Triggers
- Power Automate Flow creation has been observed from a user not typically associated with this activity.
Possible Root Causes
- An adversary has leveraged Power Automate as a persistence mechanism inside the environment.
- One of a small set of users who are authorized to perform Power Automate Flow creation has been observed doing so.
Business Impact
- Adversaries using this technique may gain unauthorized access to a wide range of internal resources, including forms, pages, files, and emails.
- Use of this technique may enable persistence or lateral movement, or may be used to establish a means for subsequent data exfiltration.
Steps to Verify
- Power Automate activity from unauthorized users should be investigated immediately.
- Users authorized for Power Automate activity should be explicitly triaged in this system to avoid future detections.
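The two verification steps above (investigate flow creation by users outside the authorized set, and triage the authorized set so it stops firing) can be reproduced offline against audit records. The script below is an added example written for this page, not code from the detection product or from Microsoft. The sample records are constructed; their field names (CreationTime, UserId, Workload, Operation, ObjectId) and the values "MicrosoftFlow" / "CreateFlow" are assumed to follow the shape of Microsoft 365 unified audit log entries. The allowlist AUTHORIZED_FLOW_CREATORS and the detection_start cut-off are also assumptions chosen for the example: records before the cut-off form the baseline of users "typically associated" with flow creation, records after it are evaluated.

```python
"""Flag Power Automate flow creation by users who are neither explicitly
authorized nor seen creating flows in a historical baseline window."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample audit records (not real events). Field names are assumed
# to follow the Microsoft 365 unified audit log schema; one JSON object per line.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2024-03-01T09:12:00","UserId":"alice@contoso.example","Workload":"MicrosoftFlow","Operation":"CreateFlow","ObjectId":"flow-0001"}
{"CreationTime":"2024-03-03T10:05:00","UserId":"alice@contoso.example","Workload":"MicrosoftFlow","Operation":"CreateFlow","ObjectId":"flow-0002"}
{"CreationTime":"2024-03-10T14:30:00","UserId":"bob@contoso.example","Workload":"MicrosoftFlow","Operation":"EditFlow","ObjectId":"flow-0001"}
{"CreationTime":"2024-03-28T02:41:00","UserId":"Bob@contoso.example","Workload":"MicrosoftFlow","Operation":"CreateFlow","ObjectId":"flow-0003"}
{"CreationTime":"2024-03-28T02:43:00","UserId":"svc-automation@contoso.example","Workload":"MicrosoftFlow","Operation":"CreateFlow","ObjectId":"flow-0004"}
{"CreationTime":"2024-03-28T11:00:00","UserId":"alice@contoso.example","Workload":"SharePoint","Operation":"FileAccessed","ObjectId":"doc.docx"}
"""

# Users explicitly triaged as authorized flow creators (constructed allowlist).
# Entries are compared case-insensitively so "Bob@" and "bob@" are one identity.
AUTHORIZED_FLOW_CREATORS = {"svc-automation@contoso.example"}


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records; timestamps become datetimes."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def flow_creations(records):
    """Keep only flow creation events; edits, deletes and other workloads are ignored."""
    return [
        r for r in records
        if r.get("Workload") == "MicrosoftFlow" and r.get("Operation") == "CreateFlow"
    ]


def flow_creators(records):
    """Count flow creations per user (lower-cased). Useful input for the
    'explicitly triage authorized users' step: review this list, then move
    legitimate creators into the allowlist."""
    return Counter(r["UserId"].lower() for r in flow_creations(records))


def detect_unusual_flow_creation(records, authorized, detection_start):
    """Return findings for flow creations at/after detection_start by users who
    are not on the allowlist and did not create any flow before detection_start."""
    if isinstance(detection_start, str):
        detection_start = datetime.fromisoformat(detection_start)
    authorized = {a.lower() for a in authorized}
    creations = flow_creations(records)

    # Baseline: users who created flows during the look-back period are
    # "typically associated" with this activity and are not flagged.
    baseline_users = {
        r["UserId"].lower() for r in creations if r["CreationTime"] < detection_start
    }

    findings = []
    for rec in sorted(creations, key=lambda r: r["CreationTime"]):
        if rec["CreationTime"] < detection_start:
            continue
        user = rec["UserId"].lower()
        if user in authorized:
            continue  # triaged as authorized: suppress to avoid future detections
        if user in baseline_users:
            continue  # previously seen creating flows: not unusual for this user
        findings.append({
            "user": user,
            "time": rec["CreationTime"].isoformat(),
            "flow": rec.get("ObjectId"),
            "reason": "flow creation by user with no prior flow creation and no authorization",
        })
    return findings


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("flow creators:", dict(flow_creators(recs)))
    for f in detect_unusual_flow_creation(recs, AUTHORIZED_FLOW_CREATORS, "2024-03-15"):
        print("INVESTIGATE:", f)
```

With the constructed data, alice is in the baseline (two creations before 2024-03-15), svc-automation is allowlisted, and bob's 02:41 creation is the only finding; bob's earlier EditFlow event does not count as a creation, which is why a baseline built from creations alone still flags him.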