The Slack/Teams Phishing Pivot: How Email Is the Entry Point

Slack and Teams phishing usually starts with an email. Here is how the pivot works and why email-layer defenses still matter for chat-platform compromise.

Slack and Teams phishing has become a meaningful attack vector because the chat platforms operate under different trust assumptions than email. A compromised chat account can pivot to many further compromises before detection. This post is about how the pivot works and why email-layer defenses still matter.

How the Pivot Works

The mechanism:

Step one: email-based credential phishing. The attacker sends a phishing email mimicking a chat platform login (Slack, Microsoft Teams, Google Chat, Discord, others). The email cites a routine reason: a security update, a workspace invitation, a notification about messages.

Step two: credential capture. The user clicks through to a fake login page that mimics the real platform’s authentication flow. The user enters credentials. The attacker now has access.

Step three: chat platform reconnaissance. The attacker logs into the chat platform and observes the user’s coworker network, the channels they participate in, the topics they discuss, and the relationships that exist on the platform.

Step four: pivot attacks against coworkers. The attacker, now operating from a trusted account on a trusted platform, sends phishing or social engineering messages to the user’s coworkers. The messages are higher-trust than emails because they appear to come from a known coworker on a normal communication channel.

Step five: secondary compromise. Coworkers act on the messages, click links, share credentials, transfer money, or perform other actions that the attacker requested. The cumulative damage from a single chat-platform compromise can substantially exceed the damage from the initial email phishing.

The structural pattern: email is the entry point, chat is the amplifier. Email-layer defenses limit the entry; chat-layer defenses limit the amplification.

Why Chat Platforms Are Trusted Differently

Several structural reasons explain why chat-platform compromise is more damaging than email compromise.

Implicit identity authentication. Users assume messages on Slack or Teams are from real coworkers because the chat platform is internal. The skepticism that applies to external email does not apply to internal chat. The identity assumption is built into the platform.

Lower message friction. Chat messages are short and conversational. Users respond quickly without applying the deliberation they might apply to a longer email. The reduced friction reduces verification.

Faster pivot mechanics. A compromised chat account can send messages to many coworkers in minutes. The compromise window between initial breach and secondary attacks is short.

Less mature security tooling. Email security has decades of accumulated detection capability. Chat platform security is younger and lags significantly. The detection mechanisms for unusual messages, suspicious links, and account takeover are improving but not at parity with email.

The combination produces a high-impact attack target where compromise produces large secondary damage.

What the Pivot Looks Like

Common patterns after a chat platform compromise:

Internal credential phishing. “Hey, IT is rolling out new MFA. Can you click this link and re-enroll?” The link leads to a fake authentication page.

Wire fraud requests. “Quick question, can you help me wire some money? I’ll explain later.” Sent in a DM where the trust level is high.

Sensitive data requests. “Need the latest customer list for a meeting in 10 minutes. Can you DM me the file?”

Lateral movement. Attempting to access shared files, channels, or external integrations through the compromised account.

Reconnaissance. Reading message history to identify high-value targets, ongoing projects, and sensitive topics for further attacks.

The patterns mirror email-based attacks but with higher initial trust.

What Standard Defenses Do and Do Not Do

Native chat platform filtering. Slack and Teams both have built-in detection for some phishing patterns. Coverage is improving but lags email.

Microsoft 365 Defender for Office 365 (with Teams integration). Includes some Teams-specific phishing detection. Limited compared to email coverage.

Third-party chat security products. Coro, Material Security, and a few others offer chat-platform security. The category is small and immature.

Awareness training covering chat phishing. Generic training rarely addresses this. Specific modules are valuable but not yet standard.

Hardware-key MFA on the chat platform. The highest-impact technical control. Defeats the credential-only attack at the entry point.

Account-takeover detection. Catches compromised accounts after the fact through behavioral anomaly. Most major chat platforms have some form of this.

The honest summary: chat platform security is a developing area. The strongest defense is currently hardware-key MFA at the entry point combined with email-layer defenses that reduce the volume of credential phishing.

How Email-Layer Defenses Help

Even though the damage happens on the chat platform, the entry point is email. Email-layer defenses reduce the volume of credential phishing reaching users.

Native filtering. Catches mass-volume mechanical phishing reliably. The obvious “Click here to verify your Slack account” emails are caught.

Defender or Workspace Advanced Protection. Catches more sophisticated phishing emails impersonating chat platforms. URL rewriting catches some link-based attacks at click time.

Inbox-layer filtering. A cover charge gate makes mass-volume credential phishing campaigns uneconomical. The 1,000-recipient blast against a specific company becomes unprofitable when each recipient costs four cents.

Awareness training. Reduces click-through on the email phishing portion. Generic training covers this case adequately because the email portion is structurally similar to other credential phishing.

The pattern: email-layer defenses reduce the volume of attacks that reach the chat platform compromise stage. Hardware-key MFA on the chat account closes the credential-only attack path. Awareness training catches some of the residual.
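
An email-layer check for the chat-platform login lure described above, as an added example that is not part of the original post or any vendor's filter: it flags mail that names a chat brand in From or Subject but links to a host outside that brand's domains. The allowlist and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: illustrative allowlist of sign-in domains per brand; tune for your tenant.
BRAND_DOMAINS = {
    "slack": {"slack.com"},
    "teams": {"microsoft.com", "microsoftonline.com"},
}

# Constructed sample messages (not real mail); .example hosts are reserved names.
PHISH = """From: Slack Security <notify@slack-alerts.example>
Subject: Action required: workspace security update
Content-Type: text/html

<a href="https://slack.com.signin-check.example/login">Sign in to Slack</a>
"""
LEGIT = """From: Slack <notification@slack.com>
Subject: New messages in #general
Content-Type: text/html

<a href="https://acme.slack.com/archives/C0000000">Open in Slack</a>
"""

def host_in(host, domains):
    # Exact match or true subdomain; "slack.com.signin-check.example" must not pass.
    return any(host == d or host.endswith("." + d) for d in domains)

def claimed_brands(msg):
    text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    return sorted(b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text))

def link_hosts(msg):
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            hosts.add((urlparse(url).hostname or "").rstrip("."))
    return sorted(h for h in hosts if h)

def brand_link_mismatches(raw):
    """Return (brand, host) pairs where mail naming a chat brand links off-brand."""
    msg = message_from_string(raw)
    return [(b, h) for b in claimed_brands(msg) for h in link_hosts(msg)
            if not host_in(h, BRAND_DOMAINS[b])]
```

A mismatch is a triage signal, not a verdict: legitimate notifications can link to third-party hosts, so pair it with sender authentication results before quarantining.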

What Defenses Hold After Compromise

If a chat account is compromised, these defenses limit the damage:

Account-takeover detection. Slack, Teams, and other major platforms have detection for unusual login patterns. The detections need to be reviewed, but they catch many compromises before significant secondary damage.

Coworker awareness. Users who recognize unusual messages from coworkers as potentially compromised accounts can verify before acting. “Hey, was that you who just DMed me about a wire transfer?” sent through a different channel catches many pivot attacks.

Reauthorization for sensitive actions. Some organizations require fresh authentication for any wire transfer or sensitive data request, regardless of the channel that initiated it. The reauth catches the chat-pivot version because the attacker does not have the second factor.

Limited admin scope. Restricting admin access on chat platforms to a small set of accounts limits the blast radius of any single compromise.

Audit logging. Records of chat activity that can be reviewed after a compromise to assess damage and contain pivots.
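
One way to review audit records for the fast pivot described earlier, as an added example that is not part of the original post: it flags accounts that send link-bearing DMs to several distinct coworkers shortly after a login from an IP not seen before for that user. The event schema, thresholds, baseline and sample events are all assumptions constructed for illustration, not any platform's log format.

```python
from collections import defaultdict

WINDOW_S = 15 * 60    # assumption: how long after an unfamiliar login to watch
MIN_RECIPIENTS = 3    # assumption: distinct link-DM recipients that trigger review

# Assumption: per-user baseline of previously seen login IPs.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.20"}, "carol": {"192.0.2.30"}}

# Constructed events in a hypothetical normalized schema (not a vendor log format).
SAMPLE_EVENTS = [
    {"ts": 900, "actor": "bob", "action": "login", "ip": "192.0.2.20"},
    {"ts": 950, "actor": "bob", "action": "dm_sent", "recipient": "alice", "has_link": True},
    {"ts": 960, "actor": "bob", "action": "dm_sent", "recipient": "carol", "has_link": True},
    {"ts": 970, "actor": "bob", "action": "dm_sent", "recipient": "dave", "has_link": True},
    {"ts": 1000, "actor": "alice", "action": "login", "ip": "198.51.100.7"},
    {"ts": 1060, "actor": "alice", "action": "dm_sent", "recipient": "bob", "has_link": True},
    {"ts": 1120, "actor": "alice", "action": "dm_sent", "recipient": "carol", "has_link": True},
    {"ts": 1180, "actor": "alice", "action": "dm_sent", "recipient": "dave", "has_link": True},
    {"ts": 2000, "actor": "carol", "action": "login", "ip": "203.0.113.5"},
    {"ts": 2100, "actor": "carol", "action": "dm_sent", "recipient": "alice", "has_link": True},
    {"ts": 2200, "actor": "carol", "action": "dm_sent", "recipient": "bob", "has_link": False},
]

def find_pivot_bursts(events, known_ips):
    """Return one finding per unfamiliar login followed by a link-DM fan-out."""
    open_window = {}             # actor -> (login ts, ip) of latest unfamiliar login
    bursts = defaultdict(set)    # (actor, login ts, ip) -> distinct DM recipients
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = ev["actor"]
        if ev["action"] == "login" and ev["ip"] not in known_ips.get(actor, set()):
            open_window[actor] = (ev["ts"], ev["ip"])
        elif ev["action"] == "dm_sent" and ev.get("has_link") and actor in open_window:
            start, ip = open_window[actor]
            if ev["ts"] - start <= WINDOW_S:   # ignore DMs sent after the watch window
                bursts[(actor, start, ip)].add(ev["recipient"])
    return [{"actor": a, "login_ts": s, "ip": ip, "recipients": sorted(r)}
            for (a, s, ip), r in sorted(bursts.items()) if len(r) >= MIN_RECIPIENTS]
```

The recipients list in each finding doubles as the containment list: those are the coworkers to contact through a different channel.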

A Specific Honest Note

The Slack/Teams phishing pivot is a meaningful attack vector that is harder to defend against than pure email phishing because chat platforms operate under higher trust assumptions and have less mature security tooling. The structural answer is layered defense: email-layer reduction of volume, hardware-key MFA at the entry point, and chat-layer detection for compromise that gets through.

Rythm reduces the volume of email phishing that initiates these attacks. Hardware-key MFA on the chat platform account closes the credential-only entry path. Awareness training and account-takeover detection handle the residual.

For the related guides, see the anatomy of a modern phishing email, MFA doesn’t stop phishing: here is what it does, the lookalike domain problem, and phishing awareness training: what it catches and what it misses. For the broader frame, see why phishing emails are getting harder to spot in 2026 and what is BEC. Rythm is $1.65 per month, cancel anytime.
