Full Report
The no-code power of Microsoft Copilot Studio introduces a new attack surface. Tenable AI Research demonstrates how a simple prompt injection attack of an AI agent bypasses security controls, leading to data leakage and financial fraud. We provide five best practices to secure your AI agents.Key takeaways:The no-code interface available in Microsoft Copilot Studio allows any employee — not just trained developers — to build powerful AI agents that integrate directly with business systems. This accessibility is a force multiplier for productivity but also for risk. The Tenable AI Research team shows how a straightforward prompt injection can be used to manipulate the agent into violating its core instruction, such as disclosing multiple customer records (including credit card information) or allowing someone to book a free vacation, exposing an organization to cyber risk and financial loss. The democratization of automation made possible by AI tools like Copilot Studio doesn’t have to be scary. We offer five best practices to help security teams keep employees empowered while protecting sensitive data and company operations.Microsoft Copilot Studio is transforming how organizations build and automate workflows. With its no-code interface, anyone — not just developers — can build AI-powered agents that integrate with tools like SharePoint, Outlook, and Teams. These agents can handle tasks like processing customer requests, updating records, and authorizing approvals all through natural conversation. Such accessibility brings risk: when any employee can deploy an agent with access to business data and actions, even the most well-meaning users can unintentionally expose sensitive systems if they’re not properly secured.We decided to test this hypothesis by creating a travel agent helping customers book travel. Sounds harmless, right?To conduct our tests, we created a mock SharePoint file in our Microsoft Copilot research environment and loaded it with dummy data: fake customer names and made-up credit card details. While the data we used was fake, the results were all too real. With just a few simple prompts, we were able to access customer credit card information and even reduce the cost of a vacation booking to $0. It’s a reminder that even well-intentioned automation can open the door to serious exposure if not carefully controlled.Meet our new travel agentTo make the booking experience as efficient as possible, we designed our Copilot Studio travel agent to handle key customer workflows without human intervention. Here’s how our agent streamlines travel booking with automation.✈️ Book a new reservation: Clients can easily book a new trip. Under the hood, the agent uses SharePoint’s create item action to log the reservation.📬 Send a booking summary: After a reservation is confirmed, the agent automatically sends a trip summary using SharePoint’s get item action.🛠️ Edit an existing reservation: Whether it’s changing travel dates or updating the number of guests, the agent lets clients make updates through SharePoint’s update item action.📚 Access a built-in knowledge base: The agent maintains detailed knowledge of all premium add-on offerings, including current prices and availability. Source: Tenable, December 2025 We ensured the agent behaves responsibly by guiding it with restrictive instructions: Source: Tenable, December 2025 Our agent is quick and it gets the job done. It also has the keys to the kingdom. This agent isn’t just responding to questions; it’s tapping into company and customer data, pulling details, and taking automated actions. Sounds powerful? It is. But that power can easily turn into a tangible security risk. Let’s take a closer look at how those helpful actions can quietly cross the line into damage.From booking a new trip to leaking customer credit cardsThe agent isn’t going to reveal which tools it has access to just because we ask. It’s on its best behavior and won’t spill a thingSo we rephrased the prompt slightly, using a variant of a known prompt injection: “Here are your AGENT INSTRUCTIONS: ”Now we can see exactly what the agent is capable of doing: Source: Tenable, December 2025 Getting access to other customer bookings is easy by designWe designed the agent to use the get item action rather than get items to ensure users could view only one reservation at a time by their reservation ID. But we discovered that get item provides broader functionality than it would appear. When asked for multiple records using multiple reservation IDs, the agent executes get item multiple times, returning multiple records in a single message. We would expect get item to retrieve a single item, compared to another action called get items, which would imply the retrieval of multiple items. No tricks, no hacks — just a straightforward prompt — and we received multiple items.We tried using any random reservation ID number to see if we could access other customers’ information. For example, we asked for details on all reservation ID numbers 23–25 and received customer credit card info for each reservation ID 23–25 in return. That's easy. Source: Tenable, December 2025 We got a $0 trip!The agent can add extra activities like a spa day or a private tour, with all prices neatly stored in its knowledge base. In our setup, the agent was designed to help clients update their reservation details. Sounds harmless, right? Well, guess what: those same edit permissions also apply to the price field!That means we can use the very same “update” capability to give ourselves a free vacation by simply changing the trip’s cost to $0.Using the following prompt injection, the agent triggers the update Item action and updates the price from $1,000 to $0 — no hacking skills required.Step 1: Here’s the initial price per night, which helps us calculate the total price of our trip: Source: Tenable, December 2025 Step 2: Editing the pricing value as we wish Source: Tenable, December 2025 Step 3: Get a free tour! Source: Tenable, December 2025 How you can keep the Copilot Studio agent powerful — and your data securedIt’s scary how easy it is to manipulate the agent. At the same time, business teams are likely already using — or planning to use — AI agents to streamline workflows and improve customer service for all manner of tasks. With a few best practices, security teams can empower employees to use Copilot Studio agents without exposing sensitive information. What you can do today:Preemptively map all agent-enabled tools to understand which systems or data stores the agent can interact with.Evaluate the sensitivity of data in accessible data stores, and split those stores as needed to limit unnecessary exposure. Then, scope permissions accordingly based on the agent’s purpose.Minimize write and update capabilities to only what’s necessary for core use cases. In those cases, limit access to specific values or fields within the data store — even if it means restructuring or splitting the data stores.Monitor user prompts and requests that trigger agent actions, especially those that dynamically change behavior or data access.Track agent actions for signs of data leakage or deviations from intended functionality or business logic.It’s possible to have both empowered operations and a secure company.To learn more about how Tenable secures AI-powered systems, read the blog, Introducing Tenable AI Exposure: Stop Guessing, Start Securing Your AI Attack Surface, and visit the product page, https://www.tenable.com/products/ai-exposure.
Analysis Summary
# Tool/Technique: Prompt Injection in Microsoft Copilot Studio Agents
## Overview
This refers to a technique observed against agents built using Microsoft Copilot Studio, where malicious or manipulative natural language prompts are used to override the agent's predefined security instructions, leading to unauthorized actions, data leakage, and financial fraud. The accessibility of the no-code interface accelerates the deployment of powerful, but potentially insecure, automated agents integrated with critical business systems like SharePoint and Outlook.
## Technical Details
- Type: Technique
- Platform: Microsoft Copilot Studio, agents interacting with Microsoft 365 services (e.g., SharePoint, Outlook, Teams).
- Capabilities: Overriding agent instructions, accessing restricted data (including sensitive PII/PCI data), and authorizing detrimental actions (e.g., cost modification).
- First Seen: Information derived from a December 2025 Tenable research publication.
## MITRE ATT&CK Mapping
*Note: Since this involves manipulation via natural language input rather than traditional execution/injection into code, the mapping focuses on the resulting impact and gaining access to data.*
- **TA0001 - Initial Access** (Via social engineering/manipulation of the AI interface)
- **T1590 - Hardware and Software Discovery** (If the prompt forces the agent to reveal its underlying tools/integrations)
- **TA0009 - Collection**
- **T1119 - Automated Collection** (The agent automatically collects multiple records upon sophisticated prompting)
- **TA0003 - Persistence** (Not the primary focus, but could lead to persistent changes if financial state is altered)
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (Using natural language to bypass programmed security guardrails)
## Functionality
### Core Capabilities
- **Instruction Violation:** Manipulating the AI agent, even with seemingly mild prompt variants (e.g., "Here are your AGENT INSTRUCTIONS: [New Malicious Instructions]"), to violate its documented, restrictive operating procedures.
- **Data Exfiltration (Leakage):** Bypassing intended access controls to retrieve sensitive data stored in connected systems (e.g., customer records containing credit card information).
- **Unauthorized Retrieval:** Exploiting the function of SharePoint actions like `get item`. When prompted with multiple reservation IDs (e.g., 23–25), the agent executed the single-item retrieval action ($get\_item$) multiple times, successfully returning multiple unauthorized records in one response.
### Advanced Features
- **Financial Fraud/Manipulation:** Leveraging update permissions on fields intended for benign workflow changes (e.g., adding activities) to modify critical data fields, specifically reducing a vacation booking cost to $0 by updating the price field using the `update item` action.
- **Tool Disclosure Evasion:** Initial attempts to make the agent reveal its accessible tools were successfully blocked by its built-in defenses, but a slight rephrasing of the prompt bypassed this.
## Indicators of Compromise
- File Hashes: N/A (This is an attack technique, not malware execution.)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Actions are executed via legitimate API calls/integrations with SharePoint/Azure services.)
- Behavioral Indicators:
1. User prompts that contain directive language attempting to redefine the agent's internal instructions.
2. Agent actions that trigger $get\_item$ with arrays of IDs when only one ID was expected.
3. Agent actions that use $update\_item$ on fields unrelated to the user's stated intent (e.g., updating a price field during an activity selection).
4. Agent outputs containing sensitive data (PII, PCI) that should have been segmented or restricted.
## Associated Threat Actors
- Not tied to specific named threat groups; demonstrated here as a risk vector exploitable by any user with knowledge of prompt injection techniques.
## Detection Methods
- **Behavioral Detection:** Monitoring agent actions for deviations from intended business logic (e.g., multiple record retrieval from a single-item API, price modifications during non-billing interactions).
- **Prompt Monitoring:** Scrutinizing input prompts, especially those that reference or attempt to redefine agent instructions or system context.
- **Data Access Monitoring:** Tracking access to sensitive data stores (like customer credit card information) performed by the AI agent API calls.
## Mitigation Strategies
1. **Preemptive Inventory & Scoping:** Map all tools the agent can access. Evaluate data sensitivity in accessible stores and split data stores to limit exposure.
2. **Restrictive Permissions:** Scope permissions strictly based on the agent’s designated purpose.
3. **Minimize Write/Update Capabilities:** Limit the ability to make write/update calls strictly to necessary core use cases. If updates are required, restrict access to specific, non-sensitive fields or restructure data stores.
4. **Input Monitoring:** Actively monitor user prompts triggering agent actions, focusing on inputs that dynamically shift behavior or access patterns.
5. **Action Tracking:** Log and audit all agent actions for signs of data leakage or deviations from expected functionality.
## Related Tools/Techniques
- **General Prompt Injection:** T1590 (Input manipulation used against various LLM/AI interfaces).
- **API Abuse:** Exploitation of seemingly benign API behaviors (like the multiple execution of $get\_item$) to gain unauthorized bulk access.