Zenity Labs has published research confirming that threat actors are actively exploiting a feature called Connected Agents in Microsoft Copilot Studio — a capability introduced at Build 2025 that allows AI agents to communicate with, and invoke, other agents within the same environment. The vulnerability is not a flaw in the conventional sense: the feature works exactly as designed. The problem is that it is enabled by default on every new agent, with no administrator approval required for connections, and invocations of connected agents generate zero audit records in the invoked agent's activity log. Security teams have no native visibility into whether a rogue agent is piggy-backing on a trusted one.
The attack scenario is straightforward and high-impact. An attacker with basic tenant access — a compromised employee credential, an OAuth token harvested via a phishing campaign, or a third-party integration with excessive permissions — deploys a malicious agent. That agent connects silently to a legitimate, published agent such as a customer service bot or internal HR assistant. From there, it can impersonate the organisation, exfiltrate knowledge base content, conduct phishing campaigns that appear to originate from trusted internal systems, or establish a persistent foothold invisible to conventional monitoring. Zenity's broader research context makes the scale clear: the average enterprise now runs 79,602 low-code and agentic applications, 84% of Copilot Studio copilots contain security vulnerabilities, and 63% are overshared — meaning they are accessible far beyond their intended audience.
Microsoft's current recommendation is for administrators to manually disable the Connected Agents feature on any agent that uses unauthenticated tools or accesses sensitive knowledge sources. This is technically sound advice but practically optimistic. In most organisations — particularly those served by an MSP that built and published agents without a formal security review — there is no inventory of which agents exist, what features are enabled, or which knowledge sources they can reach. The attack surface is invisible because the tooling to see it was never put in place.
The business exposure is significant. A compromised support agent with CRM access represents immediate customer data liability under UK GDPR and, for organisations in scope, DORA. The absence of audit logs means a breach may not be detectable within the 72-hour notification window. Directors who hold IT responsibility should ask a specific question of their MSP or IT team this fortnight: can you show me an inventory of every published Copilot Studio agent in our environment, confirm which features are enabled, and confirm that Connected Agents has been reviewed? If the answer is uncertain, that uncertainty is itself a material risk.
MCP Server Prompt Injection: From Research to Active Exploitation
Model Context Protocol (MCP) servers — the connective tissue between AI agents and the tools they use — are now a confirmed attack vector. CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145 documented three chained vulnerabilities in the official Anthropic Git MCP server (path validation bypass, unrestricted git_init, and argument injection in git_diff). Separately, the MCPTox benchmark found that o1-mini, one of OpenAI's more capable reasoning models, achieved a 72.8% attack success rate against MCP-targeted prompt injection. MITRE ATLAS v5.4.0 (February 2026) added "Publish Poisoned AI Agent Tool" as a formal technique, acknowledging the industrialisation of this attack class.
The attack logic is elegant and dangerous: because LLMs follow tool descriptions to decide which tools to call, embedding malicious instructions in those descriptions allows an attacker to redirect agent behaviour without ever touching application code. Developers building on MCP who haven't reviewed tool description content against an injection model are exposed.
UNC6395 Confirms: OAuth Tokens Are the New Perimeter
Astrix Security's analysis of the UNC6395 campaign — initially disclosed by Google's Threat Intelligence Group — reveals that what began as a Salesforce breach via compromised Salesloft Drift OAuth tokens escalated into a multi-cloud campaign spanning Google Workspace, AWS, and Snowflake. The threat actor operated exclusively through Tor exit nodes across 180 IP addresses, harvesting AWS keys and Snowflake tokens once inside. This is non-human identity (NHI) exploitation at enterprise scale: the initial foothold was not a user credential but a service application's OAuth token — the kind of integration that is created by a developer, forgotten by IT, and never reviewed by security.
Astrix's broader research documents 13 NHI attacks across a 16-month window, and the pattern is consistent: third-party integrations accumulate excessive permissions, tokens are never rotated, and when they are compromised, the blast radius extends across every connected platform.
Halcyon's "Ransomware Gap" Survey: The Numbers Haven't Moved — They've Worsened
Halcyon's March 2026 report, The Ransomware Gap in the AI Era, finds that 78% of security leaders now say AI has made ransomware attacks more effective, while only 6% believe AI has meaningfully improved their own defences — a 13-to-1 asymmetry. Seventy-four percent say their organisation is more exposed to ransomware as a result of AI advancements. The EDR paradox persists and deepens: 98% of organisations rely on EDR as their primary ransomware defence, but only 25% of security leaders actually trust it to defend against today's attacks. The detection failure rate is telling — 49% of ransomware victims say they detected their last attack too late to prevent significant damage, despite almost all having detection tooling in place.
When the Agent Is the Vulnerability: The Copilot Studio Security Audit That Most Organisations Haven't Done
The Connected Agents vulnerability (see Lead Signal) is the sharpest current example of a structural problem across the Microsoft Copilot ecosystem. Microsoft's own security team published guidance in February 2026 — "Copilot Studio Agent Security: Top 10 Risks, Detect & Prevent" — acknowledging ten categories of misconfiguration and abuse across agent deployments. They include agents published without authentication, agents with access to SharePoint sites well beyond their functional scope, agents using sensitive knowledge connectors with no DLP controls, and agents with guest access enabled.
Zenity's research is the most current and specific signal: 84% of Copilot Studio agents in enterprise deployments contain exploitable security vulnerabilities. This is not a statistic about theoretical risk — it reflects what is running in production environments today. The organisations most exposed are those that adopted Copilot through an MSP-led M365 deployment, where agents were built quickly to demonstrate value, published to broad audiences for ease of use, and never reviewed against a security baseline.
The practical intervention is a Copilot Studio security audit: enumerate all published agents, review connected knowledge sources and data connectors, disable Connected Agents on agents accessing sensitive data, enable DLP policies for generative AI inputs and outputs, and confirm whether any agents are accessible without authentication. Microsoft Purview provides the audit capability — but only if it has been licensed and configured, which in many mid-market M365 deployments it has not been.
For finance directors and operations leaders: if your organisation uses Microsoft 365 with Copilot or Power Platform, and you have not had a specific conversation with your IT provider about agent security configuration this quarter, the probability that you have unreviewed agents with uncontrolled data access is high. That is not conjecture — the research says 84%.
EU AI Act: The August 2026 Deadline Is No Longer Distant — and NIST Just Signalled Critical Infrastructure Is Next
With the EU AI Act's full application date of 2 August 2026 now less than four months away, the compliance window for high-risk AI system operators has effectively closed. The February 2026 deadline required the European Commission to publish Article 6 classification guidelines — the mechanism by which organisations determine whether their AI systems qualify as "high-risk" and therefore subject to conformity assessments, documentation requirements, and ongoing monitoring obligations. Fines for serious violations can reach 7% of global annual turnover.
Simultaneously, on 7 April 2026, NIST released a concept note for an AI RMF Profile specifically targeting Trustworthy AI in Critical Infrastructure — a signal that the US governance apparatus is moving to extend AI risk management requirements into sectors including energy, transport, water, and healthcare. The profile will provide sector-specific guidance on risk practices for AI-enabled capabilities, and is expected to align with ISO 42001, the international standard for AI management systems.
The practical picture by maturity level: organisations with no AI governance in place have months, not years, to establish baseline documentation. Those with informal AI policies need to formalise risk categorisation and incident response. Those with ISO 27001 are well-positioned to extend their management system to cover ISO 42001 — the frameworks are deliberately aligned. For NHS and public sector bodies, the DSP Toolkit 2025-26 submission deadline is 30 June 2026; the version 8 requirements have been updated to align with ICO and NCSC guidance, including new obligations around AI-related data governance.
Enumerate every published Copilot Studio agent in your tenant. For each agent: confirm whether Connected Agents is enabled (Settings → Security → Connected Agents), audit the knowledge sources and data connectors attached, verify that authentication is required for externally accessible agents, and check whether Microsoft Purview DLP policies cover generative AI input and output channels. Where Connected Agents is on and the agent accesses CRM, HR, or financial data, disable it now and log the action as a risk mitigation decision. Use the February 2026 Microsoft Security Blog guidance ("Copilot Studio Agent Security: Top 10 Risks") as your audit checklist.
Ask your provider: "Can you give us a list of every Copilot or AI agent that has been published in our Microsoft environment, what data it can access, and whether the Connected Agents feature has been reviewed on each one?" A well-governed MSP should be able to answer this within a working day. If the response is uncertain, or if you are told this hasn't been reviewed, that is a signal about the depth of security governance in your account. The absence of an audit is not a neutral position — it means unknown agents may be running with uncontrolled access to your business data right now.
The most dangerous security gap this fortnight is not a zero-day vulnerability or a novel malware strain. It is the gap between what organisations believe their AI agents are doing and what those agents can actually be made to do by someone else. The Connected Agents research, the MCP injection findings, and the NHI sprawl data all point to the same structural problem: agentic systems inherit trust from the environments they operate in, and most organisations have not audited whether that trust is warranted. The antifragile response is not to slow down AI adoption — it is to make visibility and control of AI agents a first-class security discipline, so that each new agent deployed carries a known, bounded risk rather than an unknown one. Organisations that build that discipline now will be ahead of the regulation, ahead of the attackers, and ahead of their competitors when the next wave of agentic capability arrives.