I have discovered that all the lockdowns in O365 for forwarding emails outside of my organisation do not apply to Power Automate emails. Now that users can easily get an automated template that allows them to flat-forward their mailbox out to their Gmail accounts, we are concerned about data leakage with no way to detect it. This would also allow an attacker to get future emails after an account has been compromised, such as a password reset email. As Power Automate impersonates the user, all emails appear to be legit emails going to an external account. A detailed run-through of the issue can be found here: https://practical365.com/exchange-online/the-problem-with-flow-for-exchange-admins/ I need to know how to detect that Power Automate is sending data out, either by something being added into the header for tracking or an audit log of Automate hitting the mailbox via the API and generating/sending the email. As detailed in the article, the above is not possible at this stage. I would like, at the very least, a way to scope or block any domains except a list of internal domains from being able to be added into the To field. This would ensure only internal relay/accepted domains are able to be selected, to prevent data leakage when the actions SendEmail V2 or V3 are selected in a Power Automate (Flow) rule.

Ideas Administrator

Power Platform now supports SMTP header based email exfiltration blocking for the O365 Outlook connector - https://docs.microsoft.com/en-us/power-platform/admin/block-forwarded-email-from-power-automate
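As an added example (not code from this thread or from the linked Microsoft page), here is how an Exchange Online admin could act on that header-based signal: an audit-first mail flow rule that catches Power Automate-generated mail leaving the tenant unless the recipient is on an internal domain allow list, then the switch to enforcement. The header name and value are the ones Microsoft documents for the Office 365 Outlook connector; the domain list and report mailbox are placeholders you must replace.

```powershell
# Added example: Exchange Online mail flow rule for Power Automate egress.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
# Header names below are assumed from Microsoft's documentation for the
# Office 365 Outlook connector; confirm them against the linked docs page.
Connect-ExchangeOnline

# ASSUMPTION: replace with your tenant's accepted/internal domains.
$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')
# ASSUMPTION: mailbox that should receive incident reports.
$ReportMailbox = 'secops@contoso.com'
$RuleName = 'Power Automate mail to external recipients'

# 1. Create the rule in Audit mode first: nothing is blocked, but every
#    match produces an incident report so you can see which flows and
#    recipients would be affected before enforcing.
New-TransportRule -Name $RuleName `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -HeaderContainsMessageHeader 'x-ms-mail-application' `
    -HeaderContainsWords 'Microsoft Power Automate' `
    -ExceptIfRecipientDomainIs $InternalDomains `
    -GenerateIncidentReport $ReportMailbox `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections `
    -Mode Audit

# 2. Review the incident reports. To limit the rule to forwarding flows
#    only, a separate rule keyed on the 'x-ms-mail-operation-type' header
#    with the word 'Forward' can replace the broader 'x-ms-mail-application'
#    condition (a rule takes one header condition at a time).

# 3. Once the allow list is right, switch the same rule to enforcement:
#    the message is rejected and the sender (the flow owner) gets an NDR.
Set-TransportRule -Identity $RuleName `
    -Mode Enforce `
    -RejectMessageReasonText 'Automated mail to external recipients is not permitted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 4. Confirm the final state of the rule.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, Conditions, Exceptions, Actions
```

Keep the audit period long enough to cover flows that run on a weekly or monthly schedule, otherwise legitimate automations surface only after enforcement starts rejecting them.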



This issue is quite significant and needs urgent attention. Please assist.

Category: Automation and Tooling for Administrators