Abnormal Power Automate activity was observed from a user in the environment.
A user leveraged a Power Automate flow connector that was unusual for either the user or the environment.
A user modified another user's existing flow in a suspect manner.
Possible Root Causes
An attacker may be creating automated tasks within the environment to secretly exfiltrate data, manipulate data for impact, or create network control channels.
A normal user is attempting to subvert normal IT policies by leveraging native Microsoft infrastructure without authorization.
One of a small set of users who are authorized to leverage Power Automate flow was observed doing so.
Business Impact
Power Automate, Microsoft's native and on-by-default O365 automation tool, can be leveraged by attackers to interact directly with internal data and infrastructure to facilitate data exfiltration or attack automation.
Steps to Verify
Power Automate activities involving unauthorized connectors should be investigated immediately.
Users modifying other users' Power Automate flows should have explicit permission to do so.
Users authorized for Power Automate activities should be explicitly triaged to avoid future detections.
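As an added illustration of the three verification steps above (not part of the original detection description), the following script applies them to constructed Power Automate audit records. The record layout, the connector names, and the allow-lists (ALLOWED_CONNECTORS, AUTHORIZED_USERS, CROSS_EDIT_ALLOWED) are assumptions for this example, not the M365 audit schema or any real tenant policy.

```python
# Added example: triage logic for the "Steps to Verify" section, run over
# constructed Power Automate audit events. Field layout is a simplified
# assumption, not the exact M365 unified audit log schema.
from dataclasses import dataclass

# Assumed tenant policy (constructed values): permitted connectors, the small
# set of users authorized to use Power Automate, and users explicitly allowed
# to edit flows owned by someone else.
ALLOWED_CONNECTORS = {"shared_office365", "shared_sharepointonline"}
AUTHORIZED_USERS = {"ops-automation@example.com"}
CROSS_EDIT_ALLOWED = {"ops-automation@example.com"}


@dataclass
class FlowEvent:
    actor: str          # user performing the action
    operation: str      # e.g. CreateFlow, EditFlow (constructed labels)
    flow_owner: str     # owner of the flow being created or modified
    connectors: tuple   # connector identifiers referenced by the flow


def triage(events):
    """Return (severity, reason, event) findings for each audit event.

    'investigate': unauthorized connector in use (step 1, act immediately)
    'review':      cross-user edit without permission, or use by a user
                   outside the authorized set (steps 2 and 3)
    'benign':      authorized user acting within policy (step 3)
    """
    findings = []
    for ev in events:
        unauthorized = set(ev.connectors) - ALLOWED_CONNECTORS
        if unauthorized:
            findings.append(("investigate", f"unauthorized connector(s): {sorted(unauthorized)}", ev))
        elif ev.flow_owner != ev.actor and ev.actor not in CROSS_EDIT_ALLOWED:
            findings.append(("review", f"modified flow owned by {ev.flow_owner}", ev))
        elif ev.actor in AUTHORIZED_USERS:
            findings.append(("benign", "authorized Power Automate user", ev))
        else:
            findings.append(("review", "Power Automate use by non-authorized user", ev))
    return findings


# Constructed sample events: one benign, one unauthorized connector, one cross-user edit.
SAMPLE_EVENTS = [
    FlowEvent("ops-automation@example.com", "CreateFlow", "ops-automation@example.com", ("shared_office365",)),
    FlowEvent("alice@example.com", "CreateFlow", "alice@example.com", ("shared_office365", "shared_ftp")),
    FlowEvent("bob@example.com", "EditFlow", "alice@example.com", ("shared_sharepointonline",)),
]

if __name__ == "__main__":
    for severity, reason, ev in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {ev.actor} {ev.operation}: {reason}")
```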
M365 Suspect Power Automate Activity