# Full Report
Cybersecurity researchers have disclosed details of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform that, if successfully exploited, could allow threat actors to harvest a user's credentials and stage follow-on attacks. This could manifest in the form of post-exploitation actions that allow the attacker to send requests to the SharePoint API on behalf
# Analysis Summary
# Vulnerability: SSRF in Microsoft SharePoint Connector for Power Platform Leading to Token Leakage
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided, but severity is rated as **"Important"**.
- CWE: Server-Side Request Forgery (SSRF).
## Affected Systems
- Products: Microsoft SharePoint Connector used within **Power Platform** ecosystems, including:
  * Power Automate
  * Power Apps
  * Copilot Studio
  * Copilot 365
- Versions: Not specified, but applies to versions prior to the December 13 patch.
- Configurations: Exploitation requires the attacker to possess the **Environment Maker role** and the **Basic User role** within the target Power Platform environment.
## Vulnerability Description
The vulnerability is an instance of Server-Side Request Forgery (SSRF) in the SharePoint connector's "custom value" functionality. The flaw allows an attacker to insert arbitrary URLs into a flow configuration. When a target user (who must have been socially engineered or tricked into running it) executes that flow, the request is made in the user's context, and the user's SharePoint JWT access token can be leaked to the attacker. With that token the attacker can impersonate the user against the SharePoint API and gain unauthorized access to sensitive data. The scope of impact is widened because the malicious flow or app can also interact with interconnected services such as Power Apps and Copilot Studio.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but details were shared after responsible disclosure.
- Complexity: **Medium** (Requires pre-existing roles: Environment Maker and Basic User).
- Attack Vector: **Network** (Social engineering via crafted apps/flows shared with victims).
## Impact
- Confidentiality: **High** (Leakage of JWT access tokens allowing unauthorized access to sensitive data).
- Integrity: **High** (Ability to send requests on behalf of the impersonated user).
- Availability: Potentially Moderate (Depending on post-exploitation actions).
## Remediation
### Patches
- Microsoft addressed the security hole as of **December 13** (following responsible disclosure in September 2024). Specific patch version numbers were not provided in the text.
### Workarounds
- **Restrict Role Permissions:** Crucially, ensure threat actors cannot obtain the required **Environment Maker role** and **Basic User role** in Power Platform environments.
- **Scrutinize Shared Resources:** Limit the creation and sharing of custom apps/flows, especially those involving the SharePoint connector.
- **User Education:** Alert users about embedded Canvas apps, flows, or Copilot agents that request interaction, particularly if shared unexpectedly (e.g., within Teams channels).
## Detection
- **Indicators of Compromise (IoCs):**
  * Unusual outbound requests from Power Platform connector activity to external destinations, particularly requests that carry or attempt to retrieve access tokens or credentials.
  * Unauthorized creation or modification of flows/apps by users holding the Environment Maker role.
- **Detection Methods and Tools:**
  * Monitoring Power Platform audit logs for anomalous flow execution or resource-sharing activity, including activity by accounts that are otherwise considered legitimate.
  * Inspecting network traffic logs for Power Platform service endpoints reaching unexpected destinations, which may indicate token exfiltration.
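As an added example (not code from Microsoft, Zenity Labs or this report), the Python below shows two defender-side uses of a single allow-list check, covering both the Vulnerability Description above and the detection methods in this section: the check a connector should apply to a "custom value" URL before attaching the user's bearer token, and the same check run as a rule over flow audit records. The audit record layout is a hypothetical simplification, not the real Power Platform audit schema, and the connector labels, users, flow ids and URLs are all constructed assumptions.

```python
"""Added example, not Microsoft's or Zenity's code: a tenant-side allow-list check
for SharePoint connector "custom value" URLs, and the same check applied as a
detection rule over flow audit records.

The audit record layout below is a hypothetical simplification, not the real
Power Platform audit schema; users, flow ids, connector labels and URLs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOST_SUFFIXES = (".sharepoint.com",)  # constructed tenant allow-list
PRIVILEGED_ROLES = {"Environment Maker"}       # role the advisory says the attacker needs
CONNECTOR = "sharepoint"                       # constructed connector label


def is_allowed_connector_url(url, allowed_suffixes=ALLOWED_HOST_SUFFIXES):
    """True only for an https URL whose host is a tenant SharePoint host.

    A bearer token should be attached to the outgoing request only when this
    passes; sending it to an arbitrary "custom value" URL is the token leak.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    host = parts.hostname  # lower-cased, userinfo and IPv6 brackets stripped
    if parts.scheme.lower() != "https" or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://tenant.sharepoint.com@other.example/" style URLs
    if port not in (None, 443):
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is never a tenant SharePoint host
    except ValueError:
        pass
    # Suffix match on a label boundary: "evil-sharepoint.com" must not pass.
    return any(host.endswith(suffix) for suffix in allowed_suffixes)


def scan_audit_records(records):
    """Flag flow create/edit/share events whose SharePoint connector step carries
    a custom-value URL outside the allow-list.

    Returns (flow_id, actor, offending_urls, reason) tuples; the reason notes
    when the actor holds the privileged role or has shared the flow onward.
    """
    findings = []
    for rec in records:
        if rec.get("connector") != CONNECTOR:
            continue
        bad = [u for u in rec.get("custom_value_urls", []) if not is_allowed_connector_url(u)]
        if not bad:
            continue
        reason = "custom value targets a host outside the tenant's SharePoint"
        if rec.get("actor_role") in PRIVILEGED_ROLES:
            reason += f"; actor holds {rec['actor_role']}"
        if rec.get("operation") == "ShareFlow":
            reason += f"; shared with {len(rec.get('shared_with', []))} principal(s)"
        findings.append((rec["flow_id"], rec["actor"], bad, reason))
    return findings


# Constructed sample records (hypothetical layout, see module docstring).
SAMPLE_RECORDS = [
    {"operation": "CreateFlow", "flow_id": "flow-001", "actor": "alice@contoso.example",
     "actor_role": "Basic User", "connector": CONNECTOR,
     "custom_value_urls": ["https://contoso.sharepoint.com/sites/hr/_api/web"]},
    {"operation": "EditFlow", "flow_id": "flow-002", "actor": "mallory@contoso.example",
     "actor_role": "Environment Maker", "connector": CONNECTOR,
     "custom_value_urls": ["https://contoso.sharepoint.com@collector.example/hook"]},
    {"operation": "ShareFlow", "flow_id": "flow-002", "actor": "mallory@contoso.example",
     "actor_role": "Environment Maker", "connector": CONNECTOR,
     "custom_value_urls": ["https://contoso.sharepoint.com@collector.example/hook"],
     "shared_with": ["bob@contoso.example", "carol@contoso.example", "dave@contoso.example"]},
    {"operation": "CreateFlow", "flow_id": "flow-003", "actor": "alice@contoso.example",
     "actor_role": "Basic User", "connector": "mail",  # constructed, non-SharePoint connector
     "custom_value_urls": ["https://collector.example/"]},
]

if __name__ == "__main__":
    for flow_id, actor, urls, reason in scan_audit_records(SAMPLE_RECORDS):
        print(f"{flow_id} by {actor}: {reason} -> {urls}")
```

The validator is deliberately strict: it rejects userinfo, non-default ports and IP literals rather than trying to normalise them, because a connector that is about to attach a user's access token should fail closed on anything that is not plainly a tenant host. The scan reuses the same function so that the mitigation and the detection rule cannot drift apart, and it weights findings by the two signals this report calls out, the Environment Maker role and onward sharing of the flow.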
## References
- Vendor advisory (Microsoft, dated December 13 update).
- Zenity Labs Report.
- Relevant context regarding SSRF: [owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)