M365 Power Automate HTTP Flow Creation


Detection overview

Triggers

  • An account has configured an internal resource for remote interaction through the use of a Power Automate HTTP Connector.

Possible Root Causes

  • An attacker is leveraging Power Automate HTTP connectors to extend malicious access into internal resources.
  • In rare cases, a Power Automate HTTP connector is used to enable legitimate external connectors which trigger approved internal actions.

Business Impact

  • Adversaries using this technique may gain malicious access to a wide range of internal resources including forms, pages, files, and emails.
  • Use of this technique allows an adversary to bypass login and MFA requirements once the Power Automate flow is installed.

Steps to Verify

  • Given the risk and relative rarity associated with Power Automate HTTP connectors, the legitimacy of associated flows should be investigated.
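
Added example, not from the original page or the vendor: a triage pass for the verification step above. It lists, per account, every flow that includes an HTTP connector and the other connectors it is paired with. The record field names, operation names and connector-name match are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample export. Field names (Operation, UserId, FlowConnectorNames,
# FlowDetailsUrl) are assumptions; map them to the schema of your own audit log.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2024-05-01T09:12:00", "Operation": "CreateFlow",
     "UserId": "alice@example.com", "FlowDetailsUrl": "https://flows.example.invalid/1",
     "FlowConnectorNames": "SharePoint, Office 365 Outlook"},
    {"CreationTime": "2024-05-02T23:47:00", "Operation": "CreateFlow",
     "UserId": "bob@example.com", "FlowDetailsUrl": "https://flows.example.invalid/2",
     "FlowConnectorNames": "OneDrive for Business, HTTP"},
    {"CreationTime": "2024-05-03T00:05:00", "Operation": "EditFlow",
     "UserId": "bob@example.com", "FlowDetailsUrl": "https://flows.example.invalid/3",
     "FlowConnectorNames": "Office 365 Outlook, HTTP"},
    {"CreationTime": "2024-05-03T10:00:00", "Operation": "CreateFlow",
     "UserId": "carol@example.com", "FlowDetailsUrl": "https://flows.example.invalid/4"},
])

FLOW_OPERATIONS = {"CreateFlow", "EditFlow"}  # assumed operation names

def connector_names(record):
    """Return lower-cased connector names, or None when the field is absent."""
    raw = record.get("FlowConnectorNames")
    if raw is None:
        return None
    return [n.strip().lower() for n in raw.split(",") if n.strip()]

def triage(export_json):
    """Group flows that include an HTTP connector by the account that set them up."""
    to_review = defaultdict(list)  # user -> (time, flow URL, other connectors)
    unknown = []                   # flow events whose connector list is missing
    for rec in json.loads(export_json):
        if rec.get("Operation") not in FLOW_OPERATIONS:
            continue
        names = connector_names(rec)
        if names is None:
            unknown.append(rec["FlowDetailsUrl"])
        elif any(n == "http" or n.startswith("http ") for n in names):
            others = sorted(n for n in names if not n.startswith("http"))
            to_review[rec["UserId"]].append(
                (rec["CreationTime"], rec["FlowDetailsUrl"], others))
    return dict(to_review), unknown

if __name__ == "__main__":
    flagged, unknown = triage(SAMPLE_EXPORT)
    print("review:", flagged)
    print("connector list missing, check manually:", unknown)
```

The connectors paired with the HTTP connector show which internal resource the flow exposes; events with no connector list are returned separately so they are reviewed by hand.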

Possible root causes

Malicious Detection

Benign Detection


Example scenarios


Business impact

If this detection indicates a genuine threat, the organization faces significant risks:


Steps to investigate

