Triggers
- An account has configured an internal resource for remote interaction through the use of a Power Automate HTTP Connector.
Possible Root Causes
- An attacker is leveraging Power Automate HTTP connectors to extend malicious access into internal resources.
- In rare cases, a Power Automate HTTP connector is used to enable legitimate external connectors which trigger approved internal actions.
Business Impact
- Adversaries using this technique may gain malicious access to a wide range of internal resources including forms, pages, files, and emails.
- Use of this technique allows an adversary to bypass login and MFA requirements once the Power Automate flow is installed.
Steps to Verify
- Given the risk and relative rarity associated with Power Automate HTTP connectors, the legitimacy of associated flows should be investigated.
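One way to start that investigation is to list every flow creation or edit that involves an HTTP connector and set aside the flows already approved. The script below is an added example, not part of the original detection or any vendor tooling. The field names, the operation names, and the one-JSON-record-per-line export format are assumptions to confirm against your own audit data, and the sample records are constructed.

```python
import json

# Assumed field names (Operation, UserId, CreationTime, FlowConnectorNames,
# FlowDetailsUrl) and operation names; confirm against your own audit export.
FLOW_OPS = {"createflow", "editflow"}

def http_connectors(record):
    """HTTP-family connectors from a comma-separated list; tolerates case,
    stray whitespace and a missing or null field."""
    raw = record.get("FlowConnectorNames") or ""
    names = {c.strip().lower() for c in raw.split(",")}
    return sorted(n for n in names if n.startswith("http"))

def triage(lines, approved_flows=frozenset()):
    """Return (findings, skipped): flow create/edit events that use an HTTP
    connector and are not pre-approved, oldest first, plus the number of
    lines that could not be parsed (reported so gaps stay visible)."""
    findings, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1
            continue
        if str(rec.get("Operation", "")).lower() not in FLOW_OPS:
            continue
        hits = http_connectors(rec)
        flow = rec.get("FlowDetailsUrl", "")
        if not hits or flow in approved_flows:
            continue
        findings.append({"user": rec.get("UserId", "unknown"), "flow": flow,
                         "time": rec.get("CreationTime") or "",
                         "operation": rec["Operation"], "connectors": hits})
    return sorted(findings, key=lambda f: f["time"]), skipped

# Constructed sample records; not real audit data.
BASE = "https://flow.example.invalid/flows/"
SAMPLE_LINES = [
    json.dumps({"Operation": "CreateFlow", "UserId": "alice@example.invalid", "CreationTime": "2024-01-02T10:00:00", "FlowConnectorNames": "Office 365 Outlook, HTTP", "FlowDetailsUrl": BASE + "1111"}),
    json.dumps({"Operation": "EditFlow", "UserId": "bob@example.invalid", "CreationTime": "2024-01-02T11:00:00", "FlowConnectorNames": "SharePoint", "FlowDetailsUrl": BASE + "3333"}),
    json.dumps({"Operation": "CreateFlow", "UserId": "svc@example.invalid", "CreationTime": "2024-01-03T08:00:00", "FlowConnectorNames": " http ", "FlowDetailsUrl": BASE + "2222"}),
    "truncated line, not JSON",
    json.dumps({"Operation": "DeleteFlow", "UserId": "carol@example.invalid", "CreationTime": "2024-01-02T12:00:00", "FlowConnectorNames": "HTTP", "FlowDetailsUrl": BASE + "4444"}),
    json.dumps({"Operation": "EditFlow", "UserId": "dave@example.invalid", "CreationTime": "2024-01-01T09:00:00", "FlowConnectorNames": "SharePoint,HTTP Webhook", "FlowDetailsUrl": BASE + "5555"}),
]
```

Pass the URLs of flows the business has signed off on as approved_flows; each remaining finding is a flow whose owner and purpose still need to be confirmed.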