M365 Power Automate HTTP Flow Creation
Detection overview
Triggers
- An account has congured an internal resource for remote interaction through the use of a Power Automate HTTP Connector.
Possible Root Causes
- An attacker is leveraging Power Automate HTTP connectors to extend malicious access into internal resources.
- In rare cases, a Power Automate HTTP connector is used to enable legitimate external connectors which trigger approved internal actions.
Business Impact
- Adversaries using this technique may gain malicious access to a wide range of internal resources including forms, pages, files, and emails.
- Use of this technique allows an adversary to bypass login and MFA requirements once the Power Automate flow is installed.
Steps to Verify
- Given the risk and relative rarity associated with Power Automate HTTP connectors, the legitimacy of associated flows should be investigated.
M365 Power Automate HTTP Flow Creation
Possible root causes
Malicious Detection
Benign Detection
M365 Power Automate HTTP Flow Creation
Example scenarios
M365 Power Automate HTTP Flow Creation
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Power Automate HTTP Flow Creation
Steps to investigate
M365 Power Automate HTTP Flow Creation
MITRE ATT&CK techniques covered
M365 Power Automate HTTP Flow Creation
Related detections
No items found.