M365 Suspect Power Automate Activity

View all detections
M365 Suspect Power Automate Activity


  • Abnormal Power Automate activity was observed from a user in the environment.
  • A user leveraged a Power Automate flow connector that was unusual for either the user or the environment.
  • A user modified another user existing flow in a suspect manner.

Possible Root Causes

  • An attacker may be creating automated tasks within the environment to secretly exfil, manipulate data for impact, or create network control channels.
  • A normal user is attempting to subvert normal IT policies by leveraging native Microsoft infrastructure without authorization.
  • One of a small set of users who are authorized to leverage Power Automate flow was observed doing so.

Business Impact

  • Power Automate, Microsoft’s native and on-by-default O365 automation tool, can be leveraged by attackers to interact directly with internal data and infrastructure to facilitate data exfil or attack automation.

Steps to Verify

  • Power Automate activities involving unauthorized connectors should be investigated immediately.
  • Users modifying other user’s Power Automate flows should have explicit permission to do so.
  • Users authorized for Power Automate activities should be explicitly triaged to avoid future detections.