Adversaries may use Copilot Studio AI agents to exfiltrate sensitive data through HTTP request actions that target non-HTTPS endpoints, leveraging the misconfigured communication channels to bypass network monitoring. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration attempts and mitigate the risk of information leakage.
KQL Query
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mvexpand Topic = AgentTopicsDetails
| where Topic has "HttpRequestAction"
| extend TopicActions = Topic.beginDialog.actions
| mvexpand action = TopicActions
| where action['$kind'] == "HttpRequestAction"
| extend Url = tostring(action.url.literalValue)
| extend ParsedUrl = parse_url(Url)
| extend Scheme = tostring(ParsedUrl["Scheme"])
| where isnotempty(Scheme) and Scheme != "https"
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, ParsedUrl, Url, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, Topic
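The rule logic can be checked against constructed rows before it is deployed. The following is an added example, not part of the original rule: the datatable contents, the `placeholderExpression` key, and the `RuleFlags` and `ReviewNote` columns are assumptions made for illustration.

```kql
// Constructed rows shaped like the AIAgentsInfo columns the rule reads. IDs, names, URLs,
// and the RegistrySource/AgentStatus values other than "A365"/"Deleted" are made up.
let SampleAgents = datatable(Timestamp: datetime, AIAgentId: string, AIAgentName: string,
    RegistrySource: string, AgentStatus: string, AgentTopicsDetails: dynamic)
[
    // Literal http:// URL: the case the rule exists for.
    datetime(2025-01-10), "agent-001", "plain-http", "SampleSource", "Active",
    dynamic([{"beginDialog": {"actions": [{"$kind": "HttpRequestAction", "url": {"literalValue": "http://api.example.test/upload"}}]}}]),
    // Literal https:// URL.
    datetime(2025-01-10), "agent-002", "plain-https", "SampleSource", "Active",
    dynamic([{"beginDialog": {"actions": [{"$kind": "HttpRequestAction", "url": {"literalValue": "https://api.example.test/upload"}}]}}]),
    // Upper-case scheme: exercises the case-sensitive != comparison.
    datetime(2025-01-10), "agent-003", "upper-https", "SampleSource", "Active",
    dynamic([{"beginDialog": {"actions": [{"$kind": "HttpRequestAction", "url": {"literalValue": "HTTPS://api.example.test/upload"}}]}}]),
    // URL object without literalValue (hypothetical key): nothing for parse_url to read.
    datetime(2025-01-10), "agent-004", "computed-url", "SampleSource", "Active",
    dynamic([{"beginDialog": {"actions": [{"$kind": "HttpRequestAction", "url": {"placeholderExpression": "Topic.TargetUrl"}}]}}]),
    // Same agent twice: arg_max keeps only the newer record.
    datetime(2025-01-05), "agent-005", "fixed-later", "SampleSource", "Active",
    dynamic([{"beginDialog": {"actions": [{"$kind": "HttpRequestAction", "url": {"literalValue": "http://old.example.test/"}}]}}]),
    datetime(2025-01-12), "agent-005", "fixed-later", "SampleSource", "Active",
    dynamic([{"beginDialog": {"actions": [{"$kind": "HttpRequestAction", "url": {"literalValue": "https://new.example.test/"}}]}}]),
    // Deleted agent with an http:// URL.
    datetime(2025-01-10), "agent-006", "deleted-http", "SampleSource", "Deleted",
    dynamic([{"beginDialog": {"actions": [{"$kind": "HttpRequestAction", "url": {"literalValue": "http://gone.example.test/"}}]}}]),
    // Agent from the excluded registry source.
    datetime(2025-01-10), "agent-007", "a365-http", "A365", "Active",
    dynamic([{"beginDialog": {"actions": [{"$kind": "HttpRequestAction", "url": {"literalValue": "http://a365.example.test/"}}]}}])
];
SampleAgents
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mv-expand Topic = AgentTopicsDetails   // mv-expand is the current spelling of mvexpand
| where Topic has "HttpRequestAction"
| mv-expand action = Topic.beginDialog.actions
| where action['$kind'] == "HttpRequestAction"
| extend Url = tostring(action.url.literalValue)
| extend Scheme = tostring(parse_url(Url)["Scheme"])
| extend RuleFlags = isnotempty(Scheme) and Scheme != "https"   // the rule's own filter, kept as a column
| extend ReviewNote = case(
    isempty(Url), "no literal URL, the rule cannot evaluate this action",
    Scheme =~ "https" and Scheme != "https", "HTTPS written with a non-lowercase scheme",
    "")
| project AIAgentId, AIAgentName, Url, Scheme, RuleFlags, ReviewNote
```

Compare `RuleFlags` for each surviving row against what you expect the rule to report, and use `ReviewNote` to find actions that need manual review.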
id: 7a2b6c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
name: Copilot Studio AI Agents - HTTP Requests to Non-HTTPS Endpoints
description: |
  This query identifies Copilot Studio AI agents that send HTTP requests to endpoints using non-HTTPS schemes.
  Communication over unencrypted HTTP exposes sensitive data in transit and increases the risk of interception or tampering.
  Attackers could exploit this to capture credentials, session tokens, or other confidential information, leading to data breaches or unauthorized access.
  Recommended Action: Review these agents and update all HTTP actions to use HTTPS endpoints.
  If non-secure communication is absolutely required for a specific business case, document the justification and apply compensating controls such as network-level encryption or IP restrictions.
requiredDataConnectors: []
tactics:
  - CommandAndControl
  - CredentialAccess
relevantTechniques:
  - T1071
  - T1040
query: |
  AIAgentsInfo
  | where RegistrySource != "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | mvexpand Topic = AgentTopicsDetails
  | where Topic has "HttpRequestAction"
  | extend TopicActions = Topic.beginDialog.actions
  | mvexpand action = TopicActions
  | where action['$kind'] == "HttpRequestAction"
  | extend Url = tostring(action.url.literalValue)
  | extend ParsedUrl = parse_url(Url)
  | extend Scheme = tostring(ParsedUrl["Scheme"])
  | where isnotempty(Scheme) and Scheme != "https"
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, ParsedUrl, Url, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, Topic
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorAccountUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
version: 1.0.0
Scenario: Admin performs a diagnostic check using Microsoft Graph API via HTTP for troubleshooting
Filter/Exclusion: destination_port != 443 or process.name != "Microsoft Graph API Diagnostic Tool"
Scenario: Scheduled job runs a legacy integration test using HTTP to a non-HTTPS endpoint for compatibility
Filter/Exclusion: process.name contains "LegacyIntegrationTest" or destination_ip in (192.168.1.100, 10.0.0.50)
Scenario: Development team uses Postman to manually test a Copilot Studio agent’s HTTP endpoint during local development
Filter/Exclusion: process.name contains "Postman" or source_ip in (192.168.1.20, 10.0.0.15)
Scenario: System health check script sends HTTP request to internal monitoring endpoint for status updates
Filter/Exclusion: process.name contains "SystemHealthCheck" or destination_host contains "internal-monitoring"
Scenario: CI/CD pipeline runs a build validation step that uses HTTP to communicate with a non-HTTPS artifact server
Filter/Exclusion: process.name contains "CI/CD-ValidateBuild" or destination_host contains "artifact-server.example.com"