Adversaries may be using Copilot Studio AI agents to exfiltrate data by sending emails with dynamically generated content, leveraging the Outlook connector to bypass traditional email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential data exfiltration attempts masked by AI-driven automation.
KQL Query
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| where IsGenerativeOrchestrationEnabled
| mvexpand Action = AgentToolsDetails
| extend OperationId = tostring(Action.action.operationId), ActionName = tostring(Action.modelDisplayName), Action
| where OperationId == "SendEmailV2"
| where isempty(Action.inputs)
| project-reorder AgentCreationTime ,AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, ActionName
id: 9e4f8a1b-2c3d-4e5f-6a7b-8c9d0e1f2a3b
name: Copilot Studio AI Agents - Sending email to AI controlled input values
description: |
This query identifies Copilot Studio AI agents using generative orchestration to send emails
via the Outlook connector where all action input values are populated dynamically by the orchestrator.
This configuration is risky because if an attacker successfully performs a prompt injection (XPIA) attack,
the agent could be manipulated to exfiltrate sensitive data to arbitrary recipients.
Recommended Action: Confirm with the agent owner whether this behavior is required and understand the business justification.
If feasible, hard-code the recipient address in the email action or apply strict validation to limit misuse.
requiredDataConnectors: []
tactics:
- Exfiltration
- Impact
relevantTechniques:
- T1041
- T1565
query: |
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| where IsGenerativeOrchestrationEnabled
| mvexpand Action = AgentToolsDetails
| extend OperationId = tostring(Action.action.operationId), ActionName = tostring(Action.modelDisplayName), Action
| where OperationId == "SendEmailV2"
| where isempty(Action.inputs)
| project-reorder AgentCreationTime ,AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, ActionName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: CreatorAccountUpn
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: AIAgentName
version: 1.0.0Scenario: Scheduled Job for Automated Reporting
Description: A scheduled job runs daily to generate a report using Copilot Studio, which then sends an email via the Outlook connector to notify stakeholders. The email content and recipient are dynamically populated by the orchestrator.
Filter/Exclusion: Exclude emails sent from scheduled jobs by checking the JobName or ScheduleID field in the event logs.
Scenario: Admin Task for User Onboarding
Description: An admin task is configured to automate the onboarding of new users, which includes sending a welcome email via Outlook using Copilot Studio. The email content and recipient are dynamically filled based on user data.
Filter/Exclusion: Exclude emails sent by admin tasks by checking the CreatedBy or TaskType field to identify system-initiated actions.
Scenario: Integration with CRM for Lead Follow-Up
Description: A Copilot Studio flow is integrated with a CRM system to automatically send follow-up emails to leads. The email content, subject, and recipient are dynamically populated by the CRM integration.
Filter/Exclusion: Exclude emails sent via CRM integrations by checking the IntegrationName or SourceSystem field in the event data.
Scenario: Data Pipeline Notification
Description: A data pipeline uses Copilot Studio to monitor data processing status and sends email notifications via Outlook to the DevOps team. All email fields are dynamically populated by the pipeline orchestration.
Filter/Exclusion: Exclude emails sent by data pipelines by checking the PipelineName or EventSource field to identify automated pipeline events.
Scenario: User-Driven Workflow with Dynamic Inputs
Description: A user initiates a workflow in Copilot Studio that sends an email to a dynamic recipient based on user input. The email content is generated dynamically by the orchestrator.
*Filter/