
Insider Threat Matrix™
  • ID: PR029
  • Created: 15th August 2025
  • Updated: 15th August 2025
  • Contributor: Saksham Tushar

Persistent Access via Bots

The subject exploits their technical role to deploy or manipulate automated bots within the organization’s environment—most commonly within collaboration platforms (e.g., Slack, Teams, Discord) or internal operational systems (e.g., Jira, ServiceNow, Helpdesk tooling). These bots are designed to persist beyond the subject’s tenure, leveraging independent service credentials (or other credentials not specifically associated with a user), webhook integrations, or unattended workflows to maintain covert access.

The subject may create new bots under the guise of legitimate productivity enhancements, or hijack existing integrations to expand data access, redirect output, or embed hidden monitoring functionality. Once active, these bots operate continuously, harvesting internal conversations, extracting files, or polling sensitive endpoints—often without triggering standard audit alerts tied to user accounts.


Because automation accounts are rarely subject to the same identity governance or offboarding scrutiny as human users, this technique enables long-term persistence, broad data visibility, and operational concealment, facilitating continued access or covert surveillance after the subject’s departure.
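An added example of the offboarding scrutiny the paragraph above says bots usually escape (not part of the ITM entry): it correlates a bot/app inventory with the HR directory and flags integrations that have no accountable human owner, whose owner has been deactivated (especially if the bot kept running afterwards), or that were installed by someone who has since left. All data, field names and the `review_bot_offboarding` function are constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Bot:
    bot_id: str
    platform: str           # e.g. "slack", "teams", "jira"
    owner: str | None       # accountable human user id; None if unowned
    installed_by: str       # user who created or installed the integration
    last_active: date       # last API call, message or webhook delivery seen

@dataclass
class Person:
    user_id: str
    active: bool
    left_on: date | None = None   # offboarding date from the HR directory

# Constructed sample data: an HR directory and a bot/app inventory.
PEOPLE = [Person("alice", True), Person("bob", False, date(2025, 6, 30)),
          Person("carol", True)]
BOTS = [
    Bot("b1", "slack", "alice", "alice", date(2025, 8, 10)),   # healthy
    Bot("b2", "jira", "bob", "bob", date(2025, 8, 12)),        # owner left, still running
    Bot("b3", "slack", None, "carol", date(2025, 8, 1)),       # nobody accountable
    Bot("b4", "teams", "carol", "bob", date(2025, 8, 9)),      # created by a leaver
]

def review_bot_offboarding(bots: list[Bot], people: list[Person]) -> dict[str, list[str]]:
    """Return, per bot id, the reasons it needs re-review or credential rotation."""
    directory = {p.user_id: p for p in people}
    findings: dict[str, list[str]] = {}
    for bot in bots:
        reasons = []
        owner = directory.get(bot.owner) if bot.owner else None
        if bot.owner is None:
            reasons.append("no accountable human owner")
        elif owner is None:
            reasons.append(f"owner {bot.owner} missing from directory")
        elif not owner.active:
            reasons.append(f"owner {bot.owner} deactivated on {owner.left_on}")
            if owner.left_on and bot.last_active > owner.left_on:
                reasons.append("still active after owner's departure")
        installer = directory.get(bot.installed_by)
        if installer and not installer.active and bot.installed_by != bot.owner:
            reasons.append(f"installed by departed user {bot.installed_by}")
        if reasons:
            findings[bot.bot_id] = reasons
    return findings

if __name__ == "__main__":
    for bot_id, reasons in review_bot_offboarding(BOTS, PEOPLE).items():
        print(bot_id, "->", "; ".join(reasons))
```

Running the same check on a schedule, fed from the platform's app/integration listing and the HR leaver feed, turns bot ownership into a reviewed control rather than an afterthought.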