M365 Suspicious Power Automate Flow Creation
Detection overview
Triggers
- Power Automate Flow creation has been observed by a user not typically associated with this activity.
Possible Root Causes
- An adversary has leveraged Power Automate as a persistence mechanism inside the environment.
- One of a small set of users who are authorized to perform Power Automate Flow creation has been observed doing so.
Business Impact
- Adversaries using this technique may gain malicious access to a wide range of internal resources including forms, pages, files, and emails.
- Use of this technique may enable persistence or lateral movement, or may be used to establish a means for subsequent data exfiltration.
Steps to Verify
- Power Automate activities from unauthorized users should be immediately investigated
- Users authorized for Power Automate activities should be explicitly triaged in this system to avoid future detections.
M365 Suspicious Power Automate Flow Creation
Possible root causes
Malicious Detection
Benign Detection
M365 Suspicious Power Automate Flow Creation
Example scenarios
M365 Suspicious Power Automate Flow Creation
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Suspicious Power Automate Flow Creation
Steps to investigate
M365 Suspicious Power Automate Flow Creation
MITRE ATT&CK techniques covered
M365 Suspicious Power Automate Flow Creation
Related detections
No items found.