M365 Suspect Power Automate Activity
Detection overview
The "M365 Suspect Power Automate Activity" detection identifies potentially unauthorized or unusual activities involving Microsoft Power Automate, an Office 365 tool used to create automated workflows. This detection helps identify when Power Automate is used for data exfiltration, automation of attack mechanisms, or actions that bypass typical user policies.
Triggers
- Abnormal Power Automate activity was observed from a user in the environment.
- A user leveraged a Power Automate flow connector that was unusual for either the user or the environment.
- A user modified another user existing flow in a suspect manner.
Possible Root Causes
- An attacker may be creating automated tasks within the environment to secretly exfil, manipulate data for impact, or create network control channels.
- A normal user is attempting to subvert normal IT policies by leveraging native Microsoft infrastructure without authorization.
- One of a small set of users who are authorized to leverage Power Automate flow was observed doing so.
Business Impact
- Power Automate, Microsoft’s native and on-by-default O365 automation tool, can be leveraged by attackers to interact directly with internal data and infrastructure to facilitate data exfil or attack automation.
Steps to Verify
- Power Automate activities involving unauthorized connectors should be investigated immediately.
- Users modifying other user’s Power Automate flows should have explicit permission to do so.
- Users authorized for Power Automate activities should be explicitly triaged to avoid future detections.
M365 Suspect Power Automate Activity
Possible root causes
Malicious Detection
An attacker who has gained access to an account may create or alter Power Automate flows to facilitate data exfiltration, automate repetitive attack actions, or establish control channels that allow for persistence and lateral movement. This tactic bypasses standard monitoring tools and can interact directly with internal data and services.
Benign Detection
In legitimate scenarios, users might create or adjust Power Automate workflows as part of regular business operations, such as automating report generation or integrating different applications. However, unusual usage patterns or unauthorized use can raise alerts, especially if it deviates from normal user behavior.
M365 Suspect Power Automate Activity
Example scenarios
1. Unauthorized flow creation for data transfer
An attacker modifies an existing Power Automate workflow to send data to an external service, disguising it as part of normal business operations.
2. Internal user testing security limits
A user without sufficient authorization creates complex flows that trigger security mechanisms, prompting an investigation.
M365 Suspect Power Automate Activity
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Data Exfiltration Risk
Malicious Power Automate flows can enable attackers to transfer sensitive information outside the organization, leading to data breaches.
Operational Integrity Threats
Power Automate workflows manipulated by an attacker can impact the organization by automating harmful actions, such as sending misleading communications or changing data.
Increased Persistence Opportunities
The ability to automate and schedule tasks provides attackers a foothold for maintaining long-term access.
M365 Suspect Power Automate Activity
Steps to investigate
Review Power Automate Flow Details
Examine the connectors and actions within the flow to identify any unusual patterns that do not align with expected user behavior.
Analyze User Access and Permissions
Confirm that the user modifying or creating flows has the proper authorization and that no unauthorized changes were made.
Check Prior Activities
Investigate any recent logins or modifications to understand if the user’s account has been compromised or used as part of an attack sequence.
Monitor for Subsequent Activities
Track if any data exfiltration or additional automated tasks occur after the creation or modification of suspicious Power Automate workflows.
M365 Suspect Power Automate Activity
MITRE ATT&CK techniques covered
M365 Suspect Power Automate Activity
Related detections
FAQs
Why is Power Automate used maliciously?
Attackers exploit its powerful automation capabilities to interact with internal resources, bypass security checks, and conduct operations covertly.
What should I do if suspicious activity is detected?
Immediately review the flow's details, contact the involved user, and investigate any linked activities for potential compromise.
Are logs available for Power Automate activity?
Yes, Office 365 provides audit logs that can be used to review flow creation, modification, and execution.
What types of data are most at risk?
Data stored in connected services like SharePoint, OneDrive, and email content could be targeted by malicious workflows.
Is this detection part of a larger threat?
Often, yes. It may be associated with other tactics involving lateral movement, data collection, or external C2 channels.
How can I determine if Power Automate use is legitimate?
Check the user's history and roles to confirm if using Power Automate aligns with their job responsibilities.
Can benign users trigger this detection?
Yes, if a legitimate user performs an unusual or novel workflow action that deviates from typical patterns.
Is there a way to prevent unauthorized Power Automate usage?
Implement role-based access control, monitor audit logs, and restrict connectors as necessary.
Can Power Automate be used for command execution?
Yes, it can execute scripts or call external services that perform command-like actions.
What tools can detect and mitigate these actions?
Solutions with deep Microsoft 365 integration, including advanced threat protection and audit capabilities, help monitor and control Power Automate activities.