Microsoft developed PowerShell to automate mundane tasks and configurations for Windows. It’s been wildly successful—for both admins AND hackers. Its unique capabilities have made PowerShell the poster child of living-off-the-land (LotL) attacks.
Like PowerShell, Power Automate was also built to automate mundane tasks—this time for Office 365 (O365) users. For example, it can:
- Save email attachments to OneDrive for Business
- Record form responses in SharePoint
- Create to-do tasks for flagged Office 365 emails
Pretty cool, eh?
Power Automate is on by default in all O365 tenants and comes standard with about 150 connectors. At least as many premium connectors are available for purchase on top of that, so the possible combinations are countless.
Think of Power Automate as an interconnected system of legos—you can connect one or more actions to create a limitless variety of flows based on your needs. Bet you’re already imagining the things you can do…
Living off the land in Office 365
When Vectra security researchers started dissecting Office 365 security, Power Automate quickly caught their eye. The more they researched, the more amazed they were with what was possible once they had basic, unprivileged Office 365 access. The use of Power Automate for living-off-the-land techniques came to the forefront recently when Microsoft research found advanced threat actors in a large multinational organization using it to automate the exfiltration of data, which went undetected for 213 days.
Let’s look at how this can be achieved. The flow starts with a trigger that monitors a OneDrive folder. When a new file is added (the trigger can also fire on file updates), the flow connects to a personal Dropbox folder and copies the file contents. The owner of the OneDrive folder receives no notification that this is happening. The transfer is cloud to cloud, so it never touches a network or endpoint security control.
And unlike PowerShell, Power Automate has an intuitive user interface (UI) that makes the setup of this a breeze. Easy, simple and incredibly powerful.
Want to export sensitive emails in addition to files? Just add another Power Automate flow.
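As an added example (not from the original post and not Vectra's product code), here is the kind of check a defender can run over exported flow definitions to surface the file and email flows just described: it walks each flow's triggers and actions, including actions nested inside a Condition, and flags flows that are triggered by tenant data (OneDrive, SharePoint, Outlook) and write to a personal storage connector such as Dropbox. The flow definitions and the internal/external connector classification are constructed and simplified for illustration; the `shared_*` names follow Power Automate's connector API naming, but the exact export shape is assumed.

```python
import json

# Assumed classification of connector API names: tenant data sources vs. personal storage sinks.
INTERNAL = {"shared_onedriveforbusiness", "shared_sharepointonline", "shared_office365"}
EXTERNAL = {"shared_dropbox", "shared_googledrive", "shared_box"}

# Constructed, simplified flow definitions; real exports carry many more fields.
SAMPLE_FLOWS = json.loads("""[
 {"name": "Sync folder", "definition": {
   "triggers": {"When_a_file_is_created": {"inputs": {"host": {"connectionName": "shared_onedriveforbusiness"}}}},
   "actions": {"Create_file": {"inputs": {"host": {"connectionName": "shared_dropbox"}}}}}},
 {"name": "Archive mail", "definition": {
   "triggers": {"When_a_new_email_arrives": {"inputs": {"host": {"connectionName": "shared_office365"}}}},
   "actions": {"Condition": {"type": "If", "else": {"actions": {}},
     "actions": {"Create_file": {"inputs": {"host": {"connectionName": "shared_dropbox"}}}}}}}},
 {"name": "Save attachments", "definition": {
   "triggers": {"When_a_new_email_arrives": {"inputs": {"host": {"connectionName": "shared_office365"}}}},
   "actions": {"Create_file": {"inputs": {"host": {"connectionName": "shared_onedriveforbusiness"}}}}}}
]""")


def _walk(actions: dict):
    """Yield every action, descending into Condition/Scope containers and their else branches."""
    for action in actions.values():
        yield action
        yield from _walk(action.get("actions", {}))
        yield from _walk(action.get("else", {}).get("actions", {}))


def _connector(step: dict) -> str:
    """Connector API name a trigger or action binds to ('' for control-flow steps)."""
    return step.get("inputs", {}).get("host", {}).get("connectionName", "")


def flag_exfil_flows(flows: list) -> list:
    """Return (flow name, internal sources, external sinks) for flows shaped like the exfiltration above."""
    findings = []
    for flow in flows:
        d = flow["definition"]
        sources = {_connector(t) for t in d.get("triggers", {}).values()} & INTERNAL
        sinks = {_connector(a) for a in _walk(d.get("actions", {}))} & EXTERNAL
        if sources and sinks:
            findings.append((flow["name"], sorted(sources), sorted(sinks)))
    return findings


if __name__ == "__main__":
    for name, src, dst in flag_exfil_flows(SAMPLE_FLOWS):
        print(f"{name}: {', '.join(src)} -> {', '.join(dst)}")
```

The benign "Save attachments" flow (email to OneDrive, one of the use cases listed above) is not flagged, while both tenant-to-Dropbox flows are, including the one whose Dropbox step is hidden inside a Condition.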
Power Automate is great for users—it’s obvious why Microsoft built it. But for security professionals, it’s terrifying. Consider:
- It's on by default
- Every user can create their own flows
- Flows can bypass security policies, including data loss prevention (DLP)
- There is no way to turn off individual connectors—it’s all or nothing
- Attackers can sign up for free trials to get access to premium connectors that do even more
We’ve just scratched the surface. In our next blog on Office 365 security, we’ll cover more advanced ways that Power Automate can be used to live off the land in Office 365 and how Office 365 security teams can stay ahead of this threat. Stay tuned!
Vectra Detect for Office 365 works by analyzing and correlating events like suspicious logins, malicious app installations, email forwarding rules, and abuse of native Office 365 tooling such as Power Automate.