Thanks to my friend Jason Velasco for drawing my attention to the article Hidden Dangers of Microsoft 365’s Power Automate and eDiscovery Tools. Hitesh Sheth at DarkReading.com is extrapolating from a massive data-collection study by Vectra of 4 million Cognito Detect for Office 365 customers. I am not sure that I agree with his red-flag alert that hackers are actively using Power Automate and eDiscovery services to find and export highly sensitive files, based on suspicious lateral-movement behaviors. Many common user and admin actions mimic hacker actions (or vice versa). However, he is right to call out the potential for black-hat actors to use these powerful tools to identify and surreptitiously steal passwords, banking information, price lists, employee PII and other critical data assets. This exact scenario happened to a “large multi-national corporation” and went undetected for over 200 days. Microsoft’s Detection and Response Team (DART) found 5 additional, distinct attacker campaigns within the environment when they responded to the breach.
Many of my corporate legal department clients struggle to justify the broad access that Compliance/eDiscovery roles grant them. Almost 20 years ago I put special audit-log security into Enterprise Vault’s Discovery Accelerator to ‘protect Legal’ from bad actors who might use DA to spy on exec communications or steal data assets. Within M365, you can create activity alerts that flag compliance center activities like exports and notify users. These alerts offer many other parameters for detecting a bad actor. Since my area of expertise is eDiscovery and Info Gov, I will encourage my Security expert friends to write up those alerts and publish them for us all. But the alert process looks simple enough: identify search/export actions for specific eDiscovery users and send them an email alert. M365 eDiscovery exports are pretty slow, especially for any sizeable volumes. An unexpected alert would allow your legal staff to call security and lock down the Azure export location fast.
My one caveat is dealing with the eDiscovery platforms that have M365 integrations for placing holds and running collections. I have spoken with many of these providers since my recent alert on the search issue that may have affected SharePoint/OneDrive targets. To security policies, these integrations would look like an external hacker. So I recommend that you include Security in implementation planning so that they can architect appropriate monitoring rules in the event that your cloud service is hacked and used against your M365 data. Legal should not be directly responsible for security, compliance, records or other corporate functions. All of these oversight roles do require good communication and coordination so that everyone understands and accommodates their differing requirements and workflows. That role as interdepartmental coordinator and translator keeps me busy. Find your own internal/external facilitator to bring stakeholders together.
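The export alert described two paragraphs up, plus the baseline review that lets Legal and Security recognise which accounts (including eDiscovery platform integrations) normally export from the tenant, as an added example in Security & Compliance PowerShell. This is not code from the post or from Microsoft; it assumes the ExchangeOnlineManagement module, an account holding a role such as Compliance Administrator, and placeholder addresses. The operation names are the ones the unified audit log records for content search exports, but confirm them against your own tenant’s audit log before relying on the policy.

```powershell
# Added example (not from the post): create alert policies that notify Legal and the SOC
# whenever eDiscovery search results are exported, then list which accounts have exported
# recently so known integration service accounts can be agreed on with Security.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator (or equivalent).

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'compliance.admin@contoso.example'   # placeholder UPN

# Who should hear about an export right away (placeholder addresses).
$notify = @('legal-ops@contoso.example', 'soc@contoso.example')

# Audit operations tied to content search / eDiscovery export (verify in your tenant's log).
$exportOps = @('SearchExported', 'SearchExportDownloaded')

# One alert per operation, fired on every occurrence (no aggregation), so a single
# unexpected export is enough to trigger the email while the slow export is still running.
foreach ($op in $exportOps) {
    New-ProtectionAlert -Name "eDiscovery export: $op" `
        -Category AccessGovernance `
        -ThreatType Activity `
        -Operation $op `
        -AggregationType None `
        -Severity High `
        -NotifyUser $notify `
        -Description "Notify Legal and SOC whenever an eDiscovery search export occurs ($op)."
}

# Baseline: which accounts have exported in the last 30 days? Integration service accounts
# (hold/collection connectors) show up here, so the expected ones can be documented
# and anything else treated as a reason to call Security.
$since = (Get-Date).AddDays(-30)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -Operations $exportOps -ResultSize 5000 |
    Group-Object -Property UserIds |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count

Disconnect-ExchangeOnline -Confirm:$false
```

Run the baseline query first and share the account list with Security; the alert policies then fire on every export, and the recipients compare the user in the notification against the agreed list before deciding whether to lock down the Azure export location.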
Greg Buckles wants your feedback, questions or project inquiries at Greg@eDJGroupInc.com. Contact him directly for a free 15 minute ‘Good Karma’ call. He solves problems and creates eDiscovery solutions for enterprise and law firm clients.
Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment or advice. Greg is no longer a journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being posted. Do you want to share your own perspective? Greg is looking for practical, professional informative perspectives free of marketing fluff, hidden agendas or personal/product bias. Outside blogs will clearly indicate the author, company and any relevant affiliations.