O365 Suspicious Power Automate Flow Creation

View all detections
O365 Suspicious Power Automate Flow Creation

Triggers

  • Power Automate Flow creation has been observed by a user not typically associated with this activity.

Possible Root Causes

  • An adversary has leveraged Power Automate as a persistence mechanism inside the environment.
  • One of a small set of users who are authorized to perform Power Automate Flow creation has been observed doing so.

Business Impact

  • Adversaries using this technique may gain malicious access to a wide range of internal resources including forms, pages, files, and emails.
  • Use of this technique may enable persistence or lateral movement, or may be used to establish a means for subsequent data exfiltration.

Steps to Verify

  • Power Automate activities from unauthorized users should be immediately investigated
  • Users authorized for Power Automate activities should be explicitly triaged in this system to avoid future detections.