Blog - article

Office 365 Security: Power Automate is the New PowerShell

Office 365 Security: Power Automate is the New PowerShell

Office 365 Security: Power Automate is the New PowerShell

Rohan Chitradurga
June 29, 2020

Microsoft developed PowerShell to automate mundane tasks and configurations for Windows. It’s been wildly successful – for both admins AND hackers. Its unique capabilities have made PowerShell the poster child of live-off-the-land (LotL) attacks.

Like PowerShell, Power Automate was also built to automate mundane tasks – this time for Office 365 (O365) users, e.g.

  • Save email attachments to OneDrive for Business
  • Record form responses in SharePoint
  • Create to-do tasks for flagged Office 365 emails

Pretty cool, eh?

Power Automate is on by default in all O365 tenants and comes standard with about 150 connectors. There are also an equal number, if not more, of premium connectors available to purchase as well making countless possibilities.

Figure 1: Standard PowerAutomate connectors

Think of Power Automate as an interconnected system of legos – you can connect one or more actions to create a limitless variety of flows based on your needs. Bet you’re already imagining the things you can do…

Living off the land in Office 365

When Vectra security researchers started dissecting O365 security, Power Automate quickly caught their eye. The more they researched, the more amazed they were with what was possible once they had basic, unprivileged O365 access. The usage of Power Automate for live off the land techniques came to the forefront recently when Microsoft research found advanced threat actors in a large multinational organization using it to automate the exfiltration of data, which went undetected for 213 days.

Let’s look at how this can be achieved. The flow starts with a trigger that monitors a OneDrive folder. When a new file is added (can also be done for updates), the flow connects to a personal Dropbox folder and copies the file contents. The owner of the OneDrive folder receives no notifications that this is happening. The transfer is cloud to cloud, so it never touches a network or endpoint security control.

And unlike PowerShell, Power Automate has an intuitive UI that makes the setup of this a breeze. Easy, simple and incredibly powerful.

Figure 2: Power Automate flow to copy files to Dropbox

Want to export sensitive emails in addition to files? Just add another Power Automate flow.

Figure 3: Power Automate flow to copy all emails to Dropbox

Power Automate is great for users - it’s obvious why Microsoft built it. But for security professionals, it’s terrifying. Consider:

  • It's on by default
  • Every user can create their own flows
  • Flows can bypass security policies, including DLP
  • There is no way to turn off individual connectors – it’s all or nothing
  • Attackers can sign up for free trials to get access to premium connectors that do even more

We’ve just scratched the surface. In our next blog on Office 365 security, we’ll cover more advanced ways that Power Automate can be used to live off the land in O365 and how O365 security teams can stay ahead of this threat. Stay tuned!

Vectra Cognito for Office 365 works by analyzing and correlating events like suspicious logins, malicious app installations, email forwarding rules, and abuse of native Office 365 tooling such as Power Automate. To see how security teams leverage it to be alerted before damage is done, check out the datasheet or contact us to learn more and to schedule a demo.

About the author

Rohan Chitradurga

Rohan is the Sr. Director of Product Management at Vectra, running the Cognito Detect and Cognito Detect for SaaS products. He has 15+ years of experience in the network & security industry. He received his MBA from Wharton School of Business where he graduated as a Palmer Scholar. Prior to that, he did his undergraduate in electrical engineering from Indian Institute of Technology (IIT), Delhi and graduate in electrical engineering from USC.

Author profile and blog posts

Most recent blog posts from the same author

Security operations

Don’t do it: Rolling your own production Zeek deployment

May 15, 2019
Read blog post
Threat detection

Office 365 Security: Power Automate is the New PowerShell

June 29, 2020
Read blog post
Threat detection

Office 365のセキュリティ、Power Automateは新しいPowerShellである 

June 29, 2020
Read blog post