Microsoft has published many examples of how businesses can build AI agents in Copilot Studio to automate multi-step tasks, without a human in the loop.<\/p>\n
One such example, as shared on YouTube<\/a>, is a customer service agent built by McKinsey & Co..<\/p>\n The AI agent autonomously interacts with customers, scouring internal knowledge bases and data systems to share responses to their queries.<\/p>\n Such a possibility represents a major leap for customer-facing chatbots, which, until recently, relied on rigid decision trees that broke whenever customers went off-script.<\/p>\n Thanks to this tech advancement, Gartner has predicted that agentic AI will solve 80 percent of customer problems by 2029<\/a>.<\/p>\n Microsoft Copilot Studio<\/a> has quickly become a hallmark platform for building AI agents that converse with customers.<\/p>\n Yet, researchers from Zenity, the security and governance platform provider, wanted to test how safe the customer-facing agents built on Copilot Studio are.<\/p>\n As such, the firm created a replica of McKinsey\u2019s model, hooked it to a Salesforce sandbox org, and started \u201cattacking it like it\u2019s the last agent on earth<\/a>.\u201d<\/p>\n The result, shared at DEF CON 2025, proved nothing short of remarkable. Indeed, the researchers made the agent act without human verification, reveal private knowledge and internal tools, \u00a0and share complete Salesforce CRM records.<\/p>\n Since then, the Zenity team has released a video of their attack, showcasing how it breached the AI agent, after Microsoft confirmed the injection no longer works.<\/p>\n<\/p>\n However, while this attack may fail on Copilot Studio agents today, Zenity warns that over 3,500 public-facing agents remain wide open to similar prompt injections.<\/p>\n As such, more examples of \u201cagent aijacking\u201d are just waiting to happen, and it may not be the good guys doing it next around.<\/p>\n Summing up, Michael Bargury, Co-Founder & CTO of Zenity, stated:<\/p>\n Agent aijacking is not a vulnerability you can fix. It\u2019s inherent to agentic AI systems, a problem we\u2019re going to have to manage.<\/p>\n If businesses can\u2019t manage this vulnerability while granting AI agents access to internal systems, they risk large-scale data breaches.<\/p>\n Indeed, the demo highlights how AI agents, without an overarching governance structure, can turn into data extraction tools, attacking CRMs, internal communications, and billing information.<\/p>\n Taking note of this, David Villalon, Co-founder & CEO of Maisa, warned on LinkedIn<\/a>:<\/p>\n For enterprises rushing to deploy autonomous AI: this is your warning. Every autonomous agent with data access is a potential attack vector. The convenience of \u201cno human in the loop\u201d becomes a catastrophic vulnerability when security fails.<\/p>\n \u201cThe gap between AI capability and AI security keeps widening,\u201d continued Maisa. \u201cWe\u2019re building powerful autonomous systems on foundations that hackers can compromise with clever prompts.\u201d<\/p>\n Given this, Maisa suggested that it might be time for brands to reconsider what \u201cautonomous\u201d means in enterprise AI, especially regarding customer-facing use cases.<\/p>\n More Attacks on Salesforce Data<\/p>\n While the ethical attack on the Copilot-built AI agent may not have spewed out any real Salesforce records, other recent not-so-ethical attacks have.<\/p>\n Crucially, these are not the fault of Salesforce\u2019s security posture. Instead, they target the people using Salesforce\u2019s software through more conventional human-centric means.<\/p>\n The latest attack targeted Workday. As shared in a company blog post<\/a> last week, bad actors contacted employees \u201cpretending to be from human resources or IT.\u201d<\/p>\n In doing so, they stole \u201csome information from our third-party CRM platform\u201d, which Bleeping Computer has since asserted was Salesforce.<\/p>\n