Risk Has Moved Beyond Your Inbox

For years, email was the main security battleground. Phishing, scams, and account takeovers were problems companies knew how to fight—at least in theory. Secure email gateways, AI-driven detection, relentless user training. We built entire industries around stopping bad emails from reaching inboxes.

But now? Attackers don’t even need your inbox. They’ve moved to the communication and networking platforms businesses rely on every day. Places where users trust too much and security teams think too little.

Here’s the truth: The way people work has changed. Collaboration is real-time, fluid, and decentralized. But security hasn’t kept up. Most organizations still defend like it’s 2015, focused on email-first security strategies. Meanwhile, attackers have already adapted—phishing inside Slack, hijacking Teams credentials, running scams on LinkedIn.

The result? A massive gap in defenses. One that’s being exploited right now.

The Attack Surface Has Shifted—But Defenses Haven’t

We used to say email is the number one attack vector—and for a long time, that was true. But in 2024, cybercriminals don’t need to start with email anymore. They go straight to where people work.

The numbers prove it:

  • Proofpoint reported a 2,524% increase in URL-based threats delivered through SMS, many of which target Slack, Teams, and LinkedIn (Proofpoint).
  • SlashNext saw a 703% spike in credential phishing attacks in the second half of 2024 (SlashNext).

The problem isn’t just that attacks are shifting—it’s that companies aren’t shifting defenses to match them.

Cybersecurity has spent the last two decades hardening email. Secure email gateways (SEGs), phishing-resistant authentication, AI-powered anomaly detection—email security is battle-tested.

Slack security? Not even close.

Why Slack Is a Hacker’s Playground

Slack wasn’t built for security teams. It was built for speed. The entire platform is designed around fast, frictionless communication—real-time messaging, open channels, instant file-sharing.

In August 2024, researchers uncovered a vulnerability in Slack’s AI feature that allowed attackers to steal data from private channels via prompt injection (PromptArmor Blog).

Slack’s design philosophy makes it great for productivity—but also a dream for attackers.

  1. Users Assume Slack Is a “Safe Space”

Employees treat Slack like an internal chatroom, not a security risk. They don’t scrutinize messages the way they do with email.

That’s a problem, because Slack isn’t actually internal.

  • Guest Accounts: External contractors, vendors, and even customers can be invited into channels.
  • OAuth Integrations: Third-party bots and apps often have access to message history and files.
  • Cross-Workspace Messaging: Slack Connect lets employees chat with users in different organizations—creating a huge blind spot for security teams.

Security teams aren’t monitoring who gets invited into what channels. They’re not running behavioral analysis on how files move between workspaces. And attackers know it.
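As an added illustration (not from the original article and not Slack's own code), the sketch below reviews workspace audit events for the three exposure paths listed above: guests joining private channels, apps installed with message-history or file read scopes, and channels shared with outside organizations that are not on an approved list. The event schema, action names, org IDs and sample events are constructed assumptions; only the OAuth scope names are real Slack scopes.

```python
from dataclasses import dataclass

# Real Slack OAuth scopes that grant read access to message history or files.
BROAD_READ_SCOPES = {"channels:history", "groups:history", "im:history",
                     "mpim:history", "files:read"}
# Hypothetical allowlist of partner organization IDs approved for shared channels.
APPROVED_PARTNER_ORGS = {"T0PARTNER1"}

@dataclass
class Event:
    """Simplified, constructed audit event; not Slack's actual log schema."""
    action: str                 # hypothetical normalized action name
    actor: str                  # who performed the action
    target: str                 # channel name or app name
    private: bool = False       # target channel is private
    actor_is_guest: bool = False
    scopes: frozenset = frozenset()
    external_org: str = ""

def review(events):
    """Return (rule, detail) findings for the three exposure paths."""
    findings = []
    for e in events:
        if e.action == "channel_join" and e.actor_is_guest and e.private:
            findings.append(("guest_in_private_channel", f"{e.actor} joined {e.target}"))
        elif e.action == "app_installed":
            risky = sorted(e.scopes & BROAD_READ_SCOPES)
            if risky:
                findings.append(("app_reads_history_or_files",
                                 f"{e.target} installed by {e.actor}: {', '.join(risky)}"))
        elif e.action == "channel_shared_externally":
            if e.external_org not in APPROVED_PARTNER_ORGS:
                findings.append(("unapproved_external_org",
                                 f"{e.target} shared with {e.external_org}"))
    return findings

# Constructed sample events.
SAMPLE_EVENTS = [
    Event("channel_join", "guest_vendor_a", "#finance-approvals", private=True, actor_is_guest=True),
    Event("channel_join", "alice", "#finance-approvals", private=True),
    Event("channel_join", "guest_vendor_a", "#vendor-lobby", actor_is_guest=True),
    Event("app_installed", "bob", "summarizer-bot",
          scopes=frozenset({"channels:history", "files:read", "chat:write"})),
    Event("app_installed", "bob", "standup-bot", scopes=frozenset({"chat:write"})),
    Event("channel_shared_externally", "carol", "#proj-launch", external_org="T0UNKNOWN9"),
    Event("channel_shared_externally", "carol", "#partner-sync", external_org="T0PARTNER1"),
]

if __name__ == "__main__":
    for rule, detail in review(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```
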

  2. The Disney Breach: A Case Study in Slack Exploitation

Disney didn’t get hacked because of a sophisticated zero-day exploit. They got hacked because an employee unknowingly downloaded malware disguised as an AI tool, which compromised credentials and gave attackers access to Slack. The result? More than 44 million internal messages were exfiltrated and leaked publicly (Wall Street Journal).

The stolen data wasn’t just random Slack conversations—it included unreleased project details, source code, login credentials, and internal APIs. Slack’s structure gave attackers access without requiring further escalation.

Disney’s response? They shut down Slack entirely (Business Insider).

Most companies won’t go that far. But the lesson is clear: Treat Slack with the urgency of email—because attackers already do.

  3. Lateral Movement Inside Slack

If an attacker gets into your email, they can phish other employees—but most phishing filters will catch it.

If an attacker gets into Slack? They can impersonate an employee in real-time, join sensitive channels, and spread malware without triggering traditional security alerts.

Slack wasn’t designed with intrusion detection in mind. That’s why lateral movement is so easy for attackers—once they’re in, they’re invisible.

Why Employees Trust These Platforms (And Why They Shouldn’t)

Security training has drilled skepticism into employees when it comes to email. Hover over links. Verify senders. Assume danger.

But inside collaboration tools? That same scrutiny disappears.

Think about it—if a coworker messaged you in Slack and said, “Hey, I need your help processing this payment real quick,” you’d probably do it without second-guessing. In email, you might double-check. In Slack, it feels like an internal request. That’s why these attacks work.

Attackers are weaponizing trust—and it’s paying off.

How Security Teams Are Catching Up

The old playbook—blocking malicious emails, filtering spam, deploying secure email gateways—isn’t enough. Organizations need a security model that extends beyond email to where real work happens.

That’s why the future of security is cross-platform protection.

Companies are shifting toward:

  • AI-driven behavioral monitoring that detects anomalies inside Slack, Teams, and LinkedIn.
  • Continuous access monitoring to flag unusual login patterns and unauthorized data movements.
  • Proactive threat hunting across collaboration platforms—not just email.

The security industry is quickly evolving, with many organizations making adaptive resilience a top priority in 2025. Because companies that get ahead of this shift? They’ll stop attacks before they start. The ones that don’t? They’ll be cleaning up breaches.

About the Author

Jeremy Ventura is currently the Field CISO at global systems integrator Myriad360. A seasoned cybersecurity professional and advisor, he specializes in information security best practices, driving defense strategies, and safeguarding organizations against evolving threats. With extensive experience in vulnerability management, API security, email security, incident response, and security center operations, he has honed his expertise through roles at premier security vendors and internal security teams. Follow Jeremy on LinkedIn.

