M365 Suspect Power Automate Activity
Detection overview
Triggers
- Abnormal Power Automate activity was observed from a user in the environment.
- A user leveraged a Power Automate flow connector that was unusual for either the user or the environment.
- A user modified another user existing flow in a suspect manner.
Possible Root Causes
- An attacker may be creating automated tasks within the environment to secretly exfil, manipulate data for impact, or create network control channels.
- A normal user is attempting to subvert normal IT policies by leveraging native Microsoft infrastructure without authorization.
- One of a small set of users who are authorized to leverage Power Automate flow was observed doing so.
Business Impact
- Power Automate, Microsoft’s native and on-by-default O365 automation tool, can be leveraged by attackers to interact directly with internal data and infrastructure to facilitate data exfil or attack automation.
Steps to Verify
- Power Automate activities involving unauthorized connectors should be investigated immediately.
- Users modifying other user’s Power Automate flows should have explicit permission to do so.
- Users authorized for Power Automate activities should be explicitly triaged to avoid future detections.
M365 Suspect Power Automate Activity
Possible root causes
Malicious Detection
Benign Detection
M365 Suspect Power Automate Activity
Example scenarios
M365 Suspect Power Automate Activity
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Suspect Power Automate Activity
Steps to investigate
M365 Suspect Power Automate Activity
MITRE ATT&CK techniques covered
M365 Suspect Power Automate Activity
Related detections
No items found.