Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10:00 AM
Hitesh Sheth
Hitesh Sheth
Connect Directly
E-Mail vvv

Hidden Dangers of Microsoft 365's Power Automate and eDiscovery Tools

Attackers are using legitimate enterprise tools to execute attacks and carry out malicious actions. Security teams must take action now.

Recently, we have witnessed some of the largest-scale cyberattacks on record. As organizations increasingly embrace hybrid cloud environments, cyberattackers are taking advantage by using privileged access and legitimate applications to execute attacks and carry out malicious actions.

This was brought to the forefront recently with the SolarWinds attack (aka Sunburst), where a compromised software channel pushed out malicious updates to thousands of organizations. This type of attack on an organization's supply chain is difficult to detect because it relies on software that is trusted within an enterprise. Massive multinational cloud providers and government agencies were among those affected. As a result, there is a growing onus on cloud applications' customers to prevent, detect, and mitigate compromises before they can create a widespread breach and havoc within an organization.

Related Content:

Cloud Jacking: The Bold New World of Enterprise Cybersecurity

Special Report: 2021 Top Enterprise IT Trends

New From The Edge: Building Your Personal Privacy Risk Tolerance Profile

With the growing dispersed workforce and rapid adoption of cloud-based applications to accommodate remote workers, Microsoft Office 365, now called Microsoft 365, has become one of the most powerful and widely utilized collaboration and productivity tools in the world, with over 250 million users. However, Microsoft 365 continues to be one of the most challenging and complex environments to monitor and control, despite increased adoption of multifactor authentication (MFA) and other security controls.

Account Takeovers Loom Large
Among the most recent breaches involving Microsoft 365, account takeovers have been the most prevalent attacker technique. In addition, a recent study by my colleagues at Vectra, which examined over 4 million Microsoft 365 accounts, found that 96% of organizations exhibited some type of lateral movement behavior within their environment. This shows that MFA and embedded security controls are being bypassed using malicious OAuth federated authentication service applications.

Power Automate and eDiscovery Compliance Search, application tools embedded in Microsoft 365, have emerged as valuable targets for attackers. The Vectra study revealed that 71% of the accounts monitored had noticed suspicious activity using Power Automate, and 56% of accounts revealed similarly suspicious behavior using the eDiscovery tool.

A follow-up study revealed that suspicious Azure Active Directory (AD) Operation and Power Automate Flow Creation occurred in 73% and 69%, respectively, of monitored environments.

Below is the data shown over time and relative to the total deployments of Microsoft 365.

Source: Vectra AI
Source: Vectra AI

Cybercriminals Turn Legitimate Tools Against Users
Microsoft Power Automate is the new PowerShell, designed to automate mundane, day-to-day user tasks in both Microsoft 365 and Azure, and it is enabled by default in all Microsoft 365 applications. This tool can reduce the time and effort it takes to accomplish certain tasks — which is beneficial for users and potential attackers. With more than 350 connectors to third-party applications and services available, there are vast attack options for cybercriminals who use Power Automate. The malicious use of Power Automate recently came to the forefront when Microsoft announced it found advanced threat actors in a large multinational organization that were using the tool to automate the exfiltration of data. This incident went undetected for over 200 days.

Equally important is eDiscovery Compliance Search, which is an electronic discovery tool that enables users to search for information across all Microsoft 365 content and applications using one simple command. Attackers can use eDiscovery as a data exfiltration tool. For example, a simple search for "password" will bring up results from Microsoft Outlook, Teams, SharePoint, OneDrive, and OneNote.

These legitimate tools are being utilized more and more frequently to execute attacks. For example, the Sunburst attackers used several M365 tools to execute the hack, including Mail Forwarding, Power Automate Flow Creation, eDiscovery Search, and Azure AD Operation.

Below is the frequency of these detections specific to the Sunburst attack:

Source: Vectra AI
Source: Vectra AI

Power Automate and eDiscovery are actively being utilized together across the attack life cycle. Once a threat actor gains access using Power Automate and eDiscovery, they can reconfigure email rules, compromise SharePoint and OneDrive file stores, and set up persistent reconnaissance and exfiltration capabilities in a matter of minutes.

How Security Teams Can Reduce Threats
Opportunities for these types of attacks are massive and continue to grow in prominence. The recent attacks that involve Microsoft 365 highlight the need for security teams to have a consolidated view of all host and account interactions as attackers move between cloud and on-premises environments. By gaining visibility into who and what is accessing data or changing configurations, regardless of how and from where, IT and security teams can drastically reduce the overall risk of a breach. It is critical that enterprises can detect and respond to suspicious logins, malicious app installations, email forwarding rules, and abuse of native Microsoft 365 tooling.

With remote work projected to remain common, this trend will continue in the months and years to come. We can expect attackers to continue to exploit human behavior and use legitimate tools in cloud applications to establish a foothold and remain undetected within target organizations.

Hitesh Sheth is the president and CEO of Vectra. Previously, he held the position of chief operating officer at Aruba Networks. Hitesh joined Aruba from Juniper Networks, where he was EVP/GM for its switching business and before that, SVP for the Service Layer Technologies ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...
PUBLISHED: 2021-06-14
Improper Input Validation vulnerability in Hitachi ABB Power Grids Relion 670 Series, Relion 670/650 Series, Relion 670/650/SAM600-IO, Relion 650, REB500, RTU500 Series, FOX615 (TEGO1), MSM, GMS600, PWC600 allows an attacker with access to the IEC 61850 network with knowledge of how to reproduce the...