Severity
High
Analysis Summary
Microsoft’s newly introduced Connected Agents feature in Copilot Studio, announced at Build 2025, is creating a serious security risk. Designed to allow AI agents to share functionality and reuse logic across environments, Connected Agents resembles reusable code functions, enhancing efficiency. However, this integration introduces potential attack vectors when misconfigured or deliberately weaponized, leaving critical business systems vulnerable to unauthorized access.
By default, Connected Agents is enabled for all new agents, exposing an agent’s knowledge, tools, and topics to every other agent in the same environment. Because there is no built-in way to see which agents are connected to yours, this exposure is a monitoring blind spot. Attackers are exploiting this gap by creating malicious agents that link to legitimate agents, particularly those with email-sending capabilities or access to sensitive business data.
In proof-of-concept demonstrations, threat actors successfully compromised support agents configured to send emails from official company domains. This allows attackers to launch large-scale phishing and impersonation campaigns without triggering activity logs, as the Connected Agents invocation generates zero messages in the targeted agent’s activity tab. Consequently, attackers can impersonate organizations, damage brand reputation, and trigger domain-blocking through spam, all while appearing to act from legitimate infrastructure.
To mitigate these risks, organizations should immediately audit all agents in production. Measures include disabling Connected Agents on agents with unauthenticated tools or sensitive knowledge, implementing tool authentication that requires explicit user credentials, and reviewing all knowledge sources and publishing channels. The researcher also recommends that Microsoft change the default setting to disabled, making the feature opt-in rather than requiring reactive post-publication hardening. Until comprehensive fixes are implemented, any agent with Connected Agents enabled should be treated as publicly accessible.
Impact
- Gain Access
Affected Vendors
Remediation
- Audit all agents currently in production to identify which have Connected Agents enabled.
- Disable Connected Agents on agents containing unauthenticated tools or sensitive knowledge sources before publishing.
- Implement tool authentication, ensuring sensitive actions require explicit user credentials rather than owner permissions.
- Review knowledge sources and publishing channels, verifying that only legitimate users have access to each exposed capability.
- For business-critical agents, disable Connected Agents entirely to eliminate unnecessary exposure.
- Treat any agent with Connected Agents enabled as publicly accessible until comprehensive security fixes are implemented.
- Advocate for Microsoft to change the default setting to disabled, requiring developers to opt in rather than rely on reactive hardening.
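The audit steps above applied to an agent inventory, as an added example that is not part of the advisory and not Microsoft tooling: the JSON shape (`connected_agents`, `business_critical`, `tools[].auth`, `knowledge[].sensitive`) is an assumed format you would populate by hand from the Copilot Studio agent settings, not a real export, and the three records are constructed.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory in a hypothetical JSON shape (not a Copilot Studio export format).
INVENTORY = json.loads("""
[
  {"name": "support-agent", "connected_agents": true, "business_critical": true,
   "tools": [{"name": "send_email", "auth": "owner"}],
   "knowledge": [{"name": "customer-tickets", "sensitive": true}]},
  {"name": "faq-agent", "connected_agents": true, "business_critical": false,
   "tools": [], "knowledge": [{"name": "public-docs", "sensitive": false}]},
  {"name": "hr-agent", "connected_agents": false, "business_critical": true,
   "tools": [{"name": "lookup_employee", "auth": "user"}],
   "knowledge": [{"name": "hr-records", "sensitive": true}]}
]
""")

@dataclass
class Finding:
    agent: str
    reasons: List[str]
    action: str

def audit_agent(agent: dict) -> Optional[Finding]:
    """Apply the advisory's remediation rules to one agent record."""
    if not agent.get("connected_agents", False):
        return None  # not reachable through Connected Agents; out of scope for this check
    reasons = []
    # Tools that run with the owner's permissions instead of the caller's own credentials
    unauth = [t["name"] for t in agent.get("tools", []) if t.get("auth") != "user"]
    if unauth:
        reasons.append("unauthenticated tools: " + ", ".join(unauth))
    sensitive = [k["name"] for k in agent.get("knowledge", []) if k.get("sensitive")]
    if sensitive:
        reasons.append("sensitive knowledge: " + ", ".join(sensitive))
    if agent.get("business_critical"):
        reasons.append("business-critical agent")
    if not reasons:
        # Nothing sensitive found, but the agent is still callable by any agent in the environment
        return Finding(agent["name"], ["no sensitive capability found"],
                       "treat as publicly accessible; review")
    return Finding(agent["name"], reasons, "disable Connected Agents before publishing")

def audit(inventory: list) -> List[Finding]:
    return [f for f in map(audit_agent, inventory) if f is not None]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.agent}: {f.action} ({'; '.join(f.reasons)})")
```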

