Internal account compromise turns your own trusted communication channels into attack vectors. Once an attacker controls a legitimate employee account, they inherit that employee's entire social trust — without triggering a single security alert.
Credential stuffing, phishing, and session token theft are now so efficient that compromising a Slack, Teams, or email account has become a commodity attack. The attacker doesn't need to break your perimeter — they need one employee to click one link.
Once inside a trusted account, the attacker's position is nearly unassailable. They can read every previous message — learning communication style, ongoing projects, colleague names, and sensitive context. They can request credentials from colleagues who recognize the familiar username. They can initiate transactions, authorize access changes, or exfiltrate data at will.
The average time between initial compromise and detection is 243 days. During that window, an attacker operating inside your Slack or email environment can access everything a legitimate employee can access — and colleagues have no way to know the account is compromised.
This attack pattern is responsible for the majority of enterprise data breaches. Verizon's DBIR consistently reports that 74% or more of breaches involve privilege abuse or credential compromise. The attacker is not sophisticated — they have a valid username and password.
Attack anatomy — step by step
1. Attacker acquires credentials via phishing email, credential stuffing against a reused password, or purchasing leaked credentials from a breach database.
2. Attacker establishes a session in the target's Slack, Teams, or email account.
3. Attacker reads message history to learn communication style, active projects, and colleague relationships.
4. Attacker poses as the compromised employee and requests sensitive information — credentials, API keys, MFA codes, or financial approvals.
5. Colleagues comply, recognizing the familiar username and communication style.
6. Attacker establishes persistence, exfiltrates data, and covers tracks before detection.
Why your stack fails
MFA protects the login. It does not protect the conversation that happens after login. Once a session is established, all downstream activity looks legitimate. Behavioral analytics and UEBA tools can flag anomalies in aggregate but are not designed to catch targeted, low-volume social engineering within an established session.
How Real Authenticator stops it
A code exchange before any sensitive credential is shared confirms the real person — not just their session. An attacker who has compromised a Slack account cannot produce a valid TOTP code, because the code is generated from a device-resident secret on the real employee's phone. A policy of 'always ask for a code before sharing credentials' takes five seconds and makes account compromise non-exploitable.
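As an added example (not Real Authenticator's own code), here is the check described above implemented with standard RFC 6238 TOTP in Python: the colleague's side verifies the offered code against the employee's enrolled secret, tolerates a little clock drift, and refuses a code replayed from the chat. That the product uses exactly this scheme, and the class and function names, are assumptions; the secret is the RFC test vector, used as a constructed sample.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: the code the employee's phone displays at Unix time `now`."""
    return hotp(secret, now // STEP_SECONDS)

class ChallengeVerifier:
    """Server-side check a colleague runs before releasing anything sensitive.
    Tolerates one step of clock drift and never accepts a time step twice: a code
    pasted into the chat is visible to whoever holds the hijacked account."""

    def __init__(self, secret: bytes, drift_steps: int = 1) -> None:
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = now // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # this step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False

# Constructed sample: the RFC 6238 test-vector secret stands in for the secret
# enrolled on the real employee's phone. The attacker inside the compromised
# Slack session never held it, so all they can offer are guesses or replays.
EMPLOYEE_SECRET = b"12345678901234567890"

def decide(verifier: ChallengeVerifier, offered_code: str, now: int) -> str:
    """Colleague's answer to a 'send me the VPN password' request in chat."""
    return "share" if verifier.verify(offered_code, now) else "refuse"
```

The secret is shared only between the phone and the verifying server, so the colleague's decision depends on something the hijacked chat session never contained.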
Documented real-world cases
Twilio — August 2022
Twilio suffered a sophisticated social engineering attack in which employees were tricked into providing credentials via SMS phishing. Attackers used these credentials to access internal systems and compromise 163 customer accounts, including 1,900 Signal users. The attack was discovered weeks after initial compromise.
Source: Twilio security advisory, August 2022; TechCrunch
Uber — September 2022
An attacker compromised an Uber contractor's credentials via an MFA fatigue attack, then used Slack to pose as IT and trick an employee into providing VPN credentials, ultimately gaining access to critical internal systems including AWS, GCP, and HackerOne reports.
Source: Uber security update, September 2022; Bloomberg
Frequently asked questions
Doesn't MFA prevent this?
MFA prevents unauthorized login from a new device. It does not protect an already-established session, a compromised device, or a session token stolen after authentication. MFA fatigue attacks — where attackers bombard employees with push notifications until one is accidentally approved — have become a standard bypass technique.
Sources & citations
1. Verizon Data Breach Investigations Report 2024 — Human element and credential abuse statistics
2. IBM Cost of a Data Breach Report 2024 — Average breach cost and detection time
Statistics reflect data available at time of publication. Real Authenticator is not affiliated with cited organizations. Links to external sources are provided for reference only.