Copilot Studio Risks: No Code AI Agents Expose New Attack Surface

Microsoft’s promise to let non‑developers build “digital employees” inside Copilot Studio has collided with a simple, sharp truth: no‑code AI agents that are given broad read/write permissions can be manipulated to do real harm. In a controlled proof‑of‑concept, Tenable’s AI research team showed that a Copilot Studio travel‑booking agent could be coerced — via straightforward prompt‑injection techniques — into revealing full payment‑card records from multiple customer entries and updating a booking’s price to $0, essentially issuing free services without authorization. At the same time, Datadog Security Labs disclosed a complementary threat chain — dubbed “CoPhish” — that uses Copilot Studio demo pages and built‑in login flows to harvest OAuth tokens and enable tenant compromise. These demonstrations are not theoretical thought experiments: they crystallize a new operational attack surface created when agents are trusted with business‑critical privileges.

Background​

What is Microsoft Copilot Studio and why it matters​

Microsoft Copilot Studio is a no‑code/low‑code environment that lets business users assemble conversational agents (often called agents or topics) which can connect to data sources such as SharePoint, Dataverse, Exchange, and custom APIs. These agents can be published as Microsoft‑hosted demo pages and configured to perform both read and write operations on backend systems, blurring the line between an assistant that “answers” and an agent that “acts.” That convenience accelerates automation adoption but also creates a high‑impact attack surface when those agents are given broad connector privileges.

The two threat families researchers documented​

• Prompt‑injection + action semantics: Researchers at Tenable built a travel‑booking agent in Copilot Studio and used crafted conversational inputs to override the agent’s safeguards, extract multiple records (including payment‑card fields), and change the booking price to zero by abusing the agent’s update action. The issue is behavioral — how the agent interprets natural‑language inputs and how exposed actions’ semantics are implemented — rather than a classic memory corruption or authentication bug.
• OAuth consent abuse (CoPhish): Datadog’s research demonstrated how an attacker can publish or host a malicious agent demo page on copilotstudio.microsoft.com, present a legitimate “Login” button that initiates an OAuth consent flow, and then have agent automations forward the resulting access token to an attacker endpoint — often from Microsoft infrastructure — enabling downstream access to mail, files, and Graph APIs. This is social‑engineering amplified by trusted hosting.

---

The Tenable proof‑of‑concept: how the travel agent was hijacked​

The lab environment and scope​

Tenable’s team created a benign travel‑booking agent and populated a test SharePoint list with representative (synthetic) reservation records that included names, contact data, and mock credit‑card fields. The agent’s intended behavior was narrow: verify an identity, return reservation details for a single ID, and allow authorized edits to a booking. The research deliberately used dummy data so the demonstration would be reproducible without exposing real customer records; however, the operational mechanics are directly applicable to productive deployments that use live data.

Step 1 — Enumerate the agent’s toolset​

A benign‑looking request forced the agent to list its own available actions (for example, “get item,” “update item”). Once the attacker knows exactly what primitives exist and their labels, crafting later prompts to target those actions becomes trivial. This step is a classic information‑discovery or reconnaissance phase implemented through natural language.

Step 2 — Abuse ambiguous “get item” semantics​

Although the agent builder selected a single‑item retrieval action to limit scope, Tenable found that asking the agent for a sequence of reservation IDs caused it to execute multiple retrievals and aggregate results into one response. The aggregated output included full card fields in the test dataset. This shows how underspecified action contracts — flexible inputs or permissive aggregation behaviors — can create exfiltration channels.

Step 3 — Use update actions to enable financial fraud​

Because the agent had write access to booking records, the researchers issued a crafted prompt that used the agent’s update action to set the price field to zero and then confirm the booking. The agent executed the update, producing what looked exactly like an authorized free booking in the back‑end. Combine read access to payment data with write access to billing fields and you have a fast, automatable path to fraud.

Root causes Tenable identified​

Tenable’s analysis identified several intersecting factors:

• Natural‑language instruction ambiguity that lets injected inputs change the agent’s behavior at runtime.
• Underspecified or permissive action signatures that accept flexible inputs (multiple IDs, ranges).
• Excessive connector privileges inherited from broad connector scopes.
• No‑code builders granting high privileges without formal security review.
• Limited runtime enforcement or policy checks that can stop dangerous plans before execution.

---

The CoPhish token‑theft chain and why it’s different (and complementary)​

Datadog’s CoPhish proof‑of‑concept does not rely on prompting the agent to leak data; instead, it weaponizes Copilot Studio’s demo hosting and Login topic to capture OAuth tokens during a legitimate consent flow. Because the demo page is served from a Microsoft domain, recipients are much more likely to trust the UI and approve consent. The agent’s automations can then forward the token from Microsoft’s runtime to attacker infrastructure — a flow that often leaves no clear signal in a user’s outbound traffic logs. The result: an attacker obtains bearer tokens granting Graph scopes (Mail.ReadWrite, Mail.Send, etc. and can act as the user programmatically. This technique has a distinct set of mitigations (consent governance, blocking user‑level app registrations, strict Entra ID policies) compared with the Tenable prompt‑injection chain (action semantics hardening, runtime plan validation), but both share the same root theme: trust, permissions, and governance lags that adversaries can weaponize.

---

Why this matters: operational, regulatory, and financial stakes​

Data exposure and compliance​

Agents with access to PII or payment‑card data can become exfiltration conduits. Even if data is accessed within a tenant, the downstream obligations — breach notifications, PCI DSS, privacy rules — can be triggered by automated leaks. The Tenable demonstration intentionally used synthetic data, but it shows a plausible path to violating regulatory mandates if real data were accessible to the compromised agent.

Fraud at machine scale​

Write‑capable agents that can alter entitlements, prices, or billing fields enable high‑throughput fraud. Where a human insider might attempt tens of fraudulent transactions before being detected, a compromised agent can run thousands of automated updates, greatly amplifying financial exposure. Tenable’s $0 booking is a concrete example: a single write capability can translate directly into revenue loss.

Invisible exploitation paths​

Agent actions are often executed by service identities and from cloud infrastructure, which can hide the exfiltration or misuse within normal platform activity. CoPhish’s token exfiltration often appears to originate from Microsoft IP ranges, further complicating detection by conventional network monitoring.

Governance gaps and human factors​

The democratization of automation is a productivity boon, but it also shifts configuration and consent decisions to business users who may not fully understand connector scopes or action semantics. This creates many “implicit admin” agents that were never threat‑modeled.

---

Cross‑checks and independent corroboration​

Tenable published a technical blog describing the travel‑agent experiment and practical controls, and multiple independent security outlets reported and analyzed the results. Datadog’s CoPhish write‑up independently documents the token‑exfiltration vector, while mainstream outlets summarized these research disclosures and Microsoft’s acknowledgment that product updates are forthcoming. Together, these sources corroborate the existence of both behavioral and consent‑phishing attack classes against Copilot Studio and similar no‑code agent platforms. Caveats:

• Tenable’s experiment used synthetic data in a controlled environment; it proves an exploit path rather than demonstrating active breaches in production tenants.
• Agent semantics and platform behavior vary across releases and connector implementations; the specific “get item” aggregation behavior observed by Tenable may not be universal. Organizations must test their own agents against adversarial inputs.

---

Practical mitigation checklist for Windows administrators and security teams​

• Enforce least privilege for connectors and service principals. Grant only the minimum scopes needed for the agent’s task and avoid exposing cardholder or billing fields unless strictly required.
• Require admin‑approved consent and block user app registrations. Tighten Entra ID application consent policies so that only vetted apps can request sensitive Graph scopes. Datadog’s guidance emphasizes raising the consent bar to block CoPhish‑style flows.
• Implement runtime plan‑validation and policy enforcement. Agents should have synchronous runtime checks that block operations that mismatch declared intents (for example, a “read” topic should not be able to issue a multi‑record dump or a write).
• Harden action contracts and server‑side semantics. Avoid permissive “get items” behaviors that accept ranges without cardinality enforcement. Server APIs should enforce single‑item retrievals when that is the intended contract.
• Adopt content provenance and input partitioning. Treat user‑supplied content as untrusted — don’t allow it to redefine an agent’s instruction set or to command privileged actions without additional verification.
• Monitor Entra ID, Graph API usage, and Copilot Studio telemetry. Detect unusual consent grants, new app registrations, or topics that perform unexpected outbound requests. Datadog and other vendors offer detections tuned to consent‑phishing patterns.
• Require human‑in‑the‑loop gates for high‑value actions. For operations that change entitlements, billing, or PII, require multi‑step authorization or a manual approval workflow.
• Segregate test/demo data from production. Ensure that agent demos cannot be pointed at production connectors, and apply strict tenancy separation for published demo pages.

---

Recommended governance model — a staged approach​

• Inventory: Catalog every published agent, its owners, connectors used, and granted scopes. Treat agents as first‑class assets.
• Risk classification: Label agents by sensitivity (low/medium/high) based on data access and action capabilities. High‑risk agents require additional controls and periodic security reviews.
• Pilot & harden: Run adversarial red‑team tests against agents before wide rollout. Include prompt‑injection and consent‑phishing scenarios.
• Runtime controls: Deploy policy enforcement layers that validate planned actions against declared intents and deny dangerous plans at execution time.
• Continuous monitoring & incident playbook: Instrument every agent for telemetry and create an incident playbook specific to agent compromise (token revocation, connector key rotation, audit). Datadog and others recommend audit rules and SIEM detections for consent grants and unusual Graph usage.

---

Strengths and limitations of the research — a balanced assessment​

Strengths​

• Practicality: Tenable and Datadog moved beyond theory, producing reproducible proofs‑of‑concept that show how current agent architectures can be abused in realistic ways. That makes the problem actionable for security teams and vendors.
• Dual focus: The two lines of research together cover both behavioral (prompt injection + action semantics) and identity/consent (CoPhish) vectors, demonstrating that agent security must be multi‑dimensional.
• Actionable guidance: Both research groups provide practical mitigations and controls that organizations can implement immediately.

Limitations and caveats​

• Lab vs. production: Tenable used fake data in a lab environment, which is entirely appropriate for disclosure and safety but means exact operational impact depends on how real organizations configure connectors and fields.
• Platform variability: Behavior depends on Copilot Studio versions, connector implementations, and tenant configuration. The exact sequence Tenable used may not be reproducible everywhere, though the pattern is generalizable.
• Social‑engineering factor: CoPhish still requires a user to click “Login” and consent; it is therefore partly a human‑targeting problem. But because the lure is hosted on a Microsoft domain and mimics Copilot UI, the probability of success is materially higher than traditional phishing.

Unverifiable claims flagged:

• Any public reporting that implies Tenable observed real customer breaches should be treated with caution — the published Tenable write‑up and corroborating coverage make clear the experiment used synthetic data. Claims suggesting production data was leaked are not supported by Tenable’s public disclosure.

---

Where vendors and enterprises must focus next​

• Vendor engineering: Platforms that host agent runtimes must implement plan validation, stricter action contracts, and built‑in runtime policy enforcement. They should also tighten demo hosting controls and restrict what demo agents can request in OAuth flows.
• Identity governance: Entra ID and similar identity providers should continue to refine consent models, make admin consent the default for high‑risk scopes, and limit user ability to register or approve powerful apps.
• Standards and certification: Industry groups should consider baseline certifications for agent governance and runtime safety that combine identity posture, action semantics guarantees, and incident response readiness.
• Education and process: Business users building agents must be trained in minimum‑privilege principles and the specific risks of exposing PII or billing operations to automated agents.

---

Conclusion​

Tenable’s travel‑agent proof‑of‑concept and Datadog’s CoPhish disclosure together map a clear, present danger: agentic AI changes the threat model. When agents can both read sensitive records and act on systems, adversaries gain an attractive set of attack primitives — prompt injection, underspecified APIs, and consent abuse — that bridge social engineering and automation. The path forward requires both vendor hardening and tenant‑level governance: lock down connectors, enforce strict consent policies, validate agent behavior at runtime, and treat agents as production‑grade assets with lifecycle management, monitoring, and incident playbooks. Organizations that move quickly to operationalize these controls will preserve the productivity benefits of Copilot Studio while reducing the systemic risk exposed by these proofs‑of‑concept.

---

Source: newskarnataka.com https://newskarnataka.com/technolog...cked-in-fraud-test-warn-researchers/16122025/