M365 Suspicious Power Automate Flow Creation

Detection overview

Triggers

  • Power Automate Flow creation has been observed by a user not typically associated with this activity.

Possible Root Causes

  • An adversary has leveraged Power Automate as a persistence mechanism inside the environment.
  • One of a small set of users who are authorized to perform Power Automate Flow creation has been observed doing so.

Business Impact

  • Adversaries using this technique may gain unauthorized access to a wide range of internal resources, including forms, pages, files, and emails.
  • Use of this technique may enable persistence or lateral movement, or may be used to establish a channel for subsequent data exfiltration.

Steps to Verify

  • Power Automate activities from unauthorized users should be investigated immediately.
  • Users authorized for Power Automate activities should be explicitly triaged in this system to avoid future detections for their expected activity.
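A worked illustration of the trigger and the triage step above, added here as an example and not Vectra's own detection logic: it learns which users routinely create flows from audit records in a lookback window, then flags flow creations in the evaluation window by anyone outside that baseline who has not been explicitly triaged. The record field names (RecordType, Operation, UserId, CreationTime) and the operation value CreateFlow are assumptions about the Microsoft 365 Unified Audit Log schema, and the sample records are constructed; check the field names against your own tenant's export before relying on them.

```python
"""Baseline-based detection of unusual Power Automate flow creation.

Added example, not Vectra's detection code. Field names and the
'CreateFlow' operation are assumptions about the M365 Unified Audit
Log export format; the records below are constructed sample data.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit records (not real tenant data).
SAMPLE_RECORDS = [
    {"CreationTime": "2023-11-20T12:00:00", "RecordType": "MicrosoftFlow",
     "Operation": "CreateFlow", "UserId": "old-user@example.com"},
    {"CreationTime": "2024-01-15T10:00:00", "RecordType": "MicrosoftFlow",
     "Operation": "CreateFlow", "UserId": "automation-admin@example.com"},
    {"CreationTime": "2024-02-05T09:00:00", "RecordType": "MicrosoftFlow",
     "Operation": "CreateFlow", "UserId": "it-ops@example.com"},
    {"CreationTime": "2024-02-10T11:30:00", "RecordType": "MicrosoftFlow",
     "Operation": "CreateFlow", "UserId": "Automation-Admin@example.com"},
    {"CreationTime": "2024-02-20T16:45:00", "RecordType": "MicrosoftFlow",
     "Operation": "CreateFlow", "UserId": "it-ops@example.com"},
    {"CreationTime": "2024-03-02T08:15:00", "RecordType": "MicrosoftFlow",
     "Operation": "CreateFlow", "UserId": "automation-admin@example.com"},
    {"CreationTime": "2024-03-03T22:47:00", "RecordType": "MicrosoftFlow",
     "Operation": "CreateFlow", "UserId": "finance-user@example.com"},
    {"CreationTime": "2024-03-03T23:02:00", "RecordType": "MicrosoftFlow",
     "Operation": "EditFlow", "UserId": "automation-admin@example.com"},
    {"CreationTime": "2024-03-04T07:10:00", "RecordType": "MicrosoftFlow",
     "Operation": "CreateFlow", "UserId": "contractor@example.com"},
]

# Start of the evaluation window; everything before it is history.
WINDOW_START = datetime(2024, 3, 1)

# Analyst-maintained allowlist: users explicitly triaged as authorized.
TRIAGED_USERS = {"contractor@example.com"}

# Operations treated as flow creation (assumed audit-log value).
FLOW_CREATE_OPS = {"CreateFlow"}


def is_flow_creation(rec):
    """True for a Power Automate record whose operation creates a flow."""
    return (rec.get("RecordType") == "MicrosoftFlow"
            and rec.get("Operation") in FLOW_CREATE_OPS)


def build_baseline(records, window_start, lookback_days=90, min_events=2):
    """Users who created at least `min_events` flows in the lookback window
    that ends at `window_start`. Requiring more than one historic creation
    keeps a single stray event from silently whitelisting a user."""
    cutoff = window_start - timedelta(days=lookback_days)
    counts = Counter()
    for rec in records:
        if not is_flow_creation(rec):
            continue
        ts = datetime.fromisoformat(rec["CreationTime"])
        if cutoff <= ts < window_start:
            counts[rec["UserId"].lower()] += 1  # UPNs are case-insensitive
    return {user for user, n in counts.items() if n >= min_events}


def find_suspicious(records, baseline, triaged_users, window_start):
    """Flow creations at or after `window_start` by users who are neither
    in the learned baseline nor explicitly triaged. Returns (time, user)."""
    triaged = {u.lower() for u in triaged_users}
    alerts = []
    for rec in records:
        if not is_flow_creation(rec):
            continue
        ts = datetime.fromisoformat(rec["CreationTime"])
        if ts < window_start:
            continue
        user = rec["UserId"].lower()
        if user in baseline or user in triaged:
            continue
        alerts.append((rec["CreationTime"], user))
    return alerts


def run_example():
    """Run the detection over the constructed records."""
    baseline = build_baseline(SAMPLE_RECORDS, WINDOW_START)
    return find_suspicious(SAMPLE_RECORDS, baseline, TRIAGED_USERS, WINDOW_START)


if __name__ == "__main__":
    for when, user in run_example():
        print(f"SUSPICIOUS flow creation: {user} at {when}")
```

The baseline is learned only from records before the evaluation window, so a newcomer who creates several flows in quick succession cannot train their own way into it. The triaged set is the manual counterpart to the "explicitly triaged" step above; the EditFlow record and the record older than the lookback window are ignored, and the mixed-case UserId is normalized so one user does not appear as two.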
