What We Do
How We Do
Get Started

The Wiki-Slack Attack

BY eSentire Threat Response Unit (TRU)

October 27, 2023 | 8 MINS READ

Want to learn more on how to achieve Cyber Resilience?


What do you get when you share a Wikipedia link on Slack? As eSentire Threat Response Unit (TRU) security researchers Keegan Keplinger and Joe Stewart discovered, threat actors can be presented with a clever way in which to redirect business professionals to attacker-controlled websites.

It works like this. A threat actor selects a subject in Wikipedia that they believe will interest the type of business professionals they are targeting. For example, if the cybercriminals are targeting publicly traded companies, they might select a Wikipedia entry detailing the latest Securities and Exchange Commission’s (SEC) cybersecurity regulations that are being implemented. Because these regulations are necessary for compliance, organizations may be likely to visit the Wikipedia page – a first step in executing the Wiki-Slack attack.

Once the threat actors select a topic in Wikipedia, they will go to the first page of the Wikipedia entry and edit the page, adding a legitimate referenced footnote to the article. The footnote itself is not malicious but it paves the way for a formatting error when the article is shared in Slack. Once certain additional conditions are met – made easy by small grammatical changes to the Wikipedia article, Slack will render a link that is not visible in the original Wikipedia article.

Once a business professional copies and pastes that Wikipedia entry in a Slack channel, the malicious link is rendered. If the grammar around the link is crafted well enough, Slack users are enticed to click it, leading them to an attacker-controlled website where browser-based malware lays in wait.

Browser-based attacks are a new underestimated threat surface that, today, can lead to hands-on ransomware intrusions. Popular examples this year include BatLoader, SocGholish, Nitrogen, and Gootloader. While much of security training today focuses on email-based phishing and malicious attachments, this new paradigm in initial access has begun to dominate initial access vectors for ransomware intrusions.

Stewart and Keplinger also found that this social engineering attack works with Medium blogs. However, it should be noted that Wikipedia provides a curated, authoritative source that people trust, whereas Medium blogs are less known and author-controlled. Stewart and Keplinger, following responsible disclosure practices, reported this activity to Slack.

A complete attack chain for the Wiki-Slack attack can follow either targeted or opportunistic campaign properties. A targeted attack involves targeting organizations known to have Slack – an easy Open-Source Intelligence exercise – and constructing Wikipedia entries for them to get their attention, while an opportunistic attack looks to weaponize the most popular Wikipedia pages, approaching a watering-hole style attack.

The Attack

The Wiki-Slack Attack is an authoritative user redirection attack to drive victims to an attacker-controlled website. From there, the attacker must provide their own malware for users to download and execute. Browser-based attacks, of course, shouldn’t be underestimated, given they are one of the primary types of initial access malware observed leading to Ransomware today, including BatLoader, Nitrogen, Gootloader, SolarMarker, and SocGholish.

The attack starts when a Wikipedia link is shared in Slack under three conditions:

  1. The Wikipedia link must contain a reference at the end of the first paragraph.
  2. The first word of the second paragraph in the Wikipedia article must be a top-level domain (TLD) such as in, at, com, net, us, etc.
  3. The above two conditions must appear in the first 100 words of the Wikipedia article.

This will cause Slack to mishandle the whitespace between the first and second paragraph, spontaneously generating a new link in Slack (Figure 1). If we look directly at the Wikipedia page, we can see this generated link doesn’t exist there (Figure 2). We have found over 1,000 organic occurrences of this artifact (Figure 3).

Figure 1: Organic occurrence of Slack mishandling a shared Wikipedia link.
Figure 2: When browsing directly to Wikipedia, we can see the paragraphs are separated by white space and the link isn't generated.
Figure 3: A sample of organic occurrences of Slack's mishandling of Wikipedia links.

Opportunistic Attacks

If one does not have ethical guardrails, they can augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface it. Because of the diminishing returns along the chain of this attack, it becomes a numbers game. One way to conceptualize this is an analog of the “marketing funnel” in which companies drive Internet traffic to eventually become sales conversions. We leverage this concept to adopt the “attack funnel” (Figure 4). 

Thus, the more Wikipedia pages an attacker can deface and register domains for, the higher the chances of eventually infecting someone of interest. Further, we can leverage Wikipedia Statistics to choose Wikipedia pages that already generate high volumes of traffic (Figure 5). In it, we see a popular option, ChatGPT, is already organically halfway to a Wiki-Slack attack. One would just need to edit Wikipedia under the guise of “more concise wording” to get a TLD out front in the second sentence (Figure 6).

Figure 4: The Attack Funnel for social engineering attacks.
Figure 5: Wikipedia traffic statistics
Figure 6: ChatGPT's Wikipedia page halfway to a Wiki-Slack attack.

Targeted Attacks

In a targeted attack flow, we want to first do a little background research on our target. For one, we want to ensure they have Slack. Organizations tend to advertise their tech stack in job postings (Figure 7). We can also take an automated approach leveraging something like python’s requests to iterate through a list of companies and automatically select the ones with Slack, given the response code in the request (Figure 8).

Figure 7: Jobs advertising requirements for Slack expertise in their candidates.
Figure 8: An example of python request responses for Slack subdomains that exist (200) and don't (404).

Finally – and because the Wiki-Slack attack is a numbers game – we want to leverage ChatGPT or similar Large Language Model (LLM) to scale out the attack and cover a large attack surface in a short time. ChatGPT is well aware of how to create both web pages and Wikipedia pages. So all we need to do is simply request it do so for a particular subject which we are interested in (Figure 9). We can augment this by scraping data about subjects or targets from articles written after 2021 (Figure 10), since ChatGPT won’t have any information post 2021.

Figure 9: An example request you might send to ChatGPT to build content for the Wiki-Slack attack with appropriate flag considerations. Blue: choose one, Yellow: select from a list of values, Green: only necessary for the Wikipedia page generation.
Figure 10: An example of leveraging Beautiful Soup to scrape post-2021 data from a web page that can then be inserted into the {data} parameter in Figure 9. Additionally, this link can be used as a reference when defacing Wikipedia to create the Wiki-Slack flaw.

Security Recommendations

As the security community has evolved phishing awareness training and organizations have implemented email security appliances that block most malicious spam, social engineering attacks via browser-based downloads are becoming the primary infection vector. To keep your organization protected:

  1. Raise awareness around browser-based attacks, especially those associated with SocGholish, Gootloader, BatLoader, and Nitrogen malware. These tend to follow one of three paths:
    1. Fake Updates – some malware will claim that you need to update your browser, suggesting the user download and execute the browser updates provided. Never do this! Browsers today update on their own behind the scenes.
    2. Search Engine Optimization (SEO) Poisoning – GootLoader favors an attack that takes advantage of users browsing the web looking for business agreement templates and “how to” technical documents. Today, it is best to have a process for document retrieval on the web that allows only trusted sources for download.
    3. Malvertising via Google Ads – Just because the technology you’re looking for is being promoted via a Google Ad, doesn’t mean it’s necessarily safe. Threat actors are now paying for and taking out Google Ads that lead to bogus download sites for known software (such as WinSCP, WireShark, Slack, Telegram, ChatGPT – and the list goes on.)
    4. In the case of the Wiki-Slack attack, be aware that Slack previews can spontaneously generate links that weren’t in the original source material.
  2. Employ endpoint monitoring on your workstations. Employees will inevitably download and execute malware when browsing the internet. Endpoint monitoring can catch execution techniques used by most malware, even when LOLBINs (Trusted Windows Processes) are abused by the malware.
  3. Build cyber resilience into your processes. When ransomware incidents do happen, a human is in the network. Human operators are creative problem solvers and can get around a single layer of security rather easily.
    1. Have a mindset that compromise will happen. Accepted risk is a necessary part of doing business. Being mentally prepared is the first step to becoming organizationally resilient.
    2. Employ minimum trust. Implement Role-Based Access Control (RBAC): Define and assign roles with specific access privileges based on job responsibilities. Limit access to the minimum necessary resources for each role.
    3. Employ continuous Monitoring and Alerting: Implement monitoring and alerting systems to detect suspicious or unauthorized access.
    4. Set up alerts for unusual activities, such as multiple failed login attempts.
    5. Employ logging – when a hands-on intrusion is under way, proper logging can speed investigations up and help shut down attackers hiding in the VPN pool or on devices where endpoint technology isn’t supported.
    6. Practice inventory discovery and assessments, know what technology you have and when to patch it or reconfigure it. Even when a system doesn’t have an official vulnerability, misconfigurations can leave it vulnerable in other ways.
    7. Be ready to rebuild domain controllers.
    8. Be ready to reset all credentials and redeploy device enrollment to reset device tokens.
    9. Have backup systems and processes so that host isolation of critical systems doesn’t cripple production.

If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire