M365 Power Automate HTTP Flow Creation

View all detections
M365 Power Automate HTTP Flow Creation


  • An account has congured an internal resource for remote interaction through the use of a Power Automate HTTP Connector.

Possible Root Causes

  • An attacker is leveraging Power Automate HTTP connectors to extend malicious access into internal resources.
  • In rare cases, a Power Automate HTTP connector is used to enable legitimate external connectors which trigger approved internal actions.

Business Impact

  • Adversaries using this technique may gain malicious access to a wide range of internal resources including forms, pages, files, and emails.
  • Use of this technique allows an adversary to bypass login and MFA requirements once the Power Automate flow is installed.

Steps to Verify

  • Given the risk and relative rarity associated with Power Automate HTTP connectors, the legitimacy of associated flows should be investigated.