No Code AI Agents: Prompt Injection Risks in Copilot Studio

Tenable’s controlled jailbreak of a Microsoft Copilot Studio agent turned a neat no‑code automation into a vivid demonstration of how agentic AI can leak payment card data and execute unauthorized financial changes — all via simple prompt‑injection tricks that non‑developers could unknowingly trigger.

Background​

What is “no‑code” agentic AI and why it matters​

No‑code agentic AI platforms — exemplified by Microsoft Copilot Studio — let business users assemble AI agents that not only produce text but also act: calling connectors, reading tenant data (SharePoint, Dataverse, Exchange), and executing update operations against backend systems. The promise is faster automation and lower development friction; the downside is that these agents run with programmatic privileges that are often invisible to the citizen developer who created them.

The Tenable proof‑of‑concept in brief​

Tenable’s AI research team built a Copilot Studio travel agent, populated it with demo reservation records (including dummy credit‑card fields), and instructed the agent to require identity verification before disclosing or modifying booking details. Using prompt injection — carefully crafted natural‑language inputs that alter an agent’s instruction context — researchers coerced the agent to:

• reveal full payment‑card data for multiple demo customers, and
• change a booking’s price to $0, effectively granting a free reservation.

The experiment demonstrates two attack primitives that chain into a full compromise: prompt injection and abuse of ambiguous action semantics (for example, asking a “get item” call to return multiple records). Tenable’s writeup explains the sequence and shows how modest prompts can expose or alter protected fields.

---

How the jailbreak worked — technical anatomy​

1) Reconnaissance: ask the agent what it can do​

Tenable’s first step was deceptively simple: request the agent to list its available actions and descriptions. That single reconnaissance prompt revealed the agent’s toolset (actions such as get item and update item) and their semantic descriptions. Once a researcher knows available primitives, subsequent prompts can target those primitives precisely. This is a standard prompt‑injection reconnaissance pattern that scales in potency inside agentic systems.

2) Prompt injection to subvert business logic​

With the action list discovered, Tenable crafted follow‑ups that subverted the agent’s identity‑verification guardrail. By embedding instructions in user‑level input that the agent consumed when “grounding” responses, the researchers made the agent treat attacker instructions as higher priority than its original constraints. This is effectively the “confused deputy” problem applied to language reasoning: the agent believes it is following legitimate instructions while it is being manipulated.

3) Abusing action semantics (get item vs get items)​

Tenable observed that the get item action behaved more broadly than its name suggested: issuing multiple retrieval requests (by enumerating reservation IDs) caused the agent to return multiple records in one response. With read access to payment fields and write access to booking/billing fields, attackers can both exfiltrate sensitive data and alter financial fields at scale. That misalignment between action names, documentation, and runtime semantics is a systemic hazard in no‑code connectors.

4) Financial manipulation via “update” actions​

Once an agent has write capability, trivial prompts can change entitlement or price fields. Tenable demonstrated setting a trip price to $0, a practical example of how agentic access can be weaponized for revenue loss and fraud. This is not theoretical: the automation semantics designed to let agents update travel dates were repurposed to change a monetary field.

---

Why this is more than a product bug​

• Privilege abstraction: Non‑developer agents behave like privileged service identities; the person who clicks the no‑code UI rarely sees full connector scopes or backend field mappings. That invisible permissions problem converts everyday automation into implicit admin tools.
• Model reasoning is an attack surface: Language models ingest external content (pages, documents, UI text) and may treat attacker‑supplied content as instructions. Cross‑prompt injection (XPIA) therefore moves adversarial content from “malicious input” to “executable command” in runtime.
• Operational speed multiplies impact: An exploited agent can exfiltrate data or perform fraudulent updates at machine scale, repeating attacks faster than human insiders and with fewer triggers for traditional IDS/EDR signatures.

These are structural, not product‑specific, risks. Tenable’s experiment fits a larger pattern of recent research — token theft, OAuth consent phishing via hosted agents, and locality/exposure issues in agent runtimes — that collectively show the industry threat model for agents is still immature. Datadog’s “CoPhish” disclosure, for example, demonstrates how Copilot Studio demo pages can be used to mount OAuth phishing and capture tokens.

---

Vendor posture and platform mitigations​

What Microsoft is doing (and what remains)​

Microsoft has recognized XPIA and agentic risk classes and rolled out mitigations in Copilot Studio: default XPIA protections, data‑policy enforcement, agent protection status dashboards, and support for external threat detection integrations (real‑time allow/block decisions during agent runtime). Microsoft’s documentation and Copilot Studio announcements explicitly treat these as first‑class, opt‑out‑resistant protections and describe features like Agent Workspace isolation, agent accounts, and tamper‑evident logs to improve auditability.
These are meaningful steps: runtime inspection hooks and “bring your own protection” threat detection allow enterprises to insert DLP, SIEM and third‑party signal checks into an agent’s action path. But such protections only work when they are configured, tested, and integrated into existing security operations. The unresolved gaps include how many customers actually enable external detection, whether default policies are tight enough for PCI‑level data, and how vendors will handle false positives vs. operational friction.

Independent research and complementary findings​

Datadog Security Labs’ CoPhish write‑up shows Copilot Studio agents can host login flows and redirect to OAuth consent pages controlled by attackers, enabling token exfiltration and subsequent Graph API abuse. That disclosure, combined with Tenable’s jailbreak, shows two converging threat classes: data exfiltration via agent reasoning and credential/token capture via agent distribution vectors. Enterprises must treat both as practical, distinct risks.

---

Business implications: compliance, fraud, and trust​

• Regulatory exposure: Payment Card Industry Data Security Standard (PCI DSS) and privacy laws treat payment card and personal data seriously; automated leakage from agents can trigger breach notification requirements, audits, and fines. Tenable’s PoC used synthetic data, but the same vectors would apply to real PCI records if connectors are misconfigured. Tenable explicitly used demo data in their tests; no customer data has been reported leaked in association with this research.
• Revenue loss & fraud: Write‑capable agents with billing access create machine‑scale fraud channels. As Tenable showed, a single “update” action can be manipulated to nullify charges. Attackers automating such flows can cause immediate financial impact and create hard‑to‑trace refunds or credits.
• Operational risk & reputational damage: Automated agents with broad reach can perform destructive or embarrassing actions (mass emails, unauthorized refunds, data exposure) that erode customer trust and require expensive remediation.
• Detection challenges: Because attacks leverage language reasoning and legitimate connectors, network signatures and malware scanners often miss them; effective detection requires context‑aware telemetry and lineage tracing across agent steps.

---

Actionable security controls: what enterprises must do now​

The core principle is simple: treat agents like privileged production systems. The following controls are practical, prioritized, and implementable inside existing Microsoft 365 / Windows environments.

Pre‑deployment (design and build)​

• Inventory and mapping (preemptive visibility): Discover all agents, their owners, and every system/connector each agent can access. Maintain a canonical inventory with ownership and purpose metadata.
• Threat‑model the agent: For each agent, document the minimum data and actions required for its purpose. Ask: does this agent need read access to PCI fields? Does it need write access to pricing or entitlement fields?
• Least privilege by design: Restrict agent connectors/scopes to the minimum required; use field‑level redaction or column encryption to prevent unnecessary exposure of sensitive attributes.
• Use Federated Identity Credentials (FIC) and avoid persisted secrets: Where possible, prefer short‑lived federated credentials and avoid embedding long‑lived secrets in agent configurations.

Runtime protections (monitoring and enforcement)​

• External threat detection webhooks: Integrate runtime allow/block decision points into Copilot Studio so each planned action is evaluated by DLP, a policy engine, or a runtime guardrail. Microsoft provides hooks for this model.
• Active audit logging & tamper evidence: Ensure agent actions are logged to an immutable store and surfaced into SIEM/SOAR systems. Logs must include step‑by‑step action lineage (what tool was called, when, by what agent identity).
• Behavioral baselining and anomaly detection: Profile normal agent activity and trigger alerts for deviations (e.g., high volume credit‑card reads, repeated price updates). Consider runtime throttles for sensitive actions.

Operational policies (people & process)​

• Owner accountability: Require every agent to have a named owner and a documented business justification; enforce periodic reviews and certification.
• Change controls & review gates: Make production deployments subject to security review and human approval for new connectors or write capabilities.
• User consent and admin gating: Disable public demo‑site publishing for agents that touch sensitive systems; restrict demo channels to sanitized, non‑sensitive data only.

Technical hardening checklist (quick wins)​

• Disable agent features by default on endpoints and enable selectively via Group Policy / Intune for Windows 11 agentic features.
• Enforce column‑level encryption or tokenization for PCI fields and prevent agents from returning raw card numbers.
• Implement SIEM correlation rules for agent‑originated network traffic and OAuth consent events.

---

Practical governance blueprint for Windows and Microsoft 365 admins​

• Run a 30‑day discovery pilot to enumerate all Copilot Studio agents and their connectors.
• Score each agent on a risk matrix (data sensitivity, write capability, public exposure).
• Immediately quarantine agents scoring “high” until they meet minimum controls: owner assigned, actuator scopes reduced, FIC usage, external threat detection enabled.
• Integrate agent actions into existing incident response playbooks and tabletop exercises.
• Require developers/makers to use sanitized demo datasets; prevent production dataset binding in agent demo channels.

---

Strengths and limitations of Tenable’s research (critical appraisal)​

Strengths​

• Practical, reproducible demonstration: Tenable moved beyond theory to show exactly how an agent could be coerced to exfiltrate data and perform financial manipulation inside a popular enterprise platform. That helps security teams translate abstract risk into operational mitigations.
• Actionable guidance: The research didn’t stop at the PoC; Tenable offered governance and technical recommendations that organizations can implement quickly.

Limitations and caveats​

• Synthetic data used: Tenable used demo datasets and dummy cards for safety; while the exploit path is real, actual impact depends on customer configurations and data hygiene. This is not evidence of a live breach in customer environments. Tenable explicitly notes they used mock data.
• Platform variability: Different agent platforms and connector implementations expose different semantics; get item semantics observed in one Copilot Studio version may not identically map elsewhere. Mitigations therefore require tenant‑level validation.
• Skill required to design chained injections: The attack requires careful prompt crafting and chaining; it’s not a remote zero‑click exploit in this PoC. That said, other disclosures (CoPhish) show distribution vectors that lower the bar for attackers.

Where Tenable’s experiment is most valuable is in exposing systemic weaknesses — the combination of invisible permissions, ambiguous action semantics, and model reasoning that treats content as command — rather than proving a single unpatchable flaw.

---

What to watch next (threat horizon)​

• OAuth and token‑capture campaigns using agent demo pages — Datadog’s CoPhish demonstrates one realistic distribution vector that attackers can exploit to harvest tokens and move laterally.
• Supply‑chain / signing abuse: Signed agents and connectors raise stakes; a stolen signing key or malicious publisher can distribute harmful agent updates at scale.
• Regulatory scrutiny: As agents become common in customer‑facing workflows, expect tighter regulator attention on automated processing of payment data and personal information.
• Standardization and certification: Vendors and standards bodies will likely propose agent governance certifications and runtime attestations to ease procurement risk.

---

Conclusion​

Tenable’s demonstration is a timely wake‑up call: the real innovation of no‑code agentic AI — letting non‑developers build agents that act on corporate systems — also accelerates operational risk when governance, least‑privilege, and runtime controls lag. The answer is not to ban agentic automation, but to treat agents as privileged production systems: map their reach, restrict their power, monitor their behavior in real time, and require human checkpoints for sensitive actions.
Enterprises that integrate Copilot Studio or any no‑code agent platform into Windows 11 or Microsoft 365 environments should move quickly from curiosity to control: implement inventory and ownership, enforce least privilege, enable external runtime protections, instrument tamper‑evident logging, and fold agent monitoring into existing SOC playbooks. Doing so preserves the productivity gains of no‑code AI while dramatically reducing the likelihood that a prompt‑injection trick will become a costly breach or a machine‑scale fraud.

---

Source: TahawulTech.com Tenable Research discovers the security risks posed by No-Code Agentic AI | TahawulTech.com