The tools are powerful, so it only makes sense that bad actors would target them, no?
The malicious use of Power Automate came to the forefront when Microsoft reported finding an advanced threat actor inside a large multinational organization that was using the tool to automate data exfiltration. That activity went undetected for over 200 days.
Equally important is eDiscovery content search (compliance search), the electronic discovery tool that lets an authorized user search across Microsoft 365 content and applications with a single query. An attacker who controls an account holding those permissions (for example, a member of the eDiscovery Manager role group) gets the same reach, which makes eDiscovery a ready-made data discovery and exfiltration tool. A simple search for “password” will return matches from Outlook mailboxes, Teams, SharePoint, OneDrive, and OneNote in one pass, and the results can then be exported.
Look, we’ve always had this issue in the eDiscovery space: to put data on hold and collect it for a lawsuit, someone has to be able to access all of it. That means there has to be an account somewhere with effectively unlimited rights to search and collect huge amounts of data from your environment, whenever necessary.
As important as that ability is when you face litigation, an account, and tools, with that level of access are an inherent danger, because whoever controls that account, legitimately or not, can do exactly the same thing.
Balancing the two isn’t easy. That’s why we all need to monitor these tools carefully, rather than letting them sit there unwatched: know who holds eDiscovery and Power Automate admin rights, and look at the audit trail for searches, exports, and new or changed flows.
That way lies chaos.
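Here is what that monitoring can look like in practice, as an added example that is not code from the original post or from Microsoft. It triages unified audit log records for the two things discussed above: eDiscovery searches that hunt for credentials or export results, and Power Automate flows being created or edited. The RecordType values (Discovery, MicrosoftFlow) and operation names (SearchCreated, SearchExported, CreateFlow, EditFlow) follow the Microsoft 365 audit log schema as I know it, while the field names Query, SearchName and FlowName are assumptions about the AuditData JSON and should be checked against records from your own tenant. The sample records are constructed for this example.

```powershell
# Triage of unified audit log records for eDiscovery and Power Automate abuse.
# Example code added for this post (not from the original article or Microsoft).
# Assumed AuditData field names: Query, SearchName, FlowName. Verify them against
# real records before relying on this in production.

# Constructed sample records standing in for parsed Search-UnifiedAuditLog output.
$sampleJson = @'
[
 {"CreationTime":"2024-03-01T02:14:09","RecordType":"Discovery","Operation":"SearchCreated",
  "UserId":"hr-admin@contoso.example","SearchName":"Payroll Q1",
  "Query":"subject:\"payroll\" AND sent>=2024-01-01"},
 {"CreationTime":"2024-03-01T02:17:33","RecordType":"Discovery","Operation":"SearchCreated",
  "UserId":"svc-backup@contoso.example","SearchName":"Sweep",
  "Query":"password OR passwd OR credential"},
 {"CreationTime":"2024-03-01T02:41:10","RecordType":"Discovery","Operation":"SearchExported",
  "UserId":"svc-backup@contoso.example","SearchName":"Sweep"},
 {"CreationTime":"2024-03-01T03:05:51","RecordType":"MicrosoftFlow","Operation":"CreateFlow",
  "UserId":"svc-backup@contoso.example","FlowName":"Forward new mail"}
]
'@
$records = $sampleJson | ConvertFrom-Json

# Search terms that have no place in a legitimate legal hold or collection.
$credentialTerms = @('password', 'passwd', 'credential', 'secret')

function Get-AuditFindings {
    param([Parameter(Mandatory)] [object[]] $Records)

    $findings = @()
    foreach ($r in $Records) {
        switch ($r.RecordType) {
            'Discovery' {
                # A new search whose query targets credentials is the "password" sweep
                # described in the post.
                if ($r.Operation -eq 'SearchCreated' -and $r.Query) {
                    $hits = $credentialTerms | Where-Object { $r.Query -match "\b$_\b" }
                    if ($hits) {
                        $findings += [pscustomobject]@{
                            Time     = $r.CreationTime
                            User     = $r.UserId
                            Severity = 'High'
                            Reason   = "Search '$($r.SearchName)' hunts for credentials: $($hits -join ', ')"
                        }
                    }
                }
                # An export is the moment data actually leaves the tenant.
                if ($r.Operation -eq 'SearchExported') {
                    $findings += [pscustomobject]@{
                        Time     = $r.CreationTime
                        User     = $r.UserId
                        Severity = 'High'
                        Reason   = "Results of search '$($r.SearchName)' were exported"
                    }
                }
            }
            'MicrosoftFlow' {
                # New or changed flows deserve a look at their connectors and destinations.
                if ($r.Operation -in 'CreateFlow', 'EditFlow') {
                    $findings += [pscustomobject]@{
                        Time     = $r.CreationTime
                        User     = $r.UserId
                        Severity = 'Medium'
                        Reason   = "$($r.Operation) '$($r.FlowName)': review connectors and where data is sent"
                    }
                }
            }
        }
    }
    # Several findings from one account inside a short window is the pattern to escalate;
    # sorting by time makes that sequence visible.
    $findings | Sort-Object Time
}

Get-AuditFindings -Records $records | Format-Table -AutoSize
```

Against a live tenant, replace the constructed `$records` with the output of `Search-UnifiedAuditLog` from the ExchangeOnlineManagement module, called once per record type (`-RecordType Discovery` and `-RecordType MicrosoftFlow`) with a `-StartDate`/`-EndDate` window, piping each record's `AuditData` property through `ConvertFrom-Json`. Pair the script with a periodic review of who is in the eDiscovery Manager role group and who holds Power Platform admin rights, so that a finding can be tied to whether the account should have had that access at all.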