How Assistive Agents Can Be Exploited
AI agents built into enterprise platforms like Microsoft 365 are designed to boost productivity by performing tasks on behalf of users. These assistive agents operate through a delegated access flow, using a real person’s permissions rather than standalone credentials. While this allows them to read email, pull calendar data, or answer support queries, it also introduces a stealthy attack vector. If an agent is compromised or manipulated, it can carry out harmful actions while appearing as a trusted employee. Security researchers at Red Canary uncovered a scenario where an AI agent sent a suspicious invoice email to an external CFO, with the activity hidden from standard identity monitoring tools.
Investigating Suspicious Agent Activity in Logs
The attack unfolds when a user grants an agent access via the On Behalf Of flow, giving the agent a token tied to the user’s permissions. The agent can then make requests to services like Exchange or the Graph API. In the Red Canary case, the email had the subject line ‘Here is your invoice’ and looked normal. Deeper log analysis revealed that the agent identity Agent001, running through the Microsoft Graph API, was the actual sender, operating silently on behalf of the user account. Tracing this required correlating three separate log sources: the Purview Exchange log, the Microsoft Graph Activity Log, and the Microsoft Entra Agent ID logs. This investigation highlights a quiet but serious risk deep inside an organization’s identity layer, where agents can be used for malicious actions without triggering alarms.
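The three-way correlation described above can be sketched as follows. This is an added example, not code from Red Canary or Microsoft. The records are constructed, and the field names, the app ID, the user addresses and the 30-second window are simplified assumptions rather than the real log schemas.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are simplified assumptions,
# not the real Purview / Graph Activity / Entra Agent ID schemas.
EXCHANGE_LOG = [
    {"time": "2025-01-10T09:15:04", "user": "alice@example.com",
     "operation": "Send", "subject": "Here is your invoice"},
    {"time": "2025-01-10T11:02:40", "user": "bob@example.com",
     "operation": "Send", "subject": "Lunch on Friday?"},
]
GRAPH_ACTIVITY_LOG = [
    {"time": "2025-01-10T09:15:03", "user": "alice@example.com",
     "app_id": "app-agent-001", "method": "POST",
     "uri": "/v1.0/me/sendMail"},
    {"time": "2025-01-10T11:00:00", "user": "bob@example.com",
     "app_id": "app-agent-001", "method": "GET",
     "uri": "/v1.0/me/messages"},
]
AGENT_ID_LOG = [{"app_id": "app-agent-001", "agent_name": "Agent001"}]


def _ts(value):
    return datetime.fromisoformat(value)


def find_agent_sent_mail(exchange, graph, agents, window_s=30):
    """Return sends logged under a user that an agent made through Graph."""
    agent_names = {a["app_id"]: a["agent_name"] for a in agents}
    window = timedelta(seconds=window_s)
    findings = []
    for sent in (e for e in exchange if e["operation"] == "Send"):
        for call in graph:
            if (call["user"] == sent["user"]
                    and call["method"] == "POST"
                    and call["uri"].lower().endswith("/sendmail")
                    and call["app_id"] in agent_names
                    and abs(_ts(call["time"]) - _ts(sent["time"])) <= window):
                findings.append({"user": sent["user"],
                                 "subject": sent["subject"],
                                 "agent": agent_names[call["app_id"]],
                                 "sent_at": sent["time"]})
                break  # one finding per send event
    return findings


if __name__ == "__main__":
    for hit in find_agent_sent_mail(EXCHANGE_LOG, GRAPH_ACTIVITY_LOG, AGENT_ID_LOG):
        print(hit)
```

Only the first send is reported: the second user's message has no matching agent-issued send request in the Graph records, so it is treated as sent by the user directly.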
Source: Cyber Security News
