Using Outlook connector a Maker_A can create a PowerApp or Flow to carry out the following malicious actions, simply by sharing an App/Flow with User B. And all this without being detected by the User:

• Malicious App_maker_A can Read User B emails without their knowledge.
• Malicious App_maker_A can Search for a particular type of email in User B mail, such as password reset links and so forth. leading to further security breaches
• Malicious App_maker_A can Send email to Person_C on User_B behalf. This appears in User_B Sent mails. But they will only know if they know this has occurred and check their Send Mail.
• Malicious App_maker_A can Delete a particular email on User_B behalf without their knowledge

https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/connections/connection-office365-outloo...

Sure tenant admin can run administrative flows to detect the use of such malicious functions, but with thousands of growing Apps and Flows, with their hundreds of versions, how effective can such policing be?

The Power Platform is promoted for all citizens/job roles in an organization. We are encouraging makers and users to be innovative and automate. They trust that the platform is robust enough to not allow such breach of email privacy.

Such adverse possibilities should be prevented inherently in the platform, either by a) by not using the end-user connection but rather the makers.  b) limiting the methods allowed with the Outlook connector; Or any other other better ideas to prevent malicious use. The current possibilities with this connector is very discouraging and needs to be looked at urgently.