
Fake Enterprise Slack App — R&D Team's Confidential Roadmap Exposed


Case Overview

An R&D team at a software company received an SMS claiming that Slack had released a mandatory security update for enterprise accounts. The message linked to a convincing download page. In the unprotected scenario, seven team members installed the app. It looked and functioned like Slack, and it also silently forwarded all messages, files, and screen content to an external server. By the time the security team identified the compromise, the product roadmap for the next 18 months had been exfiltrated.

Factor Security's MTAD was deployed on the team's devices. The attack was detected at the SMS stage — and blocked before any installation could succeed.

The Attack

  1. The attacker crafted an SMS with corporate branding, citing a "mandatory enterprise security patch" with urgency language and a download deadline.
  2. The link led to a near-perfect replica of the Slack enterprise download page, hosted on a lookalike domain designed to bypass casual scrutiny. (Slack does not distribute updates this way: legitimate mobile updates arrive through the platform app store or the organization's MDM, and a web download must first get past the device's sideloading prompt. That delivery channel is the first check a user or a control can apply.)
  3. Seven R&D team members installed the app, which requested permissions a chat app plausibly needs (storage, notifications, microphone), so nothing raised suspicion at install time.
  4. Running silently in the background, the app relayed all team communications in real time to an attacker-controlled server.
  5. In the unprotected scenario, the product roadmap, competitive analysis, API documentation, and unreleased feature specs were all exfiltrated before discovery.

How Factor Protected

  1. Factor analyzed the inbound SMS on each device, detecting domain spoofing, lookalike URLs, and urgency-based social engineering patterns before any link was followed.
  2. The download page URL was flagged as a known lookalike domain associated with app distribution fraud, and employees were warned before visiting it.
  3. When one team member attempted to install the app despite the warning, Factor's malicious app detection engine analyzed the package, identifying permission requests and network behaviour consistent with data exfiltration and command-and-control (C2) communication rather than with the real Slack client.
  4. Installation was blocked on managed devices. On BYOD devices, which the organization does not control, Factor raised a high-severity alert to both the employee and the security team in real time.
  5. No exfiltration occurred. The fake domain was reported and blocklisted within the hour.
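The first two steps above describe a technique (lookalike-domain and urgency-language detection on an inbound SMS) rather than just an outcome. The following is an added example of how such a triage check can be built; it is not Factor's code, and the brand allow-list, urgency phrases, confusable-character table and sample messages are all constructed here for illustration. Only slack.com is assumed to be a legitimate Slack domain.

```python
"""Heuristic smishing triage for the fake-Slack scenario (added example,
not a vendor's engine). Flags lookalike hostnames and urgency language in
an inbound SMS before the link is followed. Lists and samples are
constructed for illustration."""
import re
import unicodedata
from urllib.parse import urlparse

# Allow-list: brand token -> registrable domains it legitimately uses.
# Assumption: maintained by the security team; only slack.com is listed.
BRAND_DOMAINS = {"slack": {"slack.com"}}

URGENCY_PHRASES = (
    "mandatory", "immediately", "within 24 hours", "deadline", "today",
    "will be suspended", "will be disabled", "security update", "security patch",
)

# Characters commonly substituted for Latin letters in lookalike hostnames
# (digits and Cyrillic homoglyphs).  Constructed, not exhaustive.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a", "\u0435": "e",
    "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0456": "i",
})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Hostnames of every http(s) URL in the message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def normalize_host(host):
    """Decode punycode and fold confusables so 'sl\u0430ck.com' == 'slack.com'."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or malformed punycode; compare as given
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))
    return host.translate(CONFUSABLES).lower()


def registrable_domain(host):
    """Last two labels. Assumption: adequate for .com-style TLDs; a real
    implementation would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return (verdict, reason) for one hostname."""
    raw_reg = registrable_domain(host.lower())
    norm = normalize_host(host)
    norm_reg = registrable_domain(norm)
    sld = norm_reg.split(".")[0]
    for brand, legit in BRAND_DOMAINS.items():
        if raw_reg in legit:
            return "allow", f"{host}: legitimate {raw_reg}"
        if norm_reg in legit:  # only equal after folding -> homoglyph/punycode
            return "block", f"{host}: homoglyph/punycode lookalike of {norm_reg}"
        if brand in norm:  # brand token parked in a subdomain or hyphenated name
            return "block", f"{host}: brand '{brand}' inside unrelated domain {norm_reg}"
        if levenshtein(sld, brand) <= 1:
            return "block", f"{host}: typosquat of '{brand}' ({sld})"
    return "unknown", f"{host}: no brand association"


def urgency_hits(text):
    low = text.lower()
    return [p for p in URGENCY_PHRASES if p in low]


def analyze_sms(text):
    """Block on any lookalike link, or an unknown link plus urgency language;
    warn on either alone; otherwise allow."""
    results = [classify_host(h) for h in extract_hosts(text)]
    verdicts = {v for v, _ in results}
    findings = [r for _, r in results]
    hits = urgency_hits(text)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if "block" in verdicts or ("unknown" in verdicts and hits):
        verdict = "block"
    elif "unknown" in verdicts or hits:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages modelled on the scenario above.
SAMPLE_SMS = {
    "lookalike": "Slack IT: a mandatory enterprise security patch must be installed "
                 "today. Download: https://slack-enterprise-update.com/install",
    "homoglyph": "Update required: https://sl\u0430ck.com/update",  # Cyrillic 'a'
    "subdomain": "Verify now at https://slack.com.sec-patch.net/download immediately",
    "legit": "Your Slack workspace: https://app.slack.com/",
}

if __name__ == "__main__":
    for name, sms in SAMPLE_SMS.items():
        print(name, analyze_sms(sms))
```

The hyphenated lookalike in the page's scenario is caught by the brand-token rule, a Cyrillic or punycode homoglyph by the folding step, and a brand parked in a subdomain of an unrelated registrable domain by the same token rule. The substring match is deliberately aggressive and will flag unrelated names that happen to contain the brand, so in practice it is tuned with the allow-list rather than used alone.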

Factor's Impact

The app looked real. The SMS looked real. The download page looked real. That is exactly the point — modern mobile attacks are indistinguishable from legitimate activity at the surface level. Factor does not ask the user to recognize the threat. It detects the threat before the user has to decide.

Your R&D roadmap is not a network asset. Protect it at the device where it gets discussed.
