Researchers have discovered a new way to abuse a workflow automation feature in Microsoft 365 to exfiltrate data.

Eric Saraga of cybersecurity firm Varonis discovered how Power Automate, a Microsoft 365 feature for Outlook, SharePoint and OneDrive, can be misused to share or automatically send files or forward emails to third parties Not allowed. Not in the form of ransomware, but devastating.

The premise is simple: Power Automate, a feature enabled by default with Microsoft 365 Apps, lets users create their “flows”—automated behaviors between apps. To configure these behaviors, the user must first create a connection between 2 applications, which allows data to flow between the 2.

Simulate an Azure app

Similar to email forwarding, Saraga explains, these transmissions can be used to extract emails, such as files from SharePoint and One Drive. The ability to filter data from other Microsoft 365 apps, including MSGraph, still exists, she added.

Saraga also explains 2 methods by which broadcasts can be abused: one involves gaining direct access to the victim's endpoint, while the other requires lying to the victim in order to get them to download a fake Azure app.

The first procedure is somewhat more difficult to incorporate, but it is also more daunting.

“Creating streams can be done programmatically using the streams API. While there is no dedicated Power Automate API, flow endpoints can be used to query existing connections and create a flow,” he explains.

"When a Microsoft 365 account is compromised, attackers can simply run a command that will cause incoming reserved data to be leaked, without the need to manually create the Power Automate flow."

The second procedure, lying to the victim in order to download the app, comes with a warning. When the user gives his permission to run the malicious app, he will have the necessary permissions to create a broadcast. However, there is no way to create a new connection using the app. The attacker can only use existing connections, which means that Azure applications for this attack limit malicious actors to users who have established certain connections.

"The most foolproof procedure would be to use the user credentials or an authentication token from Power Automate," he concludes.

One way to mitigate the threat, Saraga says, is to monitor behaviors.

“Behavior-based alarms are also extremely effective at warning when a user is infected with malware that operates in the user's context. It's really hard for attackers to mimic a user's normal daily behavior," she concluded.

Share This