Researchers this week reported that hackers abused a routine automation feature in Microsoft 365 to exfiltrate data, run C2 communications, move laterally, and evade data loss prevention (DLP) products.
In a blog post, Varonis researchers explained that Power Automate — formerly known as Microsoft Flow — lets legitimate users automate workflows between various apps and services. Using the Power Automate feature, a user can create “flows” in Microsoft 365 for Outlook, SharePoint, and OneDrive that automatically share or send files or forward emails.
The Varonis researchers say threat actors can use these Power Automate flows to extract not only emails, but files from SharePoint and OneDrive — it’s even possible to exfiltrate data from other Microsoft 365 applications.
This exploitation illustrates how the interconnected nature of various cloud apps can introduce greater risk to an organization, said Hank Schless, senior manager, security solutions at Lookout. Schless said organizations need to monitor for suspicious activity beyond traditional DLP.
“As Varonis demonstrates, there are Power Automate functions that can circumvent traditional DLP because the actions don’t align with specific rules, such as detecting when an automated email forward is created,” Schless said. “Rather than focusing specifically on the actions, IT and security teams need to use both contextual and content-based rules to secure data from being leaked out of their cloud apps and infrastructure.”
Jason Kent, hacker-in-residence at Cequence Security, said organizations are often worried about an attacker executing malware on their systems that will result in credential dumps or data exfiltration. Many of these attacks are sophisticated and often are extremely noisy, but Kent said the goal of an attack is to get in, create a way to stay and a way to return, and get the information out. Once in, the clock begins to tick for detection because indicators of compromise are often available as breadcrumbs leading to the attacker.
“What if the attacker could just simply utilize legitimate activity, firing it off with very little effort and reducing time on target while still exfiltrating data?” said Kent. “It’s a perfect storm of undetectable data export. Having system-level access that’s often unmonitored to assist in this heist is very compelling. Once the systems are set up, an attacker can monitor every file that they can orchestrate access to. The attacker essentially can email themselves every document the company puts on SharePoint and track every change as well. If organizations aren’t shutting this type of control down, they should. That Microsoft enables this behavior and allows it to bypass their security controls is astounding.”