
Modern Adversary TTPs: The Rise of 'Read Teaming'

June 7, 2025 | 6 min read | Threat Research

The New Reality of Modern Attacks

If you're still thinking about security in terms of malware and exploits, you're fighting yesterday's war. Modern attackers have long since discovered something simpler and far more effective: your own documentation.

These techniques, while not novel, have been jokingly referred to as "Read Teaming" due to the nature of the actions taken by adversaries - primarily focused on spending large amounts of time reading through internal knowledge and document stores.

According to Mandiant's M-Trends 2025 report, cloud and SaaS components were present in almost every frontline engagement in 2024, with stolen credentials becoming the second-most common initial infection vector at 16%.

After analyzing dozens of modern breaches, we've watched the attack landscape shift dramatically. Groups like Lapsus$ and Scattered Spider have proven something uncomfortable: you don't need sophisticated malware when you have valid credentials and patience to read.

What Modern "Read Teaming" Looks Like

Here's what a modern "Read Team" attack looks like:

1. Initial Access via Social Engineering

  • Call help desk pretending to be an employee
  • "I'm locked out of my Okta, can you help?"
  • Get MFA reset or temporary access granted

2. The Reading Phase

  • Search Confluence: "password", "credential", "access", "apikey", "secret"
  • Check Slack: public channels and search (Slack Search supports searching images with OCR)
  • Browse JIRA: IT tickets often contain plaintext creds
  • Clone repos: .env files, hardcoded secrets, CI/CD tokens

3. Privilege Escalation Through Documentation

  • Find runbooks with step-by-step privilege escalation
  • Discover "break glass" procedures with admin creds
  • Locate architecture diagrams showing critical systems
  • Occasionally, exploiting misconfigured SaaS applications
    • SaaS platforms often lack configured telemetry and detection engineering, which makes them a prime target for escalation without detection

These attacks target:

  • Source Code Repositories (GitHub, GitLab, BitBucket)
  • Internal Documentation (Confluence, Google Docs, SharePoint)
  • IT Support Ticketing Systems (Jira, ServiceNow)
  • Collaboration Platforms (Slack, Microsoft Teams)

Real-World Examples

The Lapsus$ group, active from 2021-2022, successfully breached Microsoft, Nvidia, Samsung, and Okta using these exact techniques. Their March 2022 breach of Microsoft resulted in the theft of source code for Bing, Cortana, and other products - all without deploying traditional malware beyond information stealers.

According to Permiso's research on LUCR-3 (overlapping with Scattered Spider/UNC3944), these groups have refined the "Read Team" approach to an art form.

Scattered Spider took this further, combining social engineering with deep internal knowledge gathering where they would:

  • Understand the organization, its people, processes, and technology
  • Identify what and where the crown jewels are through reading internal documentation
  • Search for credentials in these knowledge stores without detection

Technical Deep Dive: Attack Patterns

Based on incident response data and threat intelligence, here are specific techniques observed:

Initial Access Methods:

Technique: Credential Purchase

  • Buy from Dark Web marketplaces
  • Target identities with elevated privileges (Developers, System Administrators, etc.)
  • Match geolocation to avoid impossible travel alerts

Technique: MFA Fatigue

  • Spam push notifications
  • Wait for user to accept
  • Often successful during off-hours

Why Traditional Security Can't See This

The fundamental problem? These attacks look like normal user behavior.

Endpoint Detection and Response (EDR) products are designed to detect and respond to malicious activity. Likewise, other security solutions for the cloud and network are designed to detect and respond to malicious activity, not find needles in the haystack.

Detection Blind Spots:

  • No Malware = No Detection

    • Fileless attacks that do not leave a footprint on the endpoint
  • Seemingly Legitimate Access Patterns and Usage

    • User accessing Confluence
    • Cloning GitHub repos
    • Downloading documentation
    • Reading Slack history
    • S3 Browser usage

From the trenches: During a Red Team engagement, time and time again we have compromised Fortune 500 enterprises using nothing but browser access and patience. No malware, no exploits - just reading internal business applications and knowledge stores, building a picture of the organization and its operations. Unsurprisingly, the security teams on these engagements were not able to detect this type of activity, and as a result, we were able to achieve our objective without raising a single alert!

The Detection Gap: Where Deception Fits In

By planting deceptive resources throughout internal repositories, we no longer rely on costly and complex detection solutions to identify unauthorized activity and access that looks like normal user behavior.

For example:

  • Honey tokens in wiki pages (monitored credentials)
  • Fake AWS access keys in documentation
  • Decoy Slack channels with monitoring
  • Canary documents in SharePoint
  • False entries in password managers
  • Injecting fake credentials into browser stores
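The two ideas above, the "seemingly legitimate" access patterns that EDR never sees and the honey tokens planted in knowledge stores, can be tied together in one small detector. This is an added example, not code from the original article: it reads constructed Confluence/Slack/CloudTrail audit events, raises a critical alert on any use of a planted honey token, and raises a high alert when one user runs searches covering several distinct secret-hunting terms. The token values, event format and threshold are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed honey-token identifiers planted in wiki pages and docs.
# They have no legitimate use, so any appearance in a log is a signal.
# (The AWS key below is a placeholder shape, not a real key.)
HONEY_TOKENS = {"AKIA0000000000CANARY", "svc-confluence-backup-2019"}

# Search terms from the "Reading Phase" described in the article.
SECRET_TERMS = {"password", "credential", "access", "apikey", "secret"}
SEARCH_THRESHOLD = 3  # distinct secret-related terms per user before alerting


def analyze(events):
    """Return alert dicts from an iterable of JSON audit-event strings."""
    alerts = []
    terms_by_user = defaultdict(set)
    for line in events:
        ev = json.loads(line)
        user = ev.get("user")
        # High-confidence: a planted credential shows up anywhere in the event.
        for tok in HONEY_TOKENS:
            if any(tok in str(v) for v in ev.values()):
                alerts.append({"severity": "critical", "user": user,
                               "honey_token": tok, "source": ev.get("source")})
        # Low-and-slow reading: accumulate distinct secret terms per user
        # across every collaboration tool, not per tool in isolation.
        if ev.get("event") == "search":
            query = ev.get("query", "").lower()
            terms_by_user[user].update(t for t in SECRET_TERMS if t in query)
    for user, terms in terms_by_user.items():
        if len(terms) >= SEARCH_THRESHOLD:
            alerts.append({"severity": "high", "user": user,
                           "distinct_secret_terms": sorted(terms)})
    return alerts


# Constructed sample events; in practice these come from the SaaS audit log export.
SAMPLE_EVENTS = [
    '{"source":"confluence","event":"search","user":"jdoe","query":"vpn password"}',
    '{"source":"confluence","event":"search","user":"jdoe","query":"okta apikey"}',
    '{"source":"slack","event":"search","user":"jdoe","query":"aws secret key"}',
    '{"source":"confluence","event":"search","user":"asmith","query":"onboarding checklist"}',
    '{"source":"cloudtrail","event":"GetCallerIdentity","user":"AKIA0000000000CANARY","source_ip":"203.0.113.7"}',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Because the honey-token match needs no baseline, it fires on the first use; the search-term rule is the one to tune per environment so that a developer searching "access" once does not page anyone.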

The Uncomfortable Truth

The shift to "Read Teaming" represents a fundamental change in the threat landscape. Attackers realized something we should have seen coming: why risk detection deploying malware when organizations freely document every secret, every process, every vulnerability in searchable, indexed platforms?

Your next breach probably won't come from a zero-day exploit or sophisticated malware. It'll come from someone patient enough to read your documentation and smart enough to use your own runbooks against you.


Have you seen evidence of "Read Teaming" in your environment? The indicators are subtle, but they're there. Look for unusual patterns in your collaboration tools - the next breach might be hiding in your access logs, not your EDR.
