Hackers Exploit Copilot Studio’s New Connected Agents Feature to Gain Backdoor Access

Microsoft’s newly unveiled “Connected Agents” feature in Copilot Studio, announced at Build 2025, introduces a significant security weakness.

Attackers are already exploiting it to gain unauthorized backdoor access to critical business systems.

Connected Agents enables AI-to-AI integration, allowing agents to share functionality and reuse logic across environments.

While designed for efficiency, similar to wrapping repeated code into callable functions, the feature introduces dangerous attack vectors when misconfigured or deliberately weaponized.

Overview of the Connected Agents Security Risk

By default, Connected Agents is enabled on all new agents in Copilot Studio.

[Image: public-facing agent]

When activated, the feature exposes an agent’s knowledge, tools, and topics to ALL other agents within the same environment.


The problem: there’s no built-in visibility showing which agents have connected to yours, creating a blind spot for security monitoring.

According to Zenity Labs, attackers are exploiting this gap by creating malicious agents that connect to legitimate, privileged agents, particularly those with email-sending capabilities or access to sensitive business data.

[Image: email-sending tool]

In proof-of-concept demonstrations, Zenity Labs researchers compromised support agents configured to send emails from official company domains, enabling large-scale phishing and impersonation attacks.

Consider a support agent equipped with an email-sending tool.

An insider, or an attacker holding a compromised account, creates a backdoor agent that connects to this legitimate agent and triggers its email tool without leaving traces in the activity logs.

An invocation through Connected Agents produces no messages in the targeted agent’s activity tab, so it evades the standard audit trail.

The attacker can now send emails impersonating your company to thousands of recipients, damage brand reputation through misinformation, or get your domain blocklisted by sending spam, all while the messages appear to originate from your infrastructure.

Zenity Labs urges organizations to immediately audit agents currently in production.

Disable Connected Agents on all agents containing unauthenticated tools or sensitive knowledge sources before publishing.

[Image: simple PoC]

Implement tool authentication so that sensitive actions require the end user’s own credentials rather than running under the agent owner’s permissions.

For business-critical agents, disable the Connected Agents feature entirely.

Review all knowledge sources and publishing channels, verifying that current and future environment users legitimately require access to each exposed capability.
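The audit steps above reduce to a simple rule per agent: if Connected Agents is enabled and the agent carries a tool that runs without end-user authentication or a knowledge source classified as sensitive, the feature must be disabled (or the tool re-authenticated) before publishing. The script below is an added example, not Microsoft’s or Zenity Labs’ code, that applies that rule to an agent inventory. The inventory schema (Agent, Tool, the `auth` and `kind` labels) is a hypothetical representation you would fill from your own export of Copilot Studio agents, not a Copilot Studio file format, and the sample agents are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Tool kinds whose abuse matches the impersonation scenario in the text
# (these kind labels are assumptions of this example, not Copilot Studio names).
PRIVILEGED_TOOL_KINDS = {"send_email", "send_teams_message", "http_request"}

# Authentication modes to treat as unsafe on a reachable tool: the tool runs
# with the agent maker's (owner's) connection, or with no authentication at all.
UNSAFE_AUTH_MODES = {"owner", "none"}


@dataclass
class Tool:
    name: str
    kind: str   # e.g. "send_email", "search" (hypothetical labels)
    auth: str   # "owner", "none" or "user" (end-user credentials)


@dataclass
class Agent:
    name: str
    connected_agents_enabled: bool
    tools: list = field(default_factory=list)
    knowledge_sources: list = field(default_factory=list)
    # Set by the reviewer during the knowledge-source review step.
    sensitive_knowledge: bool = False


def assess(agent: Agent) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one agent.

    An agent with Connected Agents disabled is out of scope for this check.
    An enabled one is treated as reachable by every agent in the environment,
    because there is no visibility into which agents have connected to it.
    """
    findings: list[tuple[str, str]] = []
    if not agent.connected_agents_enabled:
        return findings
    for tool in agent.tools:
        if tool.auth not in UNSAFE_AUTH_MODES:
            continue  # runs with the end user's credentials: acceptable
        if tool.kind in PRIVILEGED_TOOL_KINDS:
            findings.append(("high",
                f"tool '{tool.name}' ({tool.kind}) runs with {tool.auth} auth and can be "
                "triggered by any agent in the environment without an activity-tab entry; "
                "switch it to user authentication or disable Connected Agents"))
        else:
            findings.append(("medium",
                f"tool '{tool.name}' runs with {tool.auth} auth; confirm it cannot be "
                "misused when called by another agent"))
    if agent.sensitive_knowledge:
        findings.append(("high",
            f"sensitive knowledge sources {agent.knowledge_sources} are exposed to all "
            "agents in the environment; disable Connected Agents before publishing"))
    return findings


def audit(agents: list[Agent]) -> dict[str, list[tuple[str, str]]]:
    """Run assess() over an inventory, keyed by agent name."""
    return {a.name: assess(a) for a in agents}


def must_disable_connected_agents(agent: Agent) -> bool:
    """The rule from the text: any unauthenticated/owner-auth tool or any
    sensitive knowledge source on an enabled agent means disable the feature."""
    return bool(assess(agent))


# Constructed inventory for demonstration (not real tenants or agents).
SAMPLE_AGENTS = [
    Agent("Support agent", True,
          tools=[Tool("Send support reply", "send_email", "owner")],
          knowledge_sources=["Ticket history (SharePoint)"], sensitive_knowledge=True),
    Agent("HR helpdesk", True,
          tools=[Tool("Policy search", "search", "none")],
          knowledge_sources=["Public HR FAQ"]),
    Agent("Finance agent", True,
          tools=[Tool("Send invoice", "send_email", "user")]),
    Agent("Hardened support agent", False,
          tools=[Tool("Send support reply", "send_email", "owner")]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_AGENTS).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for severity, msg in findings:
            print(f"  [{severity}] {msg}")
```

Note that the "Finance agent" passes even with Connected Agents enabled, because its email tool runs under the end user's credentials, which is the distinction the tool-authentication step draws; the "Hardened support agent" passes only because the feature is off, and would be flagged the moment someone re-enables it.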

Zenity Labs also recommends that Microsoft ship the feature disabled by default, so that developers opt in deliberately rather than having to harden agents reactively after publication.

Until a comprehensive fix ships, treat any agent with Connected Agents enabled as publicly accessible.
