Power Automate Flow Created: Automation Abuse & Data Exfiltration Risk

Why this risk matters

Power Automate is Microsoft's workflow automation platform, deeply integrated with Microsoft 365. It allows users to create automated flows that connect services, move data, send emails, and trigger actions across the tenant. This capability is powerful for legitimate productivity use — and equally powerful for data exfiltration, persistence, or bypassing security controls.

Overe detects when a new Power Automate flow is created. This is not because every flow is suspicious, but because flows created by compromised accounts or malicious insiders can establish persistent data pipelines that continue operating even after a password reset or session revocation.

A flow that copies all new email attachments to an external service, sends a daily digest of calendar events outside the organisation, or exports SharePoint document changes to a third-party webhook is a data exfiltration tool that runs without any further user interaction.

What happens if this is abused

  • Attacker creates a flow from a compromised account that continuously forwards email attachments to an external email address
  • Flow created to export OneDrive file changes to external storage, establishing a persistent exfiltration channel
  • Calendar data, contact lists, or internal communications automatically synced to a personal or attacker-controlled account
  • Flow survives password reset and session revocation because it runs server-side under stored connections rather than the user's interactive session; a credential change does not remove the flow definition, so the flow keeps running until it is explicitly disabled or deleted
  • Insider creates a flow that quietly extracts business data on a scheduled basis before departing the organisation

When this is expected or acceptable

Power Automate is widely used for legitimate business purposes — approvals, notifications, data synchronisation, and process automation. The detection of a new flow does not indicate a problem on its own.

What warrants investigation is the destination, the data being processed, and the account that created the flow. A flow created by an admin to automate an approval process is different from a flow created outside business hours by a user with no automation history, connecting to a personal email address or external webhook.

Checks to perform before taking action

Before responding to a Power Automate flow alert:

  • Identify who created the flow and whether automation activity is consistent with their role
  • Review what the flow does — what triggers it, what data it accesses, and where it sends output
  • Check whether the flow connects to any external services or destinations outside the organisation
  • Review the account for other indicators of compromise — sign-in anomalies, forwarding rules, or unusual file access
  • Confirm with the user or their manager whether the flow was intentionally created for a business purpose
  • Check whether the flow has been run since creation and what output it has produced
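The checks above reduce to a handful of attributes per flow-creation event: who created it, which connectors it uses, whether any of those connectors leave the tenant, and when it was created. The following Python script is an added triage example, not Overe's code and not Microsoft's. It scores constructed CreateFlow records written in the shape of the AuditData JSON that Search-UnifiedAuditLog -RecordType MicrosoftFlow returns; the connector risk table, the business-hours window, the sample events and the set of known automators are all assumptions made for the example.

```python
"""Triage of Power Automate CreateFlow audit events (added example, not Overe's code)."""
import json
from datetime import datetime

# Connector ids (the "shared_*" names Power Platform uses) that can move data out of
# the tenant. Constructed for this example; align it with your own DLP policy.
EGRESS_CONNECTORS = {
    "shared_gmail": "consumer mail",
    "shared_sendmail": "anonymous mail relay",
    "shared_webcontents": "HTTP request / webhook",
    "shared_dropbox": "external storage",
    "shared_googledrive": "external storage",
    "shared_onedrive": "consumer OneDrive",
}

# Connectors that read tenant data. A flow pairing one of these with an egress
# connector has the exact shape of the exfiltration pipelines described above.
SOURCE_CONNECTORS = {
    "shared_office365",          # Outlook mail and calendar
    "shared_sharepointonline",
    "shared_onedriveforbusiness",
    "shared_office365users",     # directory / contact data
}

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC; assumption, set to your tenant's hours


def parse_audit_record(audit_data: str) -> dict:
    """Extract the triage fields from one AuditData JSON blob. Assumes the common-schema
    fields UserId / ObjectId / CreationTime plus the flow-specific FlowConnectorNames."""
    d = json.loads(audit_data)
    return {
        "flow_id": d["ObjectId"],
        "creator": d["UserId"].lower(),
        "created": datetime.fromisoformat(d["CreationTime"].replace("Z", "+00:00")),
        "connectors": [c for c in d.get("FlowConnectorNames", "").split(",") if c],
        "details_url": d.get("FlowDetailsUrl", ""),
    }


def triage(rec: dict, known_automators: set) -> dict:
    """Score one CreateFlow event; the reasons list is what goes into the ticket."""
    egress = [c for c in rec["connectors"] if c in EGRESS_CONNECTORS]
    source = [c for c in rec["connectors"] if c in SOURCE_CONNECTORS]
    reasons, score = [], 0
    if egress:
        score += 3
        reasons.append("external destination: " + ", ".join(
            f"{c} ({EGRESS_CONNECTORS[c]})" for c in egress))
    if egress and source:
        score += 3
        reasons.append("tenant data source wired to an external destination")
    if rec["created"].hour not in BUSINESS_HOURS:
        score += 1
        reasons.append(f"created outside business hours ({rec['created']:%H:%M} UTC)")
    if rec["creator"] not in known_automators:
        score += 1
        reasons.append("creator has no prior flow-creation history")
    return {"flow_id": rec["flow_id"], "creator": rec["creator"], "score": score,
            "reasons": reasons, "details_url": rec["details_url"]}


def rank_create_flow_events(audit_blobs: list, known_automators: set) -> list:
    """Parse and score a batch of events, most urgent first."""
    results = [triage(parse_audit_record(b), known_automators) for b in audit_blobs]
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample events: an admin's approvals flow, an overnight mail-to-Gmail
# flow from a first-time creator, and a SharePoint-to-webhook flow from the admin.
SAMPLE_EVENTS = [
    json.dumps({"CreationTime": "2024-03-12T10:15:02Z", "Operation": "CreateFlow",
                "UserId": "it.automation@example.com",
                "ObjectId": "11111111-1111-4111-8111-111111111111",
                "FlowConnectorNames": "shared_approvals,shared_office365,shared_sharepointonline"}),
    json.dumps({"CreationTime": "2024-03-13T02:40:11Z", "Operation": "CreateFlow",
                "UserId": "J.Doe@example.com",
                "ObjectId": "22222222-2222-4222-8222-222222222222",
                "FlowConnectorNames": "shared_office365,shared_gmail"}),
    json.dumps({"CreationTime": "2024-03-13T14:05:40Z", "Operation": "CreateFlow",
                "UserId": "it.automation@example.com",
                "ObjectId": "33333333-3333-4333-8333-333333333333",
                "FlowConnectorNames": "shared_sharepointonline,shared_webcontents"}),
]
KNOWN_AUTOMATORS = {"it.automation@example.com"}  # constructed: seed from earlier CreateFlow events

if __name__ == "__main__":
    for r in rank_create_flow_events(SAMPLE_EVENTS, KNOWN_AUTOMATORS):
        print(r["score"], r["creator"], r["flow_id"], "; ".join(r["reasons"]) or "no findings")
```

In practice the input is the AuditData strings from an audit log export and known_automators is seeded from a few months of earlier CreateFlow events. The reasons list maps one-to-one onto the checks above; the score is only an ordering for analyst attention, not a verdict, and a zero score still leaves the business-purpose confirmation with the user or manager to be done.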

Safe remediation steps

  1. Use Overe to review new Power Automate flows created across the tenant, prioritising flows with external connectors
  2. For flows created by potentially compromised accounts, disable the flow immediately and investigate the account
  3. For flows with external destinations, confirm with the account owner that the destination is legitimate and approved
  4. Review organisational Power Automate data loss prevention policies to restrict high-risk connector types
  5. For confirmed malicious flows, delete them and assess what data was transferred
  6. Overe can automatically revoke sessions when a Power Automate Flow Created alert fires; configure auto-response in Org Config > Auto-Response. Revoking sessions contains the account but does not stop the flow itself, so steps 2 and 5 still apply

Supporting documentation

Microsoft: Power Automate data loss prevention policies - https://learn.microsoft.com/en-us/power-platform/admin/wp-data-loss-prevention

Microsoft: Administer Power Automate in your organisation - https://learn.microsoft.com/en-us/power-automate/organization-q-and-a

Microsoft: Monitor flows in your organisation - https://learn.microsoft.com/en-us/power-automate/monitor-manage-processes

Related risks and follow-on checks

  • Apps with risky permissions
  • Suspicious inbox rules
  • Files shared externally
  • Dormant apps