Researchers have uncovered a new way to abuse a workflow automation feature in Microsoft 365 to exfiltrate data.
Eric Saraga from cybersecurity firm Varonis discovered how Power Automate, a feature found in Microsoft 365 for Outlook, SharePoint, and OneDrive, can be abused to automatically share or send files, or forward emails, to unauthorized third parties. The technique does not work in the fashion of ransomware, but it is devastating nonetheless.
The premise is simple: Power Automate, a feature that is enabled by default with Microsoft 365 applications, allows users to create their own “flows” – automated cross-app behaviors. To set these behaviors up, the user must first create a connection between two apps, allowing data to flow between them.