Microsoft developed PowerShell to automate mundane tasks and configurations for Windows. It has been wildly successful, for both admins AND attackers. Its capabilities have made PowerShell the poster child of living-off-the-land (LotL) attacks.
Like PowerShell, Power Automate was also built to automate mundane tasks—this time for Office 365 (O365) users, e.g.
Pretty cool, eh?
Power Automate is enabled by default in every O365 tenant and ships with roughly 150 standard connectors. At least as many premium connectors are available for purchase on top of that, so the number of possible flows is effectively unlimited.
Think of Power Automate as an interconnected system of legos—you can connect one or more actions to create a limitless variety of flows based on your needs. Bet you’re already imagining the things you can do…
Living off the land in Office 365
When Vectra security researchers started dissecting Office 365 security, Power Automate quickly caught their eye. The more they researched, the more amazed they were by what was possible with nothing more than basic, unprivileged Office 365 access. The use of Power Automate for living-off-the-land techniques came to the forefront recently when Microsoft researchers found an advanced threat actor inside a large multinational organization using it to automate the exfiltration of data, which went undetected for 213 days.
Let’s look at how this can be achieved. The flow starts with a trigger that monitors a OneDrive folder. When a new file is added (the same can be done for file updates), the flow connects to a personal Dropbox account and copies the file contents there. The owner of the OneDrive folder receives no notification that this is happening. The transfer is cloud to cloud, so the data never traverses the corporate network or an endpoint, and no network or endpoint security control ever sees it. The only traces are on the cloud side: the flow itself, which runs under the user's own identity and permissions, and the audit events that creating the flow and reading the files generate.
And unlike PowerShell, Power Automate has an intuitive user interface (UI) that makes the setup of this a breeze. Easy, simple and incredibly powerful.
Want to export sensitive emails in addition to files? Just add another Power Automate flow.
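The two flows just described share one shape: a trigger on a corporate data source (OneDrive, Outlook) feeding an action that writes to storage the tenant does not control (Dropbox). Below is an added example, not Vectra's code or Microsoft's, of detection logic that classifies flow definitions on exactly that pattern. Power Automate and Logic Apps flows export as Workflow Definition Language JSON, where connector steps are `OpenApiConnection` actions whose `host.apiId` names the connector; the three definitions embedded here are constructed for the example, as are the connector allow/deny sets, folder names and subject filter.

```python
"""Flag Power Automate flows that read from a corporate source and write to an external sink.

The flow definitions below are constructed for this example. Their JSON shape follows
an exported flow definition (OpenApiConnection steps with host.apiId naming the
connector); no real tenant, user or flow is involved.
"""
from typing import Iterator, Optional

# Connectors that read the tenant's own data (assumed policy, adjust per tenant).
CORPORATE_SOURCES = {"shared_onedriveforbusiness", "shared_sharepointonline", "shared_office365"}

# Connectors that write to storage the tenant does not control (assumed policy).
EXTERNAL_SINKS = {"shared_dropbox", "shared_box", "shared_googledrive", "shared_gmail"}

# Built-in action types that can push data anywhere without any connector at all.
RAW_EGRESS_TYPES = {"Http", "HttpWebhook"}


def connector_of(step: dict) -> Optional[str]:
    """Return the connector name of an OpenApiConnection step, e.g. 'shared_dropbox'."""
    if step.get("type") != "OpenApiConnection":
        return None
    api_id = step.get("inputs", {}).get("host", {}).get("apiId", "")
    return api_id.rsplit("/", 1)[-1] or None


def walk_actions(actions: dict) -> Iterator[tuple]:
    """Yield every action, descending into Condition / Apply_to_each / Scope nesting."""
    for name, step in actions.items():
        yield name, step
        yield from walk_actions(step.get("actions", {}))          # Scope, Foreach, Condition 'yes'
        yield from walk_actions(step.get("else", {}).get("actions", {}))  # Condition 'no'


def analyse_flow(definition: dict) -> dict:
    """Summarise where a flow reads from and where it writes to, and flag source->external-sink pairs."""
    sources = {c for c in map(connector_of, definition.get("triggers", {}).values()) if c}
    sinks, raw_egress = set(), []
    for name, step in walk_actions(definition.get("actions", {})):
        conn = connector_of(step)
        if conn in EXTERNAL_SINKS:
            sinks.add(conn)
        elif step.get("type") in RAW_EGRESS_TYPES:
            raw_egress.append(name)
    return {
        "sources": sorted(sources),
        "external_sinks": sorted(sinks),
        "raw_egress": raw_egress,
        "suspicious": bool(sources & CORPORATE_SOURCES) and bool(sinks or raw_egress),
    }


def flag_flows(flows: dict) -> list:
    """Return the names of the flows (name -> definition) that match the exfiltration pattern."""
    return sorted(name for name, d in flows.items() if analyse_flow(d)["suspicious"])


def _conn(connector: str, operation: str, params: dict) -> dict:
    """Build a connector step (helper for the constructed samples)."""
    return {"type": "OpenApiConnection",
            "inputs": {"host": {"connectionName": connector, "operationId": operation,
                                "apiId": "/providers/Microsoft.PowerApps/apis/" + connector},
                       "parameters": params}}


# Constructed sample 1: new file in a OneDrive folder -> copied to a personal Dropbox.
EXFIL_FILES = {
    "triggers": {"When_a_file_is_created": _conn("shared_onedriveforbusiness", "OnNewFile", {"folderId": "/Finance"})},
    "actions": {"Create_file_in_Dropbox": _conn("shared_dropbox", "CreateFile",
                {"path": "/inbox", "name": "@triggerOutputs()['headers']['x-ms-file-name']",
                 "body": "@triggerBody()"})},
}

# Constructed sample 2: new Outlook mail -> if the subject matches, body written to Dropbox.
EXFIL_EMAIL = {
    "triggers": {"When_a_new_email_arrives": _conn("shared_office365", "OnNewEmail", {"folderPath": "Inbox"})},
    "actions": {"Condition": {"type": "If",
                              "expression": {"contains": ["@triggerBody()?['Subject']", "Confidential"]},
                              "actions": {"Save_mail_to_Dropbox": _conn("shared_dropbox", "CreateFile",
                                          {"path": "/mail", "name": "@triggerBody()?['Id']",
                                           "body": "@triggerBody()?['Body']"})},
                              "else": {"actions": {}}}},
}

# Constructed sample 3: benign, OneDrive file copied into a SharePoint library.
BENIGN = {
    "triggers": {"When_a_file_is_created": _conn("shared_onedriveforbusiness", "OnNewFile", {"folderId": "/Reports"})},
    "actions": {"Copy_to_SharePoint": _conn("shared_sharepointonline", "CreateFile",
                {"dataset": "https://contoso.sharepoint.com/sites/finance", "folderPath": "/Shared Documents",
                 "name": "@triggerOutputs()['headers']['x-ms-file-name']", "body": "@triggerBody()"})},
}

if __name__ == "__main__":
    flows = {"files-to-dropbox": EXFIL_FILES, "mail-to-dropbox": EXFIL_EMAIL, "reports-to-sharepoint": BENIGN}
    for name, d in flows.items():
        print(name, analyse_flow(d))
    print("flagged:", flag_flows(flows))
```

Feeding this real data is a matter of exporting flow definitions from the tenant (the Power Platform admin cmdlets and the Power Automate management API both return them) and looping over the result; the connector sets are the policy decision, and the same split between corporate and external connectors is what a Power Platform DLP policy enforces preventively, so the detector and the policy should be kept in step.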
Power Automate is great for users—it’s obvious why Microsoft built it. But for security professionals, it’s terrifying. Consider:
We’ve just scratched the surface. In our next blog on Office 365 security, we’ll cover more advanced ways that Power Automate can be used to live off the land in Office 365 and how Office 365 security teams can stay ahead of this threat. Stay tuned!
Vectra Cognito Detect for Office 365 works by analyzing and correlating events like suspicious logins, malicious app installations, email forwarding rules, and abuse of native Office 365 tooling such as Power Automate. To see how security teams leverage it to be alerted before damage is done, check out the datasheet or contact us to learn more and to schedule a demo.
Rohan is the Sr. Director of Product Management at Vectra, running the Cognito Detect and Cognito Detect for SaaS products. He has 15+ years of experience in the network & security industry. He received his MBA from Wharton School of Business where he graduated as a Palmer Scholar. Prior to that, he did his undergraduate in electrical engineering from Indian Institute of Technology (IIT), Delhi and graduate in electrical engineering from USC.