
When a cyber incident unfolds, one of the first things incident response teams do is coordinate: sharing findings, assigning tasks, and discussing containment strategies. Most organisations naturally rely on familiar internal tools for this coordination, such as email, collaboration platforms, internal chat systems, and helpdesk ticketing tools.

The problem is that these systems are often part of the environment that may already be compromised.

This creates a dangerous situation where defenders may unknowingly conduct their entire response in communication channels that attackers can monitor. When that happens, attackers gain insight into investigation progress, containment plans, and remediation steps. In effect, defenders may be unintentionally broadcasting their strategy to the adversary.

Understanding how attackers exploit in-band communication during breaches is therefore critical for building more resilient incident response processes.

What “In-Band Communication” Means During an Incident

In the context of cybersecurity incidents, in-band communication refers to coordination that takes place within the same systems or network environment that may be compromised.

Typical in-band communication channels include:

  • Corporate email
  • Internal messaging platforms
  • Collaboration tools
  • IT service management systems
  • Corporate VoIP or conferencing tools

These tools are convenient because they are already integrated into daily workflows. However, during a breach they can also become surveillance points for attackers.

Security guidance warns that incident communications are highly sensitive and should not be shared in channels attackers might access. If threat actors have compromised internal infrastructure, they may be able to monitor emails, collaboration tools, or network traffic to extract credentials and track incident response activities.

How Attackers Monitor Internal Communications

Modern cyberattacks rarely occur as quick smash-and-grab operations. Instead, many sophisticated attacks follow the advanced persistent threat model, where attackers remain inside a network for extended periods.

During this time, threat actors may:

  • Access email servers
  • Monitor collaboration platforms
  • Capture network traffic
  • Collect authentication credentials

Attackers use this visibility to understand how an organisation operates. In business email compromise attacks, for example, criminals often spend weeks observing internal conversations and writing styles before launching fraud attempts.

The same principle applies during a security incident. If attackers are still inside the environment when defenders begin investigating, they may quietly observe internal discussions about the breach.


Exploitation Tactic 1: Monitoring Incident Response Discussions

One of the simplest but most effective attacker tactics is simply watching internal incident response conversations.

If attackers have compromised administrative accounts, email systems, or collaboration platforms, they may be able to read messages exchanged between security teams. This provides them with a real-time view of the investigation.

In some cases attackers may see:

  • Which systems have been identified as compromised
  • Which accounts are about to be disabled
  • Which servers will be isolated
  • Which logs or forensic evidence are being reviewed

This allows attackers to react faster than defenders.

Security training materials warn that attackers frequently monitor internal email during incidents to determine whether they have been detected. Once they know they have been discovered, they may escalate privileges, destroy logs, or accelerate data exfiltration.

Exploitation Tactic 2: Impersonating Internal Staff

Another common tactic is impersonating legitimate employees within internal communication platforms.

If attackers gain access to corporate email or messaging accounts, they can send messages that appear to come from trusted colleagues. These messages can disrupt incident response efforts in several ways:

  • Issuing false instructions
  • Redirecting investigation efforts
  • Requesting credentials or system access
  • Approving malicious actions

Business email compromise attacks demonstrate how effective impersonation can be. In these cases, criminals impersonate executives or finance staff to convince employees to transfer funds or disclose sensitive information.

During an incident response, similar tactics could involve messages such as:

  • “This system has already been checked — focus elsewhere.”
  • “Please send the administrator credentials so I can complete the investigation.”
  • “Do not isolate that server yet — we still need it for monitoring.”

Because these messages appear to come from legitimate accounts, they can introduce confusion and delay critical response actions.

Exploitation Tactic 3: Manipulating Communication Channels

In more advanced attacks, threat actors do not simply monitor communications — they actively manipulate them.

In one reported case involving the Ragnar Locker ransomware group, attackers infiltrated a company’s incident response chat channel on Microsoft Teams. By gaining access to the same collaboration platform used by responders, they were able to observe the organisation’s internal response discussions.

The attackers later released screenshots of the chat publicly, demonstrating their access and attempting to pressure the victim organisation.

This type of attack can create several problems:

  • Psychological pressure on incident responders
  • Reduced negotiating leverage in ransomware situations
  • Public reputational damage

It also highlights a growing reality in modern cyber incidents: attackers increasingly target communication systems themselves.

Exploitation Tactic 4: Harvesting Credentials from Incident Communications

Incident response often requires rapid changes to systems and credentials. Teams may create temporary accounts, distribute recovery instructions, or share administrative access while coordinating remediation.

If these credentials are transmitted through compromised communication channels, attackers may capture them.

Security researchers have documented cases where recovery credentials were shared via internal email during incidents. Attackers monitoring those communications were able to capture and reuse the credentials to regain access to systems.

This creates a dangerous cycle:

  1. Defenders attempt to recover systems
  2. Attackers intercept recovery credentials
  3. Attackers regain access to the environment

Without secure communication channels, containment efforts may repeatedly fail.


Why This Slows Down Incident Response

When attackers can observe or manipulate incident communications, they gain a significant strategic advantage.

This advantage may include:

  • Anticipating defensive actions before they occur
  • Destroying or altering forensic evidence
  • Accelerating the theft of sensitive data

Large-scale breaches demonstrate how damaging prolonged attacker access can be. For example, the 2015 breach of the United States Office of Personnel Management exposed records belonging to approximately 22.1 million individuals, including sensitive security clearance information.

More recently, the 2024 Snowflake-related breach campaign affected at least 160 organisations and exposed large volumes of sensitive customer data.

While these incidents involved multiple factors, they illustrate a common theme in modern cyberattacks: attackers often maintain access long enough to gather extensive intelligence about their targets.


The Role of Out-of-Band Communication

The most effective way to reduce these risks is to establish out-of-band (OOB) communication channels.

Out-of-band communication refers to coordination that takes place outside the potentially compromised network environment.

Examples include:

  • Secure external out-of-band communication platforms
  • Dedicated incident response communication tools
  • Preconfigured emergency phone bridges
  • Offline contact lists for incident responders

The goal is simple: ensure that attackers cannot observe or interfere with incident coordination.

When organisations switch to out-of-band communication early in an incident, they prevent attackers from gaining insight into response strategies.


Best Practices for Secure Incident Communication

Organisations can significantly reduce risk by incorporating communication planning into their incident response strategy.

1. Establish Out-of-Band Channels in Advance

Secure communication channels on an out-of-band platform should be defined before any incident occurs. Attempting to set them up during an active breach can cause delays.

2. Maintain Offline Contact Lists

Incident responders should have access to contact details stored outside corporate systems in case email or internal directories are compromised.

3. Train Teams to Switch Channels Quickly

Security teams should practise switching to out-of-band communication during tabletop exercises or incident simulations.

4. Avoid Sharing Sensitive Data in Compromised Systems

Credentials, forensic findings, and containment plans should not be shared through channels that attackers may control.

5. Limit Incident Details in Internal Notifications

When internal systems must be used, communications should minimise sensitive technical information that could assist attackers.
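One way to blunt the impersonation tactic described above while still using an in-band channel is to authenticate instructions with secrets that were distributed in advance on the offline contact list (practices 1 and 2) and never sent over corporate email or chat. The following is an added example, not code from the original article or from any product it mentions; the roster, responder names, key values and the 300-second freshness window are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed example: per-responder keys handed out on the offline contact
# list before any incident. They must never be pasted into in-band channels.
OFFLINE_ROSTER = {
    "alice.ir": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"),
    "bob.ir": bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"),
}
MAX_AGE_SECONDS = 300  # assumed replay window for an instruction


def _canonical(sender, ts, text):
    # Canonical JSON keeps the MAC stable regardless of field order or quoting.
    return json.dumps({"sender": sender, "ts": ts, "text": text},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_instruction(sender, text, key, ts=None):
    """Produce an instruction a responder would post in the in-band channel."""
    ts = int(time.time() if ts is None else ts)
    mac = hmac.new(key, _canonical(sender, ts, text), hashlib.sha256).hexdigest()
    return {"sender": sender, "ts": ts, "text": text, "mac": mac}


def verify_instruction(msg, roster=OFFLINE_ROSTER, now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, reason). Rejects unknown senders, stale messages and
    messages whose text was altered or forged by someone without the key."""
    key = roster.get(msg.get("sender"))
    if key is None:
        return False, "unknown sender"
    now = int(time.time() if now is None else now)
    if abs(now - int(msg.get("ts", 0))) > max_age:
        return False, "stale timestamp"
    expected = hmac.new(key, _canonical(msg["sender"], int(msg["ts"]), msg["text"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return False, "bad MAC"
    return True, "ok"


if __name__ == "__main__":
    key = OFFLINE_ROSTER["alice.ir"]
    genuine = sign_instruction("alice.ir", "Isolate FS-02 at 14:00 UTC", key)
    # An attacker with mailbox access can copy the message but not re-sign it.
    forged = dict(genuine, text="Do not isolate FS-02 yet, we need it for monitoring")
    print(verify_instruction(genuine), verify_instruction(forged))
```

A message that fails verification is treated as unauthenticated and confirmed through the out-of-band channel before anyone acts on it.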


Conclusion

Communication is one of the most overlooked attack surfaces during a cyber incident.

Organisations often focus heavily on detection, containment, and recovery while overlooking the fact that their communication channels may already be compromised.

When attackers can monitor internal discussions, impersonate staff, or intercept recovery credentials, they gain a significant advantage. In some cases, they may even be able to influence the response itself.

By establishing secure out-of-band communication channels and incorporating them into incident response planning, organisations can prevent attackers from gaining visibility into their defensive strategy.

In modern cyber incidents, how teams communicate can be just as important as how they detect and contain the attack.

Written by Edward Jones
11 Mar 2026
A digital marketing expert with 10+ years' experience across the full range of disciplines. Edward has an extensive history as a writer, with more than 300 published articles across the technology and digital publishing sectors.