Researchers have uncovered a new way to abuse a workflow automation feature in Microsoft 365 to exfiltrate data.
Eric Saraga from cybersecurity firm Varonis discovered how Power Automate, a feature found in Microsoft 365 for Outlook, SharePoint, and OneDrive, can be abused to automatically share or send files, or forward emails, to unauthorized third parties. Not in the fashion of ransomware, but devastating nonetheless.
The premise is simple: Power Automate, a feature that is enabled by default with Microsoft 365 applications, allows users to create their own “flows” – automated cross-app behaviors. To set these behaviors up, the user must first create a connection between two apps, allowing data to flow between the two.
Faking an Azure app
In a fashion similar to forwarding emails, Saraga explains, these flows can be used to extract emails, as well as files from SharePoint and One drive. There is even the possibility to exfiltrate data from other Microsoft 365 applications, including MSGraph, he added.
Saraga also explains two methods with which flows can be abused: one is by having direct access to the victim’s endpoint, while the other one requires tricking the victim into downloading a fake Azure application.
The first method is somewhat harder to pull off, but is also more devastating.
“Creating flows can be done programmatically using the flow API. Although there’s no dedicated Power Automate API, the flow endpoints can be used to query for existing connections and to create a flow,” he explains.
“Once a Microsoft 365 account is compromised, attackers can simply execute a command that will leak sensitive data coming in, without the need to manually create the Power Automate flow.”
The second method – tricking the victim into downloading the app – comes with a caveat. Once the user consents to running the malware app, it will have the necessary permissions to create a flow. However, there is no way to create a new connection using the app. The attacker can onl use existing connections, meaning Azure applications for this attack limit the malicious actors to users who have already made certain connections.
“The more fool-proof method would be to use the user’s credentials or a Power Automate authentication token,” he concludes.
One of the ways to mitigate the threat, Saraga explains, is to monitor for behaviors.
“Behavior-based alerts are also extremely effective at detecting when a user is infected with malware that is operating under the user’s context—it’s very hard for attackers to emulate a user’s normal day-to-day behavior,” he concluded.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba