Microsoft Teams: Workflows within File Chiclet
🚨 The Signal: Teams now allows users to run and create workflows directly from file menus. This increases the attack surface for malicious automation and data exfiltration via compromised accounts or rogue workflows.
The Impact
All Teams users are affected, increasing the risk of data exfiltration and unauthorized automation if not properly governed.
- End Users: Risk of inadvertently triggering malicious workflows.
- Security Teams: Increased attack surface for data exfiltration and unauthorized automation.
- Admins: New vectors for data loss and compliance breaches to monitor.
- Compliance Teams: Potential for data handling policy violations via new workflows.
The Action
- Review existing Power Automate DLP policies in the Power Platform admin center (admin.powerplatform.microsoft.com).
- Create new DLP policies to restrict connectors and actions for Power Automate in Teams.
- Implement tenant-wide or environment-specific restrictions on custom connectors.
- Educate users on safe workflow practices and on how to report suspicious automation.
- Monitor Power Automate audit logs for unusual workflow creation or execution.
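
One way to act on the audit-log item above, as an added example (not Microsoft tooling and not code from this page): a small triage pass over exported audit records that flags accounts authoring workflows for the first time and bursts of workflow changes from one account. The field names, the operation names in `WATCHED_OPS`, the thresholds and the sample records are assumptions; match them to what your tenant's export actually contains.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed operation names for flow creation, edits and sharing changes.
WATCHED_OPS = {"CreateFlow", "EditFlow", "PutPermissions"}
BURST_WINDOW = timedelta(minutes=10)   # assumed threshold, tune per tenant
BURST_THRESHOLD = 3                    # watched events per user per window

# Constructed sample records (not real audit data).
SAMPLE = [
    {"CreationTime": "2025-01-05T08:00:00", "UserId": "alice@example.com", "Operation": "CreateFlow"},
    {"CreationTime": "2025-02-03T09:00:00", "UserId": "alice@example.com", "Operation": "EditFlow"},
    {"CreationTime": "2025-02-03T09:30:00", "UserId": "carol@example.com", "Operation": "DeleteFlow"},
    {"CreationTime": "2025-02-03T10:00:00", "UserId": "bob@example.com", "Operation": "CreateFlow"},
    {"CreationTime": "2025-02-03T10:02:00", "UserId": "bob@example.com", "Operation": "CreateFlow"},
    {"CreationTime": "2025-02-03T10:05:00", "UserId": "bob@example.com", "Operation": "PutPermissions"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def find_unusual(records, baseline_end):
    """Return (reason, user, timestamp) findings for events after baseline_end.

    Events before baseline_end only build the set of known workflow authors.
    """
    known = set()
    recent = defaultdict(list)   # user -> event times inside the burst window
    findings = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        if rec["Operation"] not in WATCHED_OPS:
            continue
        when = parse(rec["CreationTime"])
        user = rec["UserId"].lower()
        if when < baseline_end:
            known.add(user)
            continue
        if user not in known:
            findings.append(("first_seen_author", user, rec["CreationTime"]))
            known.add(user)
        window = [t for t in recent[user] if when - t <= BURST_WINDOW] + [when]
        recent[user] = window
        if len(window) == BURST_THRESHOLD:   # fire once when the threshold is reached
            findings.append(("burst", user, rec["CreationTime"]))
    return findings

if __name__ == "__main__":
    for finding in find_unusual(SAMPLE, parse("2025-02-01T00:00:00")):
        print(finding)
```

Findings from a pass like this are leads for review rather than verdicts; a new author may simply be a user trying the new file-menu entry point.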
Domain: Teams · Impact: high · Workload: Teams · Essential Eight: User Application Hardening · ISM: ISM-1412, ISM-1485, ISM-1486, ISM-1542, ISM-1585, ISM-1667, ISM-1668, ISM-1669, ISM-1670, ISM-1823, ISM-1824, ISM-1859, ISM-1860