Five Security Lessons From the Lapsus$ Attacks

With the Lapsus$ hacking group back in business following the arrest of key members by London police, organizations need to take a closer look at the tactics this group used to pull off a remarkable string of breaches at major organizations.
As this group has shown, even basic techniques can be extremely effective at penetrating large organizations by focusing on low-hanging fruit. Their proven effectiveness is likely to result in similar attacks by other criminal actors.
Lapsus$ does not appear to use custom malware or novel techniques. Instead, the group is relying on commodity tools and social engineering tactics but using them in creative ways. For instance, the group has been very effective at targeting peripheral users to gain their initial foothold into a company’s network. They also use privilege escalation tactics quite effectively and go beyond email to exploit other communications channels, such as Slack, where it is easier to social engineer employees, find sensitive information and escalate the attack.
Here are five Lapsus$ tactics that companies need to prepare for.

1. Exploiting Trusted Third-Parties

Supply chain attacks of all kinds are becoming more frequent as attackers look for easier ways to bypass robust corporate security posture. As companies reassess their trusted relationships with third parties, it is important to not only focus on systems and technologies but to look at the human risk factor, as well.
The Lapsus$ group has specifically targeted lower-level employees within myriad business partners of large organizations. In particular, they seem to target customer support call centers and help desks as they prepare to launch social engineering attacks. These vendors may not rank at the top of a corporation’s security threat monitoring program, but they clearly are sufficient for establishing a beachhead into the target company. This seems to be what happened in the Okta breach, as Lapsus$ used a compromised employee account at a customer service provider in order to infiltrate Okta’s systems.
A key mistake that companies should avoid is allowing lenient sharing permissions with their business partners.

2. Recruiting Insiders

LAPSUS$ has been actively recruiting corporate insiders (both employees and contractors) to provide credentials and MFA codes, as well as to install remote management tools like AnyDesk. Microsoft has confirmed the group’s recruitment efforts have been successful.
Insider recruitment is a growing threat to organizations and a number of criminal groups are now actively using this tactic, including ransomware gangs like LockBit 2.0 and DemonWare. According to one recent study, a whopping 65% of organizations have had employees targeted for criminal recruitment.
Malicious insiders are a serious security challenge, but companies can reduce their risk by increasing employee access controls and monitoring. Companies should be able to detect unusual network activity, such as large file transfers or downloads, and they should monitor for any red flags in online communications⁠—not only in email but in social media and messaging apps, too.

3. Gaining Access to Messaging Platforms

Credential theft has been a long-running problem for businesses, but until now the risk has largely been centered around email and sensitive access tools like remote desktop protocol (RDP). However, groups like Lapsus$ have shown that attacks can take a more circuitous route by targeting peripheral accounts like messaging platforms and personal emails and working inward from there.

By gaining access to a company’s Slack channel, a hacker is not only able to sift through older files and information shared on the platform, but they are also in a perfect position to carry out social engineering attacks; in particular through conversation hijacking techniques. Slack and other messaging platforms also typically lack the capacity for scanning potentially malicious attachments and links.

4. Pass-the-Cookie Attacks

Hackers like the Lapsus$ group are also exploiting session cookies as a way to gain access to email, messaging clients and other accounts without a password.
These pass-the-cookie attacks present an additional challenge for companies, since they offset the most basic protection for user accounts and remote workers⁠—multifactor authentication. Stolen session cookies are easy to find in dark web marketplaces and often sell for relatively low prices. This is what enabled the attack on Electronic Arts in 2021 (which may have involved a member of Lapsus$), as the hackers gained access to the company’s Slack channel using a stolen cookie and then used social engineering attacks to accomplish a 780 GB data breach.

5. Privilege Escalation

Once LAPSUS$ gains access to a corporate asset, they will look for ways to escalate their privileges within the network. This generally involves two tactics. First, they scan internal systems for unpatched vulnerabilities and look for any secrets exposed on employee-accessible resources (such as internal code repositories and messaging systems). The second tactic is social engineering. If the group can access a messaging system or contact internal support, they will attempt to convince them to reset the password for a more privileged account.
Although privilege escalation is often difficult to identify, especially if the attackers are using social engineering, companies can look for suspicious logins, unusual network communications, aggressive or atypical requests in messaging platforms and malware activity.


Threat groups like Lapsus$ are increasingly targeting the blind spots in otherwise robust corporate cybersecurity programs.
To prevent these types of attacks, organizations need to implement a zero-trust security program that applies to not only third-party technologies but also to employees, contractors and all corporate communications channels. This should include better monitoring tools for all communications, not just email⁠—including Slack, Teams, Zoom, messaging apps like WhatsApp and Telegram and social media like LinkedIn. Organizations also need stronger access controls for both employees and contractors, to limit the damage from account takeover (ATO) attacks and insider recruitment. Security awareness training should also teach employees about new social engineering tactics utilizing other communication platforms, like Slack and LinkedIn.

Avatar photo

Mike Campfield

Mike Campfield, CRO of SafeGuard Cyber (, is a senior executive with more than 20 years of experience in Security, Risk and Information Management, where he has worked for some of the world's top technology companies. Prior to joining SafeGuard Cyber, Campfield held senior leadership positions at ExtraHop, FireEye, Syncplicity, EMC and Documentum.

mike-campfield has 1 posts and counting.See all posts by mike-campfield

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)