Slack

Last updated Dec 25, 2025

Slack App Scopes Expanded

Detect Slack app scope expansion events in Slack audit logs.

Query

First, keep only the records whose event_name field equals app_scopes_expanded. Then join the details.new_scopes array with commas and store the result in the new_scopes field, and extract entity.app.name into the app field.

| search event_name == "app_scopes_expanded"
| eval new_scopes = strjoin(", ", valueof(details, "new_scopes"))
| eval app = valueof(valueof(entity, "app"), "name")

Message

  • Slack app scope expansion: user $user_name, domain $context_domain, app $app

Output field order

  • _log_time, src_ip, context_type, context_name, user, user_name, user_email, event_name, app, new_scopes, user_agent, entity, details

Threat Analysis

  • The app_scopes_expanded event indicates that an existing Slack app has been granted additional OAuth scopes. An attacker who already controls an account or an app typically takes this step to expand the access that account or app provides.
  • Depending on the expanded scopes (new_scopes), the app may gain access to messages, files, channels, user information, and administrative functions, significantly increasing the likelihood of collection and data exfiltration.
  • In many cases, a user must explicitly approve scope expansion; however, if an attacker has compromised the user account or bypassed the approval flow, the activity may appear legitimate while effectively constituting privilege expansion.
  • Risk increases sharply when sensitive scopes are included, such as admin.*, channels:history, groups:history, im:history, files:read/write, users:read, and users:read.email, as these can enable broad access across the organization.
  • Because the app keeps ongoing access through its app tokens after the scope expansion, this activity can be associated with the use of stolen app/OAuth tokens to bypass authentication (T1550.001) and with lateral movement scenarios.

False Positives

  • A user approves new scopes required for legitimate feature additions or updates to an app.
  • An administrator/IT staff expands permissions for an existing business app (e.g., enabling new channel/file integration features).
  • Scope expansion occurs during app reinstallation or reconnection as part of a re-authorization process.
  • Scopes are modified in a test/development environment for app functionality validation.
  • An official Slack Marketplace app expands scopes as part of a version update.

Response Actions

  • Immediate verification
    • Review the app and the expanded scope list (new_scopes), and validate whether the scopes are necessary for the app’s legitimate functions.
    • Confirm with the user (user_name) whether they approved the expansion and the business purpose for it.
    • Check the app vendor/publisher details and the app’s verification status (verified app vs. internally developed app).
  • Risk assessment and blocking
    • If sensitive scopes (admin.*, history, files, users-related) are included or the purpose is unclear, immediately revoke the app’s permissions or uninstall the app and invalidate its tokens.
    • Consider the possibility of account compromise and force session termination, require a password reset, re-enroll MFA, or trigger forced re-authentication via SSO.
  • Additional hunting
    • Investigate signs of data access via the app immediately after expansion (message reads, file access/downloads, channel joins, external sharing).
    • Correlate related events from the same user/IP such as preceding login failures (user_login_failed), anomalous logins, app installation (app_installed), token preservation (app_token_preserved), and audit log searches (audit_logs_records_searched).
    • Verify whether the scopes included in new_scopes exceed what is allowed by organizational policy.
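The following is an added example, not code from the rule page or its vendor: it replays the query's search and eval steps in Python over constructed audit events that use the rule's normalized field names, and annotates each hit with the sensitive scopes from the Threat Analysis list and with scopes outside an assumed organizational allow-list (the allowed_scopes parameter), as the last response action suggests.

```python
# Added example, not the rule's own code: replays the rule's extraction logic in
# Python over constructed events that use its normalized field names.
import fnmatch

# High-risk scope patterns named in the Threat Analysis (glob syntax for admin.*).
SENSITIVE_SCOPES = ("admin.*", "channels:history", "groups:history", "im:history",
                    "files:read", "files:write", "users:read", "users:read.email")

# Constructed sample audit events (rule schema: event_name, entity.app.name,
# details.new_scopes, user_name, context_domain).
SAMPLE_EVENTS = [
    {"event_name": "app_scopes_expanded", "user_name": "alice", "context_domain": "corp",
     "entity": {"app": {"name": "Ticket Bot"}},
     "details": {"new_scopes": ["chat:write", "channels:history", "admin.users:read"]}},
    {"event_name": "app_installed", "user_name": "bob", "context_domain": "corp",
     "entity": {"app": {"name": "Calendar"}}, "details": {"new_scopes": ["chat:write"]}},
    {"event_name": "app_scopes_expanded", "user_name": "carol", "context_domain": "corp",
     "entity": {"app": {"name": "Emoji Pack"}}, "details": {}},  # no new_scopes -> null
]


def is_sensitive(scope):
    """True if the scope matches any high-risk pattern."""
    return any(fnmatch.fnmatchcase(scope, pat) for pat in SENSITIVE_SCOPES)


def detect(events, allowed_scopes=()):
    """Keep app_scopes_expanded events, derive app and new_scopes as the rule's
    eval steps do, then annotate with sensitive scopes and scopes outside the
    organisation's allow-list (allowed_scopes is an assumed policy input)."""
    hits = []
    for ev in events:
        if ev.get("event_name") != "app_scopes_expanded":
            continue  # the rule's search step drops everything else
        scopes = (ev.get("details") or {}).get("new_scopes") or []
        app = ((ev.get("entity") or {}).get("app") or {}).get("name")
        hits.append({
            "message": (f"Slack app scope expansion: user {ev.get('user_name')}, "
                        f"domain {ev.get('context_domain')}, app {app}"),
            "app": app,
            "new_scopes": ", ".join(scopes) if scopes else None,
            "sensitive_scopes": [s for s in scopes if is_sensitive(s)],
            "outside_policy": [s for s in scopes if s not in allowed_scopes],
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, allowed_scopes={"chat:write"}):
        print(hit["message"], "| sensitive:", hit["sensitive_scopes"])
```

The third sample event shows the null case the rule's valueof() produces when details carries no new_scopes key, which is why the field must be handled as optional in any downstream correlation.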

MITRE ATT&CK