Malware is coming for your Power Platform tools

As low-code technology grows in popularity, it becomes a more attractive target for malicious actors. How can the community protect itself from these risks?

“Who would bother creating malware that targets a niche technology like this anyway?”

In the early days of Dynamics, it was only natural to assume that business software used in a narrow field with a small market share wasn’t going to be lucrative enough for the bad people to invest time and attention in. Today, Microsoft Power Platform has become a mainstream technology that spans citizen developer apps, enterprise CRM & ERP systems, and increasingly AI-powered Copilot agents as well.

It is already a target - one way or another. A recent malware incident for a popular Power Platform & Dynamics 365 developer browser extension is one example of this.

From Power Pane to Power Malware

Professionals who need to configure, extend, and develop for Power Platform have feature needs that aren’t always met by the tools Microsoft provides them. Given both the clear need and the technical ability, this audience often likes to create its own tools to make everyday work more tolerable and efficient.

The Dynamics 365 Power Pane is an example of such a tool. It is a client-side solution that adds useful menu items to a Dynamics 365 / Power Apps model-driven app. Instead of spending time navigating all over the place to perform actions in the native UI provided by Microsoft, or retrieving raw data via API calls, Power Pane gives developers a graphical user experience that addresses their productivity needs:

On the surface, everything looks good. The GitHub project has 193 commits, 15 releases, 71 stars, 34 forks. There’s a Patreon for supporting the project. Power Pane has a nice landing page, instructing the visitor to just install the extension on Chrome or Firefox.

GitHub Pages page for the crm-power-pane project

Except you can’t install it on Chrome anymore, since Google took it down. Because it was reported to contain malware. Which appears to be true.

Chrome notification of malware in the installed extension, from Tim Golisch blog post.

The GitHub project was archived a month ago. There haven’t been any commits to it for 3 years, but in practice something else has been happening behind the scenes: changes made only to the extension packages published to the browser web stores. Meaning, something that you couldn’t see from the published source code at all.
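The gap between the published source and the package actually shipped from the web store is where this kind of change hides, and it is something anyone can check before trusting an extension. The script below is an added example, not Power Pane’s code: it reads an unpacked extension’s manifest.json, flags permissions that reach beyond a single business app (the permission list is my selection from Chrome’s documented permission names), and hashes every file so a store package can be compared against a build you reviewed from source. The two extension trees it audits are constructed sample data, with a hypothetical `telemetry.js` standing in for whatever a buyer might add.

```python
"""Audit an unpacked browser extension before trusting it: flag manifest
permissions that reach beyond one business app, and compare the shipped files
against a build you reviewed from the published source. Added example, not
Power Pane's code; the permission lists below are assumptions for this demo."""
import hashlib
import json
import os
import tempfile

# Permission names that let an extension read browsing data or touch every site.
# Chosen from documented Chrome permission names; the selection is an assumption.
RISKY_PERMISSIONS = {
    "cookies", "history", "tabs", "webRequest", "webRequestBlocking",
    "webNavigation", "declarativeNetRequest", "scripting", "nativeMessaging",
    "management",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifest(ext_dir):
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        return json.load(fh)


def risky_permissions(manifest):
    """Return (risky API permissions, broad host patterns) found in a manifest."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 lists host match patterns inside "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    return sorted(perms & RISKY_PERMISSIONS), sorted(hosts & BROAD_HOSTS)


def file_hashes(ext_dir):
    """SHA-256 of every file, keyed by path relative to the extension root."""
    hashes = {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ext_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def diff_builds(reviewed_dir, shipped_dir):
    """Files the store package adds, drops or changes relative to the reviewed build."""
    a, b = file_hashes(reviewed_dir), file_hashes(shipped_dir)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def _write(ext_dir, name, content):
    with open(os.path.join(ext_dir, name), "w", encoding="utf-8") as fh:
        fh.write(content)


def build_sample_extensions():
    """Constructed sample data: a reviewed build and a 'store' build that quietly
    gained browsing-data permissions and a telemetry script. Hypothetical files,
    not the real extension's."""
    base = tempfile.mkdtemp(prefix="ext-audit-")
    reviewed = os.path.join(base, "reviewed")
    shipped = os.path.join(base, "shipped")
    os.makedirs(reviewed)
    os.makedirs(shipped)
    manifest = {
        "manifest_version": 3,
        "name": "Example CRM helper",
        "version": "1.0",
        "permissions": ["storage"],
        "host_permissions": ["https://*.crm.dynamics.com/*"],  # illustrative host pattern
    }
    _write(reviewed, "manifest.json", json.dumps(manifest))
    _write(reviewed, "background.js", "// opens the form editor\n")

    manifest["permissions"] += ["cookies", "history"]
    manifest["host_permissions"].append("<all_urls>")
    _write(shipped, "manifest.json", json.dumps(manifest))
    _write(shipped, "background.js", "// opens the form editor\nimportScripts('telemetry.js');\n")
    _write(shipped, "telemetry.js", "// hypothetical script added after the sale\n")
    return reviewed, shipped


def audit_sample():
    """Run both checks over the constructed sample and return the findings."""
    reviewed, shipped = build_sample_extensions()
    return {
        "reviewed_risky": risky_permissions(load_manifest(reviewed)),
        "shipped_risky": risky_permissions(load_manifest(shipped)),
        "diff": diff_builds(reviewed, shipped),
    }


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

In practice the “shipped” side is the unpacked CRX or XPI pulled from the browser’s extension directory, and the “reviewed” side is the build produced from the tagged source on GitHub. A clean permission list with no added files is not proof of safety, but new browsing-data permissions or files that do not exist in the repository are exactly the signal that was invisible from the archived source in this case.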

There’s an insightful, detailed post on the bigger story this particular incident relates to, published by Wladimir Palant: The Karma connection in Chrome Web Store. I recommend at least browsing through this research work to understand what kind of actors are out there, trying to make money via browser extensions and the data collection they enable:

Long story short: at some point, the original developer of the Power Pane extension had made the unfortunate decision to sell it to someone else. The buyer turned out to be in the malware business, resulting in every single one of the tool’s users getting their browsing history captured and sold to the highest bidder. What else was done with the privileges given to the extension, we will likely never know.

Why does this happen?

The Chrome extension of Dynamics 365 Power Pane had 70,000 weekly active users. This is pretty nice for a project that had allegedly not been updated for 3 years now. Well, apart from adding the malware code into the version available from browser web stores.

Other developers of popular browser extensions in the Power Platform scene have said that they also get occasional emails asking whether they’d be willing to sell their extension to a third party. Now, as with any community-provided tools that have been published freely for anyone to use, one should always ask: what’s the incentive for someone to purchase the rights to such a tool?

If you’re lucky, the result will be merely enshittification of the tool. Maybe the users will be shown ever more ads, in exchange for the features remaining as-is and slowly eroding. Perhaps they’ll be tricked into signing up for some unrelated paid service that now became a prerequisite for using the tool. In any case, all data that can be captured from users will be sold to anyone who’s willing to pay for it.

If you’re unlucky, your software originally developed for the noble cause of giving back to the community will end up being used for even more sinister purposes. Now it provides a backdoor into systems used by major corporations. Instead of merely selling user data, the business model here is to sell the access key to much more valuable data.

Especially with extensions aimed at developers, the user is often interacting with business applications using highly privileged user accounts. If you happen to have sysadmin access not just to the development environments but potentially all the Power Platform / Dynamics 365 environments in the tenant (via tenant-level roles), that’s a mighty interesting identity for attackers. Hijacking the user session from your cookies can provide a way in & allow implanting their own solutions into environments for exfiltrating data on a scheduled basis, for example.

Who’s to blame for such an attack vector? What makes this malware route possible? Fundamentally, the root cause is not having ways to get compensated for the work that delivers tangible value to the community. Relying on voluntary donations isn’t a sustainable source of income for most folks. It’s nice to get downloads and likes, yet they don’t put food on the table. If you have a popular piece of software with a broad install base, creating no revenue but potentially just maintenance work - imagine what happens when one day someone comes along and says “we could give you some money for this”?

Hardly anyone starts with a plan to 1) create an awesome tool, then 2) make money by adding malware into it. People want to help other people. It’s just that the world isn’t always fair. When things happen, the above-mentioned exploitation path can open and create an avenue for darker business models - planned by someone other than the people who want to build awesome tools.

Why we still need the community tools

The simplest way to minimize risks from community developed tools getting injected with malware would of course be to “block all the things!!1!”

The thing is, though: the ecosystem around Power Platform relies on community contributions. Most people today could not get their work done if there weren’t both content and tools that are not shipped by Microsoft. It’s an ecosystem for a reason that goes far beyond the official business relationships of Microsoft partner organizations. Individuals who have received value from the community will in turn want to help others by providing value in their own ways. That’s the virtuous cycle that powers true growth.

Even Microsoft’s own documentation highlights some notable community tools:

When it comes to tools developed by community members, I feel their importance has only grown as the BizApps products have gone mainstream. Sure, MS has bigger teams building the products and they’re rolling out features faster than ever. Yet their focus seems to be on the one shiny thing. While everyone in Redmond is busy building for “the future of work” via AI, who’s going to take care of the work customers need to manage here & today - so that there will be a future for them?

Another factor that underlines the need for community tools is the way MS is trying to cater to a broader user audience, often by focusing on the least experienced users in its UI design. Increasingly, Microsoft is ignoring the needs of power users and developers when “modernizing” the user interfaces of its tools. One sad example of this is the new security role editor launched inside the Power Platform Admin Center. In short, its real-life usability is terrible, because the UI feels like an obstacle to the complex task of security role management.

Modern security role editor in PPAC: merely 3 visible rows, can’t fit in all default columns.

If you remember what the “legacy” experience for security role editing was, you’ll probably not be praising it for ease of use either. Yet at least we could see more than just 3 rows worth of privileges on a QHD screen at once.

The community can do so much more here. They can design a tool that meets their own needs, because they themselves represent the target user persona. We the Power Platform admins don’t need more white space - we need higher information density. Regardless of Microsoft’s promises to make this a configurable UI setting for the users to adjust, nothing has happened on this front in the Unified Interface development over the years. It simply isn’t a priority for MS, as is validated by one comment on my LinkedIn post about this:

The challenge is that the product team has a large platform to both maintain and enhance with limited resources. They are being judged and incentivized based on license sales and performance in the market. When I worked at Microsoft, I asked this question directly to the dev tools lead and the following is me paraphrasing his response. "No CEO cares about developer tooling. CEOs write checks because they see the value the platform can bring to their business, and we will always prioritize product features over tooling". And in that response, we have the answer. We can debate the merits of the strategy, but it is the reality and the answer to the age-old question.

Ex-MSFT employee’s reflections on the role of features vs. tooling

You want better tooling? You gotta build it. And that’s precisely what the community does. The amazing set of XrmToolBox plugins remains the most concrete example of how much value the community members can deliver to each other.

As an example, the recently released _n.RoleEditor by Riccardo Gregori solves not just the information density problem for security role editing but also streamlines many common tasks in role editing. This is what we need - not a “modern” UI that gets in your way.

_n.RoleEditor in XrmToolBox: showing 33 rows, multiple panes, and so much more.

How do we know that the tools in our ‘Box don’t get injected with malware then? That indeed is the question.

Earning community trust

I don’t believe we’ll be able to solve the problem on a technical level. For as long as parts of the code that we need for working with Power Platform are not managed by Microsoft but rather provided from the community, blocking the possibility of malware entirely would be tough.

Therefore, the answer needs to come from what the community is founded on: trust.

When no contracts and financial transactions exist, the currency of the community is trust between its members. Over time, via your actions in the community, you gain trust from the network of peers. When you are not just an unknown profile on GitHub but rather a person that engages with other community members, trust accumulates on your account over time. Importantly: when you act and communicate like a human being, rather than a GenAI bot, you score more trust points.

How does someone who has not yet engaged with you in the community know that you’re trustworthy? That happens through the validation of other trusted community members. For example, if I choose to amplify the message of someone in the Power Platform ecosystem with my own actions, that clearly implies that I trust them enough to put my credibility on the line. Such microtransactions of trust happen every day and that makes it the “big data” of signals that the community can collectively use to help its members avoid untrustworthy sources of information or software.

As an example, I can honestly say that “everyone I know” trusts the Level up for Dynamics 365/Power Apps browser extension. Knowing the person behind it and his contributions to the community, I have zero doubts that it would ever (intentionally) become a vehicle for distributing malware.

User review and extension safety for Level Up

Web store reviews and installation counts are data points that everyone has access to. Now, they aren’t exactly as reliable as the currency of community trust. In these days of app store based business models, the numbers are too easy to intentionally manipulate. It’s particularly unfortunate for those newcomers to the ecosystem who have not yet built their own networks of trusted community members to serve as filters to block out the spam and malware.

Having been part of this community for almost two decades already, it’s easy for me to sometimes forget what it looks like for those who are only joining it today. I have the luxury of a network of trusted individuals that help me evaluate what’s important and which players are trustworthy. If you don’t have that and can only ask Google or ChatGPT for advice, the risks of choosing the wrong tools or information sources are indeed much higher.

A key reason I want to write my newsletters and social posts is to make it possible for others to make smart choices. To make sense of all the complex things in our ecosystem. To find those sources of value in the community that deserve everyone’s attention. I’ve been thinking about ways to make this more efficient and scalable. Hopefully soon I can share some plans I have on the next steps in this journey.


The ever-increasing layers of security tech

Technology does play a role in anything related to scaling for higher volumes. Whether it’s caused by more apps or more threats, it’s tough to address the new needs arising from growth without at least some technological solutions to support it. Given what generative AI is capable of already today, even ensuring that a seemingly trustworthy community member isn’t actually a deepfake is an interesting challenge for the online networks we communicate in.

Just like low-code products have gone mainstream, I feel like the same is happening with Microsoft’s security products. They are no longer the exclusive domain of full-time cybersecurity professionals. Similar to how there are now citizen developers, could our new AI infused world require “citizen security analysts”? At the very least, broader awareness of cybersecurity threats and the available tools and techniques for addressing them may soon become a requirement for all developers of apps and agents.

For the past six months, I’ve consciously attempted to dip my toes into the infosec waters and explore ways to expose myself to the relevant Microsoft products in my daily work. While going through the recent Microsoft Ignite 2024 announcements, I decided to activate one of the new security layers provided by Microsoft Purview in my own tenant. Data Security Posture Management for AI (or “DSPM” like the cool kids call it) includes many features, with one of them being related to activities tracked on the browser level.

This example policy for "detect when users visit AI sites" is based on a browser extension that keeps track of specific website usage. Then if a user visits any of the sites in the public list that MS maintains, that's supposed to trigger an alert in Purview insider risk management.

Purview DSPM for AI creating an alert if I visit the domain aiisajoke.com on my PC.

Similar kinds of browser signals can be collected for several other types of sites and activities. When it comes to malware, known malicious services & software are monitored by Microsoft’s Defender products already today. Maybe the browser extension based attacks will also become harder as the suite of security tools evolves.

Sometimes, protection must extend beyond just the users. In the case of Purview insider risk management, it’s the organization that is seeking protection from risks. When attempting to spot actions where the employee is violating the policies of the employer, relying on voluntary browser extension installation of course won’t be sufficient. Meaning, you’ll need to manage the device and its browsers & profiles in a centralized manner.
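One concrete form that centralized management takes is a browser extension policy that denies everything by default and allows only the extensions someone has reviewed. The script below is an added example, not from the page or from Microsoft: it builds a Chrome `ExtensionSettings` policy (a real Chrome enterprise policy name; the keys `installation_mode`, `blocked_permissions` and `blocked_install_message` are its documented fields) from a list of reviewed extension IDs, and audits an existing policy for the two common mistakes, a permissive default and installable IDs that nobody reviewed. The extension IDs are constructed placeholders in the valid 32-character a-p format, not real extensions.

```python
"""Build and audit a default-deny Chrome ExtensionSettings policy so that only
extensions an admin has reviewed can be installed. Added example; the policy
keys are Chrome's documented enterprise policy names, the extension IDs are
constructed placeholders, not real extensions."""
import json
import re

# A Chrome extension ID is 32 characters from the range a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")
# installation_mode values under which the extension can end up on the device.
INSTALLABLE_MODES = {"allowed", "force_installed", "normal_installed"}


def build_policy(reviewed_ids, blocked_permissions=()):
    """Block every extension by default, then allow only the reviewed IDs."""
    policy = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": "Request a review before installing extensions.",
        }
    }
    if blocked_permissions:
        # Permissions that even allowed extensions may not use.
        policy["*"]["blocked_permissions"] = sorted(blocked_permissions)
    for ext_id in reviewed_ids:
        if not EXTENSION_ID.match(ext_id):
            raise ValueError(f"not a valid extension id: {ext_id}")
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy


def audit_policy(policy, reviewed_ids):
    """Return findings for an existing policy; an empty list means it matches intent."""
    findings = []
    if policy.get("*", {}).get("installation_mode") != "blocked":
        findings.append("'*' entry does not block unreviewed extensions")
    for ext_id, settings in policy.items():
        if ext_id == "*":
            continue
        if not EXTENSION_ID.match(ext_id):
            findings.append(f"{ext_id}: malformed extension id")
            continue
        if settings.get("installation_mode") in INSTALLABLE_MODES and ext_id not in reviewed_ids:
            findings.append(f"{ext_id}: installable but not on the reviewed list")
    return findings


def policy_json(policy):
    """Serialize in the shape of a managed-policy JSON file, keyed by policy name."""
    return json.dumps({"ExtensionSettings": policy}, indent=2, sort_keys=True)


# Constructed placeholder IDs (valid format, not real extensions).
REVIEWED_ID = "abcdefghijklmnopabcdefghijklmnop"
UNREVIEWED_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"

# Weak policy as found on many devices: the default allows anything,
# an unreviewed extension is installable, and one entry is not even an ID.
WEAK_POLICY = {
    "*": {"installation_mode": "allowed"},
    UNREVIEWED_ID: {"installation_mode": "allowed"},
    "not-an-extension-id": {"installation_mode": "blocked"},
}

if __name__ == "__main__":
    print("weak policy findings:", audit_policy(WEAK_POLICY, {REVIEWED_ID}))
    print(policy_json(build_policy([REVIEWED_ID], blocked_permissions=["history"])))
```

On Linux the generated JSON goes into the browser’s managed policies directory; on Windows the same policy is delivered through Group Policy or Intune as a registry value holding that JSON. The caveat that matters for this story: an allowlist pins an extension ID, not its code. The web store keeps updating the allowed extension whenever its current publisher ships a new version, so a reviewed ID still has to be re-checked after ownership changes, ideally by comparing the installed files against the build you reviewed.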

No employee has ever been excited about the opportunity to get their PC and phone more tightly controlled by corporate IT. For app makers and developers who need to work with technologies beyond the basic Microsoft 365 apps and common enterprise systems, any hurdles that stop them from leveraging useful community tools will feel like unnecessary obstacles. Like with low-code governance, it’s all about achieving a healthy balance where the different parties can live with the necessary compromises.

There will be new cases of malware discovered in Power Platform related tools. Trying to hide the use of these essential tools isn’t gonna solve that problem. The more eyes we have on tools that are used by developers and admins across the globe, the more we recognize their value, the more support we offer for such projects - the harder it will be for the malicious actors to sneak in without getting caught.
