Adversaries may configure Copilot Studio AI agents to exfiltrate data by sending emails to external mailboxes, leveraging the environment to maintain persistence or steal sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration channels and mitigate insider threats.
KQL Query
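// Hunt for Copilot Studio agents whose mail-sending tools or topics are configured with a
// recipient outside the organisation's own domains - a possible exfiltration channel.
// Output: one row per agent/recipient; ToAddress, Domain, MailConnector and source say
// which connector action and which agent definition (tools vs. topics) produced the hit.
// Known blind spots:
//  - Only literal recipients are evaluated. A "To" bound to a variable or expression has an
//    empty literalValue, so Domain is empty and the row is dropped by isnotempty().
//  - OrgDomains is built from UPN suffixes in IdentityInfo; accepted mail domains or
//    sub-domains that never appear as a UPN suffix will be reported as external.
let OrgDomains =
IdentityInfo
// Lower-case so the later comparison does not depend on how the UPN was cased.
| extend domains = tolower(tostring(split(AccountUpn, "@")[1]))
| where isnotempty(domains)
| distinct domains;
// operationIds of connector actions that send mail. Duplicates are harmless (in~ is a set
// test) and are kept so each connector stays documented.
let SendOps = dynamic([
"SendEmailV2", // Office 365 Outlook
"SharedMailboxSendEmailV2",// Office 365 Outlook
"| w", // Outlook.com -- NOTE(review): this value is garbled in the source; confirm the real operationId
"SendEmailV2", // Gmail
"SendEmailV3", // SMTP
"SendEmailV3", // Mail
"SendEmailGAVersion", // Azure Communication Email
"PostAntTextEmail", // Ant Text Automation
"SendEmailV4" // SendGrid
]);
// Recipients configured on agent tools (AgentToolsDetails).
let FromActions =
AIAgentsInfo
| where RegistrySource != "A365"
// Keep only the latest snapshot of each agent so stale configurations are not reported.
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mv-expand ActionDetail = todynamic(AgentToolsDetails)
| where tostring(ActionDetail.action.operationId) in~ (SendOps)
| mv-expand ActionInput = ActionDetail.inputs
| where tostring(ActionInput.propertyName) == "To"
| extend ToAddress = tostring(ActionInput.value.literalValue)
// A "To" literal can hold several ';'-separated recipients; evaluate each one so an
// internal address listed first cannot mask an external one. TODO confirm the separator
// used by each connector - a single address still yields exactly one row.
| mv-expand Recipient = split(ToAddress, ";") to typeof(string)
| extend Recipient = trim(@"\s+", Recipient)
| extend Domain = tolower(tostring(split(Recipient, "@")[1])), MailConnector = tostring(ActionDetail.action.operationId), source = "AgentToolsDetails"
// !in~ keeps the comparison case-insensitive; mail domains are not case-sensitive.
| where isnotempty(Domain) and Domain !in~ (OrgDomains)
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, ToAddress, Recipient, Domain, source, MailConnector;
// Recipients configured inside topic dialogs (AgentTopicsDetails).
// NOTE(review): unlike FromActions there is no RegistrySource filter here - presumably
// intentional, confirm with the query owner.
let FromTopics =
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mv-expand TopicDetail = todynamic(AgentTopicsDetails)
| mv-expand TopicAction = TopicDetail.beginDialog.actions
| where tostring(TopicAction.operationId) in~ (SendOps)
// Topic bindings have been seen with both "To" and "to" as the property name.
| extend ToAddress = tostring(coalesce(TopicAction.input.binding.To.literalValue, TopicAction.input.binding['to'].literalValue))
| mv-expand Recipient = split(ToAddress, ";") to typeof(string)
| extend Recipient = trim(@"\s+", Recipient)
| extend Domain = tolower(tostring(split(Recipient, "@")[1])), MailConnector = tostring(TopicAction.operationId), source = "AgentTopicsDetails"
| where isnotempty(Domain) and Domain !in~ (OrgDomains)
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, ToAddress, Recipient, Domain, source, MailConnector;
FromActions
| union FromTopics
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns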
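id: 0d5e9f1a-2b3c-4d5e-6f7a-8b9c0d1e2f3a
name: Copilot Studio AI Agents - Sending email to external mailboxes
description: |
  This query identifies Copilot Studio AI agents configured to send emails to external mailboxes (outside the organization's domains).
  Such configurations can lead to sensitive or internal data being exfiltrated beyond organizational boundaries, creating compliance and security risks.
  Attackers could exploit this to leak confidential information or use compromised agents as a channel for data exfiltration.
  Recommended Action: Verify with the agent owner whether sending emails externally is necessary for the business scenario.
  Confirm what data is being sent and ensure the external domain is authorized to receive it. If not required, remove or restrict this capability.
  Limitations: only recipients stored as literal values are evaluated (a "To" bound to a variable or expression is not seen),
  and the organisation's domain list is derived from UPN suffixes in IdentityInfo, so mail domains that are not UPN suffixes are reported as external.
# NOTE(review): the query depends on IdentityInfo and AIAgentsInfo being populated, yet no
# connector is declared; add the appropriate connector entries (ids not given here) before deployment.
requiredDataConnectors: []
tactics:
  - Exfiltration
# NOTE(review): T1041 is "Exfiltration Over C2 Channel"; sending to an external mailbox may be
# better described by T1048 (Exfiltration Over Alternative Protocol) - confirm the mapping.
relevantTechniques:
  - T1041
query: |
  // Organisation domains, lower-cased so the later comparison is case-insensitive.
  let OrgDomains =
  IdentityInfo
  | extend domains = tolower(tostring(split(AccountUpn, "@")[1]))
  | where isnotempty(domains)
  | distinct domains;
  // operationIds of connector actions that send mail (duplicates are harmless with in~).
  let SendOps = dynamic([
  "SendEmailV2", // Office 365 Outlook
  "SharedMailboxSendEmailV2",// Office 365 Outlook
  "| w", // Outlook.com -- NOTE(review): this value is garbled in the source; confirm the real operationId
  "SendEmailV2", // Gmail
  "SendEmailV3", // SMTP
  "SendEmailV3", // Mail
  "SendEmailGAVersion", // Azure Communication Email
  "PostAntTextEmail", // Ant Text Automation
  "SendEmailV4" // SendGrid
  ]);
  // Recipients configured on agent tools (AgentToolsDetails).
  let FromActions =
  AIAgentsInfo
  | where RegistrySource != "A365"
  // Latest snapshot per agent only, so stale configurations are not reported.
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | mv-expand ActionDetail = todynamic(AgentToolsDetails)
  | where tostring(ActionDetail.action.operationId) in~ (SendOps)
  | mv-expand ActionInput = ActionDetail.inputs
  | where tostring(ActionInput.propertyName) == "To"
  | extend ToAddress = tostring(ActionInput.value.literalValue)
  // A "To" literal can hold several ';'-separated recipients; evaluate each so an internal
  // address cannot mask an external one. TODO confirm the separator per connector.
  | mv-expand Recipient = split(ToAddress, ";") to typeof(string)
  | extend Recipient = trim(@"\s+", Recipient)
  | extend Domain = tolower(tostring(split(Recipient, "@")[1])), MailConnector = tostring(ActionDetail.action.operationId), source = "AgentToolsDetails"
  // !in~ keeps the domain comparison case-insensitive.
  | where isnotempty(Domain) and Domain !in~ (OrgDomains)
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, ToAddress, Recipient, Domain, source, MailConnector;
  // Recipients configured inside topic dialogs (AgentTopicsDetails).
  // NOTE(review): no RegistrySource filter here, unlike FromActions - confirm this is intended.
  let FromTopics =
  AIAgentsInfo
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | mv-expand TopicDetail = todynamic(AgentTopicsDetails)
  | mv-expand TopicAction = TopicDetail.beginDialog.actions
  | where tostring(TopicAction.operationId) in~ (SendOps)
  // Topic bindings have been seen with both "To" and "to" as the property name.
  | extend ToAddress = tostring(coalesce(TopicAction.input.binding.To.literalValue, TopicAction.input.binding['to'].literalValue))
  | mv-expand Recipient = split(ToAddress, ";") to typeof(string)
  | extend Recipient = trim(@"\s+", Recipient)
  | extend Domain = tolower(tostring(split(Recipient, "@")[1])), MailConnector = tostring(TopicAction.operationId), source = "AgentTopicsDetails"
  | where isnotempty(Domain) and Domain !in~ (OrgDomains)
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, ToAddress, Recipient, Domain, source, MailConnector;
  FromActions
  | union FromTopics
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns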
| Sentinel Table | Notes |
|---|---|
| IdentityInfo | Ensure the data connector that populates this table is enabled; it supplies the list of organisation domains the query treats as internal |
Scenario: Scheduled Job for Report Distribution
Description: A scheduled job runs daily to send a summary report to external stakeholders via email.
Filter/Exclusion: email.to contains "[email protected]" and email.subject contains "Weekly Summary"
Scenario: Admin Task for User Onboarding
Description: An admin manually sends an onboarding email to a new external user using Copilot Studio.
Filter/Exclusion: email.from contains "[email protected]" and email.subject contains "Onboarding Email"
Scenario: Integration with External Support Portal
Description: A Copilot Studio agent is configured to send error logs or support tickets to an external support mailbox.
Filter/Exclusion: email.to contains "[email protected]" and email.body contains "Error Log"
Scenario: Automated Testing of Email Functionality
Description: A test script or CI/CD pipeline sends a test email to an external mailbox to validate email configuration.
Filter/Exclusion: email.subject contains "[Test] Email Functionality Check" and email.from contains "[email protected]"
Scenario: Collaboration with External Partners
Description: A Copilot Studio agent sends collaboration updates or shared documents to an external partner mailbox.
Filter/Exclusion: email.to contains "[email protected]" and email.body contains "Collaboration Update"