What is Power Automate?
Microsoft Power Automate, previously known as Microsoft Flow, is a software tool that allows users to create automated workflows between various apps and services.
Microsoft designed the software to help users automate mundane, manual processes in both Microsoft Office 365 and Microsoft Azure, with the goal of boosting productivity.
Power Automate is enabled by default in all Office 365 applications and comes with about 150 standard connectors. The tool offers an equal number of premium connectors available for purchase to increase automation capabilities.
Power Automate is essentially a version of PowerShell, a scripting/development language in which network users write their own instructions to automate a task. If you have access to the environment, you most likely have access to Power Automate, so it is extremely powerful for hackers. Suspicious flow creation is difficult to detect because users with admin-level access create similar flows as part of normal work. For example, a hacker could enter the network and create a flow that forwards all emails from the CFO to a specific email address. It is tough to tell that this particular flow is malicious unless security teams go through and read every flow.
These sophisticated attacks are similar to ones we have seen within Office 365 environments, where hackers use legitimate tools to attack a company.
Power Automate Weaknesses
- The software is on by default with Office 365
- Every user can create their own flows
- Flows can bypass security policies, including data loss prevention (DLP)
- There is no way to turn off individual connectors—it’s all or nothing
- Malicious actors can use Power Automate’s capabilities to create custom, malicious workflows
Power Automate and Cybersecurity
Power Automate’s workflow engine allows users to build custom integrations and automated processes across Office 365 and third-party applications without the help of developers. As useful as the software is, it comes with many potential security weaknesses, since automation flows can bypass security policies including data loss prevention (DLP).
Power Automate’s wide availability and ease of use also make it a particularly useful tool for attackers to orchestrate malicious command-and-control and lateral movement behaviors.
Investigating a Microsoft 365 attack with Power Automate
Attackers who have compromised Microsoft 365 abuse the Power Automate suite to automate their attacks. By setting up connectors for recurring data movements, they enable continuous data theft without manual intervention.
Detection events related to the abuse of Power Automate can be remediated quickly with the knowledge Vectra's Advanced Investigations feature provides. A Suspect Power Automate Flow Creation alert highlights unusual Power Automate usage. Analysts can investigate further by opening the account page and using the Instant Investigation tab to review Power Automate activity.
For a more in-depth analysis, teams can use the "Investigate further" action to explore additional details.
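As an added example (not part of the original post and not Vectra's own detection logic), the following Python scores flow-creation records of the kind behind a Suspect Power Automate Flow Creation alert. The record fields, the trigger/action names and the sample flows are constructed simplifications, not the real audit-log or connector schema; the tenant domain contoso.example is assumed. A flow is flagged when it auto-forwards incoming mail outside the tenant, or runs on a recurrence schedule and sends data to an external destination, the two patterns described above.

```python
from dataclasses import dataclass

# Constructed: the organisation's own mail domains (assumed value).
TENANT_DOMAINS = {"contoso.example"}


@dataclass
class FlowRecord:
    """Simplified flow-creation record (constructed schema, not the real audit log)."""
    flow_id: str
    creator: str
    trigger: str       # e.g. "When a new email arrives", "Recurrence"
    action: str        # e.g. "Forward an email", "Send an email", "Create file"
    destination: str   # mail recipient or storage target of the action


def external_domain(address, tenant_domains=TENANT_DOMAINS):
    """True if a mail address belongs to a domain outside the tenant."""
    if "@" not in address:
        return False   # not a mail address (e.g. an internal storage path)
    return address.rsplit("@", 1)[1].lower() not in tenant_domains


def assess_flow(rec):
    """Return the reasons a flow looks like automated data theft; empty means benign."""
    reasons = []
    mails_out = rec.action in {"Forward an email", "Send an email"}
    if rec.trigger == "When a new email arrives" and mails_out and external_domain(rec.destination):
        reasons.append("auto-forwards incoming mail to an external address")
    if rec.trigger == "Recurrence" and external_domain(rec.destination):
        reasons.append("scheduled recurring data movement to an external destination")
    return reasons


def suspicious_flows(records):
    """Map flow_id -> reasons for every flow that trips at least one rule."""
    return {r.flow_id: assess_flow(r) for r in records if assess_flow(r)}


# Constructed sample flows: one benign archive flow, one mail-forwarding flow,
# one scheduled exfiltration flow and one benign internal report flow.
SAMPLE_FLOWS = [
    FlowRecord("flow-001", "cfo@contoso.example", "When a new email arrives", "Create file", "SharePoint:/Finance/Archive"),
    FlowRecord("flow-002", "cfo@contoso.example", "When a new email arrives", "Forward an email", "drop@mailbox.example.net"),
    FlowRecord("flow-003", "analyst@contoso.example", "Recurrence", "Send an email", "collector@example.org"),
    FlowRecord("flow-004", "analyst@contoso.example", "Recurrence", "Send an email", "finance-team@contoso.example"),
]

if __name__ == "__main__":
    for flow_id, why in suspicious_flows(SAMPLE_FLOWS).items():
        print(flow_id, "->", "; ".join(why))
```

The same rules can be pointed at a real flow inventory once the record fields are mapped onto the fields your audit source actually exports.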
Request a demo to see how the Vectra AI platform detects malicious use of Power Automate.
Vectra CDR for Office 365
The importance of keeping a watchful eye on the misuse of user access cannot be overstated given its prevalence in real-world attacks. In the current cybersecurity landscape, security measures like multi-factor authentication are no longer enough to deter attackers. SaaS platforms like Office 365 are a safe haven for attacker lateral movement, making it paramount to focus on user access to accounts and services. When security teams have solid information and expectations about SaaS platforms such as Office 365, malicious behaviors and privilege abuse are much easier to quickly identify and mitigate.
Deployed in minutes without agents, Vectra Cloud Detection and Response for Office 365 gives you visibility of your Office 365 attack surface and allows you to:
- Detect suspicious account activity, such as multiple failed login attempts followed by a success, and which accounts were used in both scenarios
- Be aware of the creation of Power Automate flows, the addition of new accounts, and the installation of malicious applications
- Discover privilege escalation, including adding users to groups