Triggers
- Abnormal Power Automate activity was observed from a user in the environment.
- A user leveraged a Power Automate flow connector that was unusual for either the user or the environment.
- A user modified another user existing flow in a suspect manner.
Possible Root Causes
- An attacker may be creating automated tasks within the environment to secretly exfil, manipulate data for impact, or create network control channels.
- A normal user is attempting to subvert normal IT policies by leveraging native Microsoft infrastructure without authorization.
- One of a small set of users who are authorized to leverage Power Automate flow was observed doing so.
Business Impact
- Power Automate, Microsoft’s native and on-by-default O365 automation tool, can be leveraged by attackers to interact directly with internal data and infrastructure to facilitate data exfil or attack automation.
Steps to Verify
- Power Automate activities involving unauthorized connectors should be investigated immediately.
- Users modifying other user’s Power Automate flows should have explicit permission to do so.
- Users authorized for Power Automate activities should be explicitly triaged to avoid future detections.