MITRE ATT&CK® Analytic

AN1054: Analytic 1054

Monitor for creation of new Power Automate flows or equivalent automation scripts that trigger on user or file events. Detect anomalous actions performed by these automations, such as email forwarding, anonymous link creation, or unexpected API calls to external endpoints.

Enterprise | AN1054 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because office-suite automation can turn routine collaboration events into persistent business-risk actions. New Power Automate flows or similar automations that react to user or file events may be legitimate, but they can also create hard-to-notice pathways for email forwarding, anonymous sharing links, or outbound API activity. Leaders should treat this as an identity, SaaS governance, and SOC visibility question: who can create automations, what they are allowed to do, and whether the organization can see suspicious automation-driven behavior quickly.

Executive priority

Prioritize validation of office-suite automation governance and monitoring where sensitive email, files, or collaboration workflows support business operations. The key decision is whether automation privileges and logging are sufficient to prove control during an incident or audit. This is especially relevant for compliance evidence, data exposure risk, and incident response readiness because automation may perform actions under trusted user or service context.

Technical view

For Office Suite environments, SOC and detection teams should confirm visibility into creation of new Power Automate flows or equivalent automation scripts, especially those triggered by user or file events. Review whether telemetry can connect the automation object, creator, trigger, target resource, and subsequent actions such as email forwarding, anonymous link creation, or unexpected external API calls. Because ATT&CK does not provide a separate detection implementation for this analytic, local baselining is required to distinguish approved business workflows from anomalous or risky automation.

Likely telemetry

  • Office suite audit logs for automation or flow creation
  • Power Automate or equivalent automation platform activity logs
  • User identity and authentication logs tied to automation creation and execution
  • Email forwarding configuration and message-handling audit events
  • File sharing and anonymous link creation audit events

Detection direction

  • Alert or hunt for newly created automations that trigger on user or file events and immediately perform sensitive actions.
  • Correlate automation creation with subsequent email forwarding, anonymous link generation, or external API calls.
  • Baseline expected automation creators, connectors, destinations, and business processes to reduce false positives from approved workflows.
  • Validate whether logs identify both the creator and the executing automation context; missing linkage is a major blind spot.
  • Review external endpoints and connectors used by automations for novelty, rarity, or policy violations.
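To make the detection direction above concrete, the following is an added example, not code from the ATT&CK object or from Glexia's analysis. It correlates event-triggered flow creations with the follow-on actions the analytic names (email forwarding, anonymous link creation, external API calls) and applies a local baseline of approved creators and approved API hosts. The records, their field names (CreationTime, Operation, UserId, FlowId, Trigger, Target), the operation names and the baseline values are constructed assumptions in a simplified audit-log style, not a platform schema, and the one-hour window stands in for the "immediately" in the first bullet. It also separates actions the log ties directly to a flow from actions that can only be inferred from the same actor inside the window, which is the creator-to-execution linkage gap called out above.

```python
# Added example (not MITRE or Glexia code). Field names, operation names and
# baseline values are constructed assumptions, not a real audit-log schema.
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Follow-on operations the analytic calls out, mapped to the risk they represent.
SENSITIVE_OPS = {
    "Set-Mailbox": "email forwarding",
    "New-InboxRule": "email forwarding",
    "AnonymousLinkCreated": "anonymous link creation",
    "HttpRequest": "external API call",
}
# Local baseline (assumed values): creators and API hosts approved for automations.
APPROVED_CREATORS = {"svc-approved@example.com"}
APPROVED_HOSTS = {"api.example.com"}
# Words that mark a trigger as firing on user or file events (assumed naming).
EVENT_TRIGGER_WORDS = ("file", "email", "item")
WINDOW = timedelta(hours=1)  # how soon after creation an action counts as "immediate"

# Constructed sample records: three flows plus noise, deliberately out of order.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-01T09:03:00", "Operation": "HttpRequest",
     "UserId": "alice@example.com", "FlowId": "flow-001",
     "Target": "https://collector.example.net/upload"},
    {"CreationTime": "2024-05-01T09:00:00", "Operation": "CreateFlow",
     "UserId": "alice@example.com", "FlowId": "flow-001",
     "Trigger": "When a file is created"},
    {"CreationTime": "2024-05-01T09:01:00", "Operation": "FileDownloaded",
     "UserId": "alice@example.com", "FlowId": "flow-001"},
    {"CreationTime": "2024-05-01T10:00:00", "Operation": "CreateFlow",
     "UserId": "bob@example.com", "FlowId": "flow-002",
     "Trigger": "When a new email arrives"},
    # Mailbox change with no flow id: only the actor and timing link it to flow-002.
    {"CreationTime": "2024-05-01T10:20:00", "Operation": "Set-Mailbox",
     "UserId": "bob@example.com", "FlowId": None,
     "Target": "ForwardingSmtpAddress=ext@mail.example.org"},
    {"CreationTime": "2024-05-01T11:00:00", "Operation": "CreateFlow",
     "UserId": "svc-approved@example.com", "FlowId": "flow-003",
     "Trigger": "When a file is created"},
    {"CreationTime": "2024-05-01T11:05:00", "Operation": "AnonymousLinkCreated",
     "UserId": "svc-approved@example.com", "FlowId": "flow-003"},
    # Forwarding change with no preceding flow creation by this user: not correlated.
    {"CreationTime": "2024-05-01T12:30:00", "Operation": "Set-Mailbox",
     "UserId": "carol@example.com", "FlowId": None,
     "Target": "ForwardingSmtpAddress=other@mail.example.org"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def is_event_trigger(trigger):
    """True when the trigger name indicates a user- or file-event trigger."""
    name = trigger.lower()
    return any(word in name for word in EVENT_TRIGGER_WORDS)


def external_host(target):
    """Host of an HTTP target when it is not on the approved list, else None."""
    host = urlparse(target).hostname
    return host if host and host not in APPROVED_HOSTS else None


def correlate(events, window=WINDOW):
    """Return findings linking event-triggered flow creations to sensitive actions."""
    creations = []  # (time, flow_id, creator) for event-triggered flows seen so far
    findings = []
    for rec in sorted(events, key=_ts):
        op = rec["Operation"]
        if op == "CreateFlow":
            if is_event_trigger(rec.get("Trigger", "")):
                creations.append((_ts(rec), rec["FlowId"], rec["UserId"]))
            continue
        if op not in SENSITIVE_OPS:
            continue
        when = _ts(rec)
        for created, flow_id, creator in creations:
            if not created <= when <= created + window:
                continue
            if rec.get("FlowId") == flow_id:
                linkage = "direct"     # the log ties the action to the flow itself
            elif rec.get("FlowId") is None and rec["UserId"] == creator:
                linkage = "inferred"   # only actor and timing connect them (blind spot)
            else:
                continue
            host = external_host(rec.get("Target", "")) if op == "HttpRequest" else None
            outside_baseline = creator not in APPROVED_CREATORS or host is not None
            findings.append({
                "flow_id": flow_id, "creator": creator, "operation": op,
                "risk": SENSITIVE_OPS[op], "linkage": linkage,
                "external_host": host,
                "severity": "high" if outside_baseline else "low",
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run as a script, it reports three findings: flow-001 (direct linkage, unapproved external host, high), flow-002 (inferred from the same actor because the mailbox change carries no flow id, high) and flow-003 (direct, approved creator, low). The linkage field deserves as much attention as severity: "inferred" findings are exactly the cases where missing creator-to-execution linkage would otherwise hide the action, and a baseline that suppresses everything by an approved creator would still have let the anonymous link through unreviewed.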

Mitigation priorities

  • Inventory who can create office-suite automations and which connectors or actions they can use.
  • Restrict high-risk automation capabilities such as anonymous sharing, forwarding, or external API calls where business need is not established.
  • Require governance review for automations that touch sensitive mailboxes, files, or external destinations.
  • Ensure audit logging is enabled and retained for automation creation, execution, sharing, and policy changes.
  • Include office-suite automation artifacts in incident response collection and compliance evidence procedures.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Office Suite platforms focused on monitoring creation and behavior of Power Automate flows or equivalent automation scripts. No tactic, technique relationship, procedure example, or official detection logic was supplied, so the take emphasizes validation questions, telemetry requirements, and conservative control priorities rather than asserting specific adversary behavior.

This assessment is limited to the official STIX fields, external reference, and absence of relationship context provided. It does not establish active exploitation, attribution, prevalence, or guaranteed detection coverage. Local platform configuration, licensing, audit retention, connector usage, and business-approved automation patterns are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 1054

Monitor for creation of new Power Automate flows or equivalent automation scripts that trigger on user or file events. Detect anomalous actions performed by these automations, such as email forwarding, anonymous link creation, or unexpected API calls to external endpoints.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3852e53f4087793e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 3852e53f4087…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1054 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.