a direct, trusted channel to the target.
Mistake #3
Limiting security awareness to email only. Phishing training that only covers email leaves employees unprepared for attacks via LinkedIn, Slack, Teams, SMS, and social media. Modern phishing is multi-channel, and training must reflect this reality.
Mistake #4
Not enforcing MFA on third-party SaaS applications. Many organizations require MFA for corporate email but leave CRM, collaboration, and cloud storage accounts protected only by passwords. A single compromised credential on a third-party service can provide an attacker with extensive access to corporate data.
Mistake #5
Ignoring the supply chain attack vector. Organizations often focus on protecting their own accounts while ignoring the risk posed by compromised vendor, partner, or customer accounts. 11.4% of phishing attacks originate from compromised supply chain accounts, making this a critical blind spot.

Best Practices

Best Practice #1
Extend DLP and monitoring to all communication channels. Deploy Data Loss Prevention policies, URL filtering, and behavioral analytics across Slack, Teams, LinkedIn, and other platforms, not just email. Modern SIEM/SOAR solutions can ingest logs from collaboration tools and detect anomalous patterns.
Best Practice #2
Implement zero-trust principles for external contacts. Treat every new contact on any platform as potentially untrusted until verified through an independent channel. Require out-of-band verification for any request involving credentials, financial transactions, or sensitive data sharing.
Best Practice #3
Use phishing-resistant MFA everywhere. Deploy FIDO2 hardware security keys for all accounts with access to sensitive data. Hardware keys are immune to real-time phishing proxies and cannot be intercepted through messaging-based social engineering attacks.
Best Practice #4
Run multi-channel phishing simulations. Regularly test your employees with simulated phishing attacks delivered through LinkedIn, Slack, Teams, and SMS, not just email. Track click rates and use results to tailor training to the platforms your organization uses most.
Best Practice #5
Establish vendor and third-party communication policies. Define approved communication channels for vendor interactions, implement vendor risk assessments, and maintain an up-to-date registry of authorized contacts. Flag any vendor communication received through unofficial channels for verification.

Red Team vs Blue Team

Attacker and defender perspectives on service-based phishing
🔴 Red Team: Attacker Perspective

The attacker views third-party services as trusted delivery mechanisms that bypass traditional security controls. The goal is to establish communication through a platform the target already uses and trusts, gradually build rapport, and extract credentials or sensitive information without triggering suspicion.

  • Platform Selection: Choose platforms based on the target's industry. LinkedIn for corporate executives, Slack for tech companies, Teams for Microsoft environments, Discord for gaming/crypto communities, and Telegram for international targets.
  • Persona Construction: Build a convincing fake identity using stolen photos, fabricated employment history, and realistic social activity. Populate the profile with connections, endorsements, and posts that align with the target's industry and interests.
  • Gradual Escalation: Start with benign interactions (connection requests, likes, comments) before initiating direct messaging. Build trust over days or weeks before introducing any requests for information or action.
  • Multi-Channel Reinforcement: Contact the target across multiple platforms simultaneously to create an illusion of legitimacy. A LinkedIn connection followed by a Slack message from the "same person" reinforces the authenticity of the fake persona.
  • Credential Harvesting: Use pixel-perfect clones of legitimate login pages hosted on lookalike domains. Timing the credential request during a natural conversation (e.g., "let me share this document; you'll need to log in to view it") maximizes success rates.
  • Account Compromise: When possible, compromise a real account from the target's supply chain. Messages from a known, trusted vendor account have significantly higher success rates than fake profiles.
🔵 Blue Team: Defender Perspective

The defender must protect an expanding attack surface that extends far beyond email. The challenge is to maintain security visibility across all communication channels without impeding legitimate business communication and collaboration.

  • Comprehensive Monitoring: Extend SIEM/SOAR coverage to include logs from Slack, Teams, LinkedIn, and other collaboration platforms. Monitor for indicators like external user message spikes, credential-sharing language, and URL patterns associated with known phishing infrastructure.
  • Identity Verification: Implement out-of-band verification procedures for new contacts on messaging platforms. Require employees to confirm identities through known corporate directories before sharing any sensitive information.
  • Phishing-Resistant MFA: Deploy FIDO2 hardware keys as the primary authentication mechanism for all high-value accounts. Hardware keys provide the strongest protection against credential harvesting attacks, even when victims unknowingly enter credentials on fake login pages.
  • Threat Intelligence Integration: Subscribe to threat intelligence feeds that track phishing domains targeting collaboration platforms. Block known-bad domains at the DNS level and correlate messaging platform alerts with threat intel indicators.
  • Behavioral Analytics: Use UEBA (User and Entity Behavior Analytics) to detect anomalous patterns in collaboration tool usage, such as a user suddenly communicating with unknown external parties, sharing unusual volumes of data, or accessing resources outside their normal pattern.
  • Rapid Response Playbooks: Maintain specific incident response procedures for collaboration platform compromises, including account lockdown, message audit, credential reset workflows, and communication templates for stakeholder notification.
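Step 4 of the protection guide and the Blue Team "Comprehensive Monitoring" point both call for scanning collaboration-tool traffic for the signals this page describes: external senders, links to lookalike login domains, credential-request wording and urgency. The following added example (not code from the original page or from any platform's API) implements that triage over constructed Slack/Teams message events modelled on the lures shown in the simulation. It goes slightly beyond the page's two example hosts by normalizing common digit-for-letter substitutions (z00m, micr0soft) before checking whether a protected brand name appears in a host that the brand does not own; event field names, the brand table and the scoring weights are assumptions.

```python
"""Triage collaboration-tool messages for service-based phishing indicators.

Added example (not code from the original page): scores constructed Slack/Teams
message events against the signals the page lists for collaboration-tool
monitoring, namely an external sender, a link to a lookalike login domain,
credential-request language and urgency wording. Event field names are assumed.
"""
import re

# Brands whose login pages attackers clone, mapped to the registered domains
# that legitimately serve them (illustrative table, not exhaustive).
PROTECTED_BRANDS = {
    "zoom": {"zoom.us"},
    "salesforce": {"salesforce.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "slack": {"slack.com"},
}

# Hostnames, including defanged ones written as example[.]com.
HOST_RE = re.compile(r"(?:https?://)?\b((?:[A-Za-z0-9-]+(?:\.|\[\.\]))+[A-Za-z]{2,})\b")
CRED_RE = re.compile(r"\b(credentials?|passwords?|verify|sign[ -]?in|log[ -]?in|mfa|reset code)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|asap|immediately|suspended|right away)\b", re.I)
# Digit-for-letter substitutions seen in lookalike hosts such as z00m-login.com
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registered_domain(host):
    # Simplification: last two labels; multi-part suffixes like co.uk are not handled.
    return ".".join(host.split(".")[-2:])


def lookalike_hosts(text):
    """Return hosts that mention a protected brand but are not served by it."""
    found = []
    for match in HOST_RE.finditer(text):
        host = match.group(1).replace("[.]", ".").lower()
        normalized = host.translate(HOMOGLYPHS)
        for brand, legit_domains in PROTECTED_BRANDS.items():
            if brand in normalized and registered_domain(host) not in legit_domains:
                found.append(host)
                break
    return found


def score_message(event):
    """Score one message event; higher means more likely a phishing lure."""
    text = event["text"]
    score, reasons = 0, []
    if event["sender_external"]:
        score += 1
        reasons.append("external sender")
    lookalikes = lookalike_hosts(text)
    if lookalikes:
        score += 3
        reasons.append("lookalike domain")
    if CRED_RE.search(text):
        score += 2
        reasons.append("credential-request language")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency wording")
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"id": event["id"], "score": score, "verdict": verdict,
            "reasons": reasons, "lookalikes": lookalikes}


def triage(events):
    """Score every event and return the results, highest score first."""
    return sorted((score_message(e) for e in events),
                  key=lambda r: r["score"], reverse=True)


# Constructed events modelled on the lures shown in the page's simulation.
SAMPLE_EVENTS = [
    {"id": 1, "platform": "teams", "sender_external": True,
     "text": "URGENT: Your Zoom account will be suspended. Verify at z00m-login[.]com"},
    {"id": 2, "platform": "slack", "sender_external": True,
     "text": "Here is the partner portal: partner-salesforce[.]auth-verify[.]com "
             "- you'll need to log in to view the document."},
    {"id": 3, "platform": "teams", "sender_external": False,
     "text": "Please confirm your Microsoft 365 credentials for the team workspace migration."},
    {"id": 4, "platform": "slack", "sender_external": False,
     "text": "Could you review the shared doc at https://acme.slack.com/archives/C123? Standup moved to 10:30."},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result["id"], result["verdict"], result["score"], result["reasons"])
```

A "medium" verdict on an internal credential request (event 3) is deliberate: the page's scenario shows compromised insiders and vendors sending the same lures, so sender trust lowers but does not clear the score.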
🔍

Threat Hunter's Eye

How attackers exploit weaknesses, explained safely and simply
Understanding how attackers abuse third-party services doesn't require deep technical knowledge. The fundamental weakness is simple: humans trust platforms they recognize. When a message arrives through LinkedIn, Slack, or Teams, our brain automatically categorizes it as "legitimate", which is exactly what attackers exploit. Below are the key weaknesses attackers target, along with safe, non-technical explanations of how they're abused.
01. The Trust Heuristic (Psychological Exploit)

Humans use mental shortcuts (heuristics) to make quick trust decisions. When we see a message from a "known" platform with a familiar logo and interface, our brain automatically applies the "platform trust" heuristic, assuming the message is safe because the platform is legitimate. Attackers exploit this by delivering malicious content through trusted platforms, knowing the platform's branding will trigger an automatic trust response in the victim's brain.

02. Platform Segmentation Blindness (Security Gap)

Most security teams monitor email closely but have limited or no visibility into Slack, Teams, LinkedIn, and other messaging platforms. This creates a "security gap": an entire category of communication that is completely unsupervised. Attackers deliberately target these blind spots because they know the messages will never be scanned by email security tools, URL filters, or DLP systems.

03. Notification Fatigue (Behavioral Exploit)

The average professional receives dozens of notifications daily across multiple platforms. This constant stream of alerts creates "notification fatigue": a state where users stop carefully evaluating each notification and instead respond on autopilot. Attackers exploit this by timing their phishing messages during peak notification hours, when victims are most likely to click without thinking.

04. Social Proof Amplification (Social Engineering)

When a target sees that a new contact has mutual connections, endorsements, or appears to be part of their professional network, the principle of "social proof" kicks in: "if other people I know trust this person, I should too." Attackers manipulate social proof by building fake networks of interconnected accounts, all supporting each other's credibility.

05. Authority Exploitation (Authority Principle)

People are wired to comply with authority figures. When an attacker impersonates a senior executive, IT administrator, or platform support representative, victims are significantly more likely to follow instructions, even suspicious ones. This is amplified on collaboration platforms where organizational hierarchies and roles are often visible.

06. The Urgency Principle (Pressure Tactic)

Phishing messages create a false sense of urgency ("your account will be suspended," "immediate action required," "security alert") that overrides the victim's critical thinking. When combined with the trusted platform context, this urgency becomes even more effective: the victim is already in "trust mode" from the platform, and urgency pushes them to act before they can question the message's legitimacy.
🎓 Learning Note: All of the psychological principles described above are well-documented in behavioral psychology and social engineering research. Understanding these concepts doesn't require any hacking skills; it requires understanding how humans make decisions. The most effective defense is building awareness of these mental shortcuts so you can recognize when they're being exploited.