Power Automate Flow Created: Automation Abuse & Data Exfiltration Risk

Why this risk matters

Power Automate is Microsoft's workflow automation platform, deeply integrated with Microsoft 365. It allows users to create automated flows that connect services, move data, send emails, and trigger actions across the tenant. This capability is powerful for legitimate productivity use — and equally powerful for data exfiltration, persistence, or bypassing security controls.

Overe detects when a new Power Automate flow is created. This is not because every flow is suspicious, but because flows created by compromised accounts or malicious insiders can establish persistent data pipelines that continue operating even after a password reset or session revocation.

A flow that copies all new email attachments to an external service, sends a daily digest of calendar events outside the organisation, or exports SharePoint document changes to a third-party webhook is a data exfiltration tool that runs without any further user interaction.

What happens if this is abused

  • Attacker creates a flow from a compromised account that continuously forwards email attachments to an external email address, establishing a persistent exfiltration channel that survives password resets
  • Flow created to export OneDrive or SharePoint file changes to external cloud storage, programmatically exfiltrating documents as they are created or modified
  • Admin or high-privilege account used to create a flow that automatically exports messages from specific mailboxes, Teams channels, or shared mailboxes to an attacker-controlled webhook
  • Calendar data, contact lists, or internal meeting notes automatically synced to a personal or attacker-controlled account on a scheduled basis
  • Flow configured with an overnight or weekend schedule to operate outside normal monitoring windows, reducing the chance of detection during active review periods
  • Flow survives password reset and session revocation because it runs as a background application with delegated permissions, not an interactive user session
  • Insider creates a flow that quietly extracts business data on a recurring schedule before departing, using their legitimate permissions to avoid DLP alerts

When this is expected or acceptable

Power Automate is widely used for legitimate business purposes — approvals, notifications, data synchronisation, and process automation. The detection of a new flow does not indicate a problem on its own.

What warrants investigation is the destination, the data being processed, and the account that created the flow. A flow created by an admin to automate an approval process is different from a flow created outside business hours by a user with no automation history, connecting to a personal email address or external webhook.

Checks to perform before taking action

Before responding to a Power Automate flow alert:

  • Identify who created the flow and whether automation activity is consistent with their role
  • Review what the flow does — what triggers it, what data it accesses, and where it sends output
  • Check whether the flow connects to any external services or destinations outside the organisation
  • Review the account for other indicators of compromise — sign-in anomalies, forwarding rules, or unusual file access
  • Confirm with the user or their manager whether the flow was intentionally created for a business purpose
  • Check whether the flow has been run since creation and what output it has produced

Safe remediation steps

  1. Use Overe to review new Power Automate flows created across the tenant, prioritising flows with external connectors
  2. For flows created by potentially compromised accounts, disable the flow immediately and investigate the account
  3. For flows with external destinations, confirm with the account owner that the destination is legitimate and approved
  4. Review organisational Power Automate data loss prevention policies to restrict high-risk connector types
  5. For confirmed malicious flows, delete them and assess what data was transferred
  6. Overe can automatically revoke sessions when a Power Automate Flow Created alert fires — configure auto-response in Org Config > Auto-Response

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Enable Unified Log — Manages the Audit Log which records user and admin activity and is required for Overe to monitor and detect anomalous activity.
  • Disable user oAuth app consent for users — Controls user consent to applications by disabling the possibility of users granting consent to apps.
  • Enable admin approval policy for app consent requests — Oversees the admin consent workflow to allow users to request access to applications that require admin consent.

Supporting documentation

Microsoft: Power Automate data loss prevention policies - https://learn.microsoft.com/en-us/power-platform/admin/wp-data-loss-prevention

Microsoft: Administer Power Automate in your organisation - https://learn.microsoft.com/en-us/power-automate/organization-q-and-a

Microsoft: Monitor flows in your organisation - https://learn.microsoft.com/en-us/power-automate/monitor-manage-processes

Related risks and follow-on checks

After investigating a Power Automate flow creation alert, review these related risk areas:

  • Apps with Risky Permissions — Power Automate connectors acquire OAuth permissions; review what permissions the connectors used by the flow hold, particularly for Mail, Files, and Directory connectors
  • Files Shared Externally — flows are commonly used to programmatically share files to external destinations; check for external sharing events from the same account around the time the flow was created
  • Suspicious Inbox Rules — email-monitoring flows and inbox rules achieve similar outcomes; a compromised account may use one or both; check for inbox rules in the same mailbox
  • Risky Inbox Forwarding Rules — flows that trigger on incoming email and forward it externally achieve the same outcome as Exchange forwarding rules, often without appearing in Exchange reports
  • Dormant Apps — flows that are no longer actively used but still hold OAuth tokens and connector authorisations represent a dormant risk similar to unused registered applications
  • External Email Forwarding Rules — check whether the account also has mailbox-level SMTP forwarding configured, as these are often created alongside automation-based exfiltration
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.