"Security researchers warn that Microsoft Copilot Studio Connected Agents can be abused to create stealth backdoors, enabling spoofed emails and hidden actions without clear audit logs."
Why is Copilot Studio Connected Agents suddenly a security concern?
Microsoft Copilot Studio is designed to help teams build and connect AI agents that automate work. One feature, Connected Agents, makes this easier by allowing one agent to reuse another agent's knowledge, tools, or topics inside the same environment.
However, new research shows this convenience can quietly turn into a serious security risk. When misused, Connected Agents can act as a hidden AI backdoor that attackers can use without triggering the normal logs or alerts.
What exactly are Connected Agents?
Connected Agents let developers chain AI agents together. If Agent A exposes its tools or knowledge, Agent B can call them directly. This is useful for modular design, but it also expands the attack surface.
The main issue is that this option lives under the Generative AI settings and is enabled by default for new agents. Many teams may not realize they are exposing powerful actions to every other agent in the same environment.
Why default settings matter
- Any agent in the environment can invoke exposed tools
- No extra approval is required
- Developers often assume agents are isolated
How attackers turn Connected Agents into a backdoor
Researchers at Zenity Labs demonstrated that once an attacker has tenant access, the rest is surprisingly easy. A malicious insider or a compromised guest account can create a new agent and connect it to a privileged one.
Because Connected Agents apply across the environment, the malicious agent can silently trigger sensitive tools owned by the trusted agent. Worse, these cross-agent calls often do not appear in the victim agent's activity logs.
Invisible activity is the real danger. Security teams cannot respond to what they cannot see.
Proof of concept email impersonation attack
The most alarming example involves support agents that can send email from official company mailboxes, such as a shared support address.
- The attacker creates a malicious agent
- They connect it to a legitimate support agent
- The malicious agent invokes the email sending tool
The result is high-volume email that looks fully legitimate. It originates from trusted domains and infrastructure, making it ideal for phishing, misinformation, or spam campaigns.
| Risk | Impact |
|---|---|
| Email spoofing | High trust phishing and fraud |
| Invisible logging | Delayed or missed detection |
Why this is especially dangerous at scale
If the compromised agent is connected to Power Automate flows or public triggers, even unauthenticated internet users could indirectly send email or run actions. This dramatically widens the attack surface and turns one misconfigured agent into an enterprise-wide risk.
What should security teams do right now?
Zenity Labs and other analysts recommend immediate action for any organization using Copilot Studio.
Key security steps
- Audit all production agents and list which have Connected Agents enabled
- Disable Connected Agents for sensitive or high privilege agents
- Require end user authentication for critical tools
- Limit sharing and editor access to trusted users only
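As an added example (not Zenity's tooling and not a Microsoft API), the following Python script applies the four checks above, plus the public-trigger concern from the previous section, to a constructed agent inventory. It assumes an administrator has already exported each agent's settings into a JSON list; the field names (`connected_agents_enabled`, `tools`, `end_user_auth`, `public_triggers`, `editors`), the tool-name prefixes used to mark privileged tools, and the `guest-` naming convention for guest accounts are assumptions for illustration.

```python
"""Flag risky Copilot Studio agents in an exported inventory.

Added example, not code from the article, Zenity Labs, or Microsoft.
Assumes an administrator has exported each agent's settings to a JSON list
with the (hypothetical) field names used below.
"""
import json

# Tool name prefixes treated as "high privilege" for this example: anything
# that sends mail or touches CRM/ERP/finance systems (assumed naming).
PRIVILEGED_TOOL_PREFIXES = ("email.", "crm.", "erp.", "finance.")

# Assumed convention: guest (external) editor accounts carry a "guest-" prefix.
GUEST_PREFIX = "guest-"

# Constructed sample export for demonstration; not real tenant data.
SAMPLE_EXPORT = json.dumps([
    {"name": "Support Agent", "connected_agents_enabled": True,
     "tools": ["email.send", "kb.search"], "end_user_auth": False,
     "public_triggers": ["anonymous-web-chat"],
     "editors": ["alice", "guest-contoso"]},
    {"name": "HR FAQ", "connected_agents_enabled": True,
     "tools": ["kb.search"], "end_user_auth": True,
     "public_triggers": [], "editors": ["bob"]},
    {"name": "Finance Assistant", "connected_agents_enabled": False,
     "tools": ["erp.create_invoice"], "end_user_auth": True,
     "public_triggers": [], "editors": ["carol"]},
])


def is_privileged(tool):
    """True if the tool name starts with one of the privileged prefixes."""
    return tool.startswith(PRIVILEGED_TOOL_PREFIXES)


def audit_agent(agent):
    """Return finding codes for one agent, mirroring the article's checks."""
    findings = []
    privileged = [t for t in agent["tools"] if is_privileged(t)]
    connected = agent["connected_agents_enabled"]

    # Checks 1 and 2: Connected Agents left on for an agent holding privileged
    # tools means any other agent in the environment can invoke them.
    if connected and privileged:
        findings.append("connected_agents_exposes_privileged_tools")
    # Check 3: privileged tools should require end-user authentication.
    if privileged and not agent["end_user_auth"]:
        findings.append("privileged_tools_without_end_user_auth")
    # Scale risk: public or unauthenticated triggers on a connected agent.
    if connected and agent["public_triggers"]:
        findings.append("connected_agent_reachable_from_public_trigger")
    # Check 4: editor access granted to guest accounts.
    if any(e.startswith(GUEST_PREFIX) for e in agent["editors"]):
        findings.append("guest_editor_access")
    return findings


def severity(findings):
    """Collapse findings into one triage level (example policy)."""
    if "connected_agents_exposes_privileged_tools" in findings:
        return "high"
    return "medium" if findings else "low"


def audit_export(export_json):
    """Map agent name -> (severity, findings) for every agent in the export."""
    report = {}
    for agent in json.loads(export_json):
        found = audit_agent(agent)
        report[agent["name"]] = (severity(found), found)
    return report


if __name__ == "__main__":
    for name, (level, found) in sorted(audit_export(SAMPLE_EXPORT).items()):
        print(f"[{level:6}] {name}: {', '.join(found) or 'no findings'}")
```

The ordering of the checks matters for triage: an agent that still has Connected Agents switched on while holding an email or ERP tool is rated high regardless of its other settings, because that is the exact combination the Zenity proof of concept relies on. An agent with the same privileged tool but Connected Agents disabled and end-user authentication required (the Finance Assistant in the sample) produces no findings.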
Microsoft also provides governance and monitoring tools that should be enabled wherever possible, especially for AI agents tied to email, CRM, ERP, or financial systems.
Frequently asked questions
Is this a Microsoft bug?
No. The feature works as designed, but the default settings and lack of visibility create security blind spots.
Are all Copilot Studio users affected?
Only tenants using Connected Agents are at risk, but the feature is enabled by default for new agents.
Can third party security tools help?
Yes. Platforms like Zenity provide visibility into cross-agent behavior that native logs may miss.

