During a recent Office 365 assessment, we ran into an interesting situation where Exchange was configured to disallow any external domain forwarding rules. This configuration is intended to prevent attackers from compromising an account and setting up forwarding for remote mail access and persistence. Part of this assessment was to validate that these configurations were properly implemented, and also to look for potential bypasses for this configuration.
Power Automate
As part of the Office 365 environment, we had access to the Power Automate application. Formerly known as Microsoft Flow, Power Automate is a framework for gluing together multiple services for automation tasks within Office 365.
Want to get an email every time someone uploads a file to your shared OneDrive folder? Connect Outlook and OneDrive in Power Automate and set up a flow. I like to think of it as IFTTT for the Microsoft ecosystem.
Forwarding Email
Since we were able to create connections and flows in Power Automate, we decided to connect Power Automate to Office 365 Outlook and create a flow for forwarding email to a NetSPI email address.
You can use the following process to set up external mail forwarding with Power Automate:
1. Under the Data menu, select “Connections”.
2. Select “New Connection” at the top of the window, and find the “Office 365 Outlook” connection.
3. Select “Create” on the connection and authorize the connection under the OAuth pop-up.
4. Navigate to the “Create” section from the left navigation menu, and select “Automated flow”.
5. Name the flow (OutlookForward) and search for the “When a new email arrives (V3)” Office 365 Outlook trigger.
6. Select any advanced options and add a new step.
7. In the added step, search for the Office 365 Outlook connection, and find the “Forward an email (V2)” action.
8. From the “Add dynamic content” link, find “Message Id” and select it for the Message Id.
9. Set your “To” address to the email address that you’d like to forward the message to.
10. Optional, but really recommended – Add one more step “Mark as read or unread (V2)” from the Office 365 Outlook connection, and mark the message as Unread. This will hopefully make the forwarding activity less obvious to the compromised account.
11. Save the flow and wait for the emails to start coming in.
You can also test the flow in the editor. It should look like this:
Taking it further
While forwarding email to an external account is handy, it may not accomplish the goal that we’re going for.
Here are a few more ideas for interesting things that could be done with Power Automate:
Use “Office 365 Users – Search for users (V2)” to do domain user enumeration
Export the results to an Excel file stored in OneDrive
Use the enumerated users list as targets for an email phishing message, sent from the compromised account
Watch an inbox for the template message, use the message body as your phishing email
Connect “OneDrive for Business” and an external file storage provider (Dropbox/SFTP/Google Drive) to mirror each other
When a file is created or modified, copy it to Dropbox
Connect Azure AD with an admin account to create a new user
Trigger the flow with an email to help with persistence.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Name
Domain
Purpose
Expiry
Type
YSC
youtube.com
YouTube session cookie.
52 years
HTTP
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Name
Domain
Purpose
Expiry
Type
VISITOR_INFO1_LIVE
youtube.com
YouTube cookie.
6 months
HTTP
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
We do not use cookies of this type.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
We do not use cookies of this type.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
We do not use cookies of this type.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Cookie Settings
Discover why security operations teams choose NetSPI.