Power Automate? Power Oh No, Mate!

Microsoft’s Power Automate received a bunch of new features in 2021. Along with the increased power of enabling end users to create multi-step, automated workflows across various applications and services comes the increased risk that these features bring along with them.

Power Automate is enabled by default in Microsoft 365. It allows any user to create their own workflows across Outlook, SharePoint, OneDrive, and more. With these defaults left in place, an attacker with stolen credentials or a Power Automate authentication token could use the same tools to automate the extraction of emails and files without any user interaction at all. This kind of invisibility to the end user is similar to the auto-forwarding email rules that attackers are known to set up within Outlook, but on a much wider and more dangerous scale, because a flow can span multiple applications.

So what should you do to protect yourself? Short of disabling the feature entirely, behavior-based alerts can be effective at detecting when a user’s actions are the result of scripted malware rather than the work of human hands. Monitoring Active Directory logins is a useful prevention tactic for many attacks, and Azure AD specifically logs authentications made to the Power Automate resource (called the “Microsoft Flow Service”) and can be configured to alert when abnormalities are detected. Monitoring flow activity within Power Automate itself will also help, and if there isn’t a specific business requirement, consider blocking all emails forwarded with Power Automate. Directions for this can be found here: https://docs.microsoft.com/en-us/power-platform/admin/block-forwarded-email-from-power-automate
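As an added example (not from the original post, and not a Microsoft-provided rule), the following first-seen detection runs over constructed Azure AD sign-in records and alerts on sign-ins to the “Microsoft Flow Service” resource by a user who has never used Power Automate, or from a country that user has not used it from before. The field names mirror the Azure AD sign-in log schema; the sample events and the baselining logic are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime

FLOW_RESOURCE = "Microsoft Flow Service"  # resourceDisplayName Azure AD logs for Power Automate

def _event(time, user, country, ip, resource=FLOW_RESOURCE, error_code=0):
    """Build a constructed sign-in record using a subset of Azure AD sign-in log fields."""
    return {"createdDateTime": time, "userPrincipalName": user, "ipAddress": ip,
            "resourceDisplayName": resource, "location": {"countryOrRegion": country},
            "status": {"errorCode": error_code}}

# Constructed sample log: alice has used Power Automate from the US for a month and then
# signs in from a new country; bob signs in to it for the first time; carol's Exchange
# sign-in and dave's failed sign-in are outside the rule's scope.
SAMPLE_LOG = [
    _event("2021-05-03T09:12:00Z", "alice@example.com", "US", "203.0.113.10"),
    _event("2021-06-02T10:05:00Z", "alice@example.com", "US", "203.0.113.10"),
    _event("2021-06-03T03:40:00Z", "alice@example.com", "NL", "198.51.100.7"),
    _event("2021-06-04T14:20:00Z", "bob@example.com", "US", "203.0.113.22"),
    _event("2021-06-04T15:00:00Z", "carol@example.com", "US", "203.0.113.30",
           resource="Office 365 Exchange Online"),
    _event("2021-06-05T08:00:00Z", "dave@example.com", "US", "192.0.2.9", error_code=50126),
]

def _ts(event):
    return datetime.strptime(event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def anomalous_flow_signins(events, alert_from):
    """Alert on successful Power Automate sign-ins from a never-seen user or a new
    country for that user. Events before `alert_from` only build the baseline."""
    cutoff = datetime.strptime(alert_from, "%Y-%m-%dT%H:%M:%SZ")
    seen = defaultdict(set)  # user -> countries observed for Power Automate sign-ins
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev.get("resourceDisplayName") != FLOW_RESOURCE:
            continue  # other resources are out of scope for this rule
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-ins neither build the baseline nor alert here
        user = ev["userPrincipalName"]
        country = ev.get("location", {}).get("countryOrRegion", "unknown")
        if _ts(ev) >= cutoff:
            reason = None
            if user not in seen:
                reason = "first Power Automate sign-in for this user"
            elif country not in seen[user]:
                reason = f"Power Automate sign-in from new country {country}"
            if reason:
                alerts.append({"user": user, "ip": ev["ipAddress"],
                               "time": ev["createdDateTime"], "reason": reason})
        seen[user].add(country)  # the baseline keeps learning from later events
    return alerts
```

In production the baseline would be built from the previous weeks of exported sign-in logs rather than an in-memory list, and the same keying works for appDisplayName or ipAddress if country is too coarse for your tenant.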

Varonis Threat Report: https://www.varonis.com/blog/power-automate-data-exfiltration
