Saturday, December 13, 2025

AI agent builders, like Copilot Studio

Tenable released research detailing the successful jailbreak of Microsoft Copilot Studio. The findings underscore how the democratisation of AI creates severe, yet overlooked, enterprise risks.

Organisations are rapidly adopting “no-code” platforms to enable employees to build their own AI agents. The premise is harmless: efficiency without needing developers. While well-intentioned, automation without strict governance opens the door to catastrophic failure.

To demonstrate how easily AI agents can be manipulated, Tenable Research created an AI travel agent in Microsoft Copilot Studio to manage customer travel reservations, including creating new reservations and modifying existing ones, all without human intervention. The AI travel agent was provided with demo data that included the names, contact information, and credit card details of demo customers and was given strict instructions to verify the customer’s identity before sharing information or modifying bookings.

Beyond traditional threats, AI is also being used to flood organizations with synthetic content, including poisoned AI models, vulnerable open-source modules, and invisible backdoors in otherwise legitimate workflows. These subtle, automated threats blur the boundaries between genuine innovation and malicious exploitation.

The result is a cyber battlefield where attacks are faster, stealthier, and more sophisticated than ever before. As defenders adopt AI to strengthen their response, the report warns that the arms race between attackers and enterprises is escalating—demanding a rethinking of cybersecurity strategies for the AI era.

The researchers loaded the system with demonstration customer records. These records included names, contact details and credit card information.

They configured the agent with explicit rules. The agent had to verify a customer's identity before sharing any information or changing a booking.

Tenable then attempted to subvert the agent using a prompt injection technique. Prompt injection supplies crafted text that the model treats as instructions, so that it sits alongside or overrides the rules the operator configured for the AI system.

The researchers said they successfully hijacked the agent's workflow. They booked a free holiday and extracted sensitive payment card data.

The company said this illustrated how an AI agent designed for routine customer service could become a channel for fraud and data exposure.

The findings of this research could have significant business implications, including:

Data Breaches and Regulatory Exposure: Tenable Research coerced the agent into bypassing identity verification and leaking other customers' payment card information. The agent, designed to handle sensitive data, was easily manipulated into exposing full customer records.

Revenue Loss and Fraud: Because the agent had broad "edit" permissions intended for updating travel dates, it could also be manipulated into changing critical financial fields. Tenable Research successfully instructed the agent to change a trip’s price to $0, effectively granting free services without authorisation.
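Both failures above, the bypassed identity check and the over-broad "edit" permission, are controls that belong in the tool layer rather than in the agent's natural-language instructions. The following Python sketch is an added example, not Copilot Studio code or Tenable's, using constructed demo data and assumed names (ToolGateway, EDITABLE_FIELDS, mask_card): identity verification is a deterministic code path, the update tool can only touch the date field, and card numbers are masked before anything reaches the model.

```python
# Constructed demo record, not real customer data (assumed shape).
RESERVATIONS = {
    "R-1001": {"customer": "Alice Demo", "phone": "555-0100",
               "card": "4111111111111111", "price": 1200.0, "date": "2026-03-01"},
}

# Fields the booking-update tool may touch. "price" is deliberately absent:
# a tool scoped to changing travel dates must not be able to change money.
EDITABLE_FIELDS = {"date"}

def mask_card(pan: str) -> str:
    """Return only the last four digits; the model never sees a full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]

class ToolGateway:
    """Deterministic checks between the model and the data (assumed name)."""

    def __init__(self) -> None:
        self.verified = set()  # reservation ids whose holder proved identity

    def verify_identity(self, res_id: str, phone: str) -> bool:
        # A code path, not an instruction: injected text cannot flip this flag.
        rec = RESERVATIONS.get(res_id)
        if rec is not None and rec["phone"] == phone:
            self.verified.add(res_id)
            return True
        return False

    def get_reservation(self, res_id: str) -> dict:
        if res_id not in self.verified:
            return {"error": "identity not verified"}
        rec = dict(RESERVATIONS[res_id])
        rec["card"] = mask_card(rec["card"])  # masked copy, stored value untouched
        return rec

    def update_reservation(self, res_id: str, changes: dict) -> dict:
        if res_id not in self.verified:
            return {"error": "identity not verified"}
        blocked = set(changes) - EDITABLE_FIELDS
        if blocked:  # e.g. a request to set price to 0 is refused here
            return {"error": f"not editable by this tool: {sorted(blocked)}"}
        RESERVATIONS[res_id].update(changes)
        return {"ok": True, "reservation": self.get_reservation(res_id)}

if __name__ == "__main__":
    gw = ToolGateway()
    print(gw.update_reservation("R-1001", {"price": 0}))  # refused: unverified
    gw.verify_identity("R-1001", "555-0100")
    print(gw.update_reservation("R-1001", {"price": 0}))  # refused: field not editable
    print(gw.update_reservation("R-1001", {"date": "2026-04-01"}))  # allowed, card masked
```

The point is that the model's output is only ever a request; whether the request is honoured is decided by code whose rules no prompt can rewrite.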

“AI agent builders, like Copilot Studio, democratise the ability to build powerful tools, but they also democratise the ability to execute financial fraud, thereby creating significant security risks without even knowing it,” said Keren Katz, Senior Group Manager of AI Security Product and Research at Tenable. “That power can easily turn into a real, tangible security risk.”

By Aaradhay Sharma
