Microsoft Entra AI Agents Pose Risk When Acting on Behalf of Users
Security researchers have identified a significant risk where AI assistive agents within Microsoft Entra ID can be manipulated to perform malicious actions while impersonating legitimate users.

The investigation, detailed by Red Canary, examines AI assistive agents (also called interactive agents) in Microsoft Entra ID that act on behalf of users through delegated access. Because such an agent operates with the user's own permissions, a compromised or misused agent can carry out malicious activity, such as sending fraudulent email, while its actions look like those of a trusted employee and are hard to separate from legitimate user activity.
The core of the issue lies in the 'On Behalf of' flow, in which a user grants an AI agent permission to perform actions. Upon consent, the agent receives a token carrying the user's delegated permissions, which lets it call Microsoft services such as Exchange and the Microsoft Graph API with the user's existing privileges. This mechanism, intended for productivity, becomes an avenue for abuse if the agent is compromised or misused. The specific scenario detailed involved an AI agent sending a suspicious invoice-related email to an external contact, an action that, on the surface, appeared to originate from a legitimate employee.
Analysis of the suspicious email revealed that the true sender was the agent, identified as Agent001 and operating through the Microsoft Graph API. Standard monitoring could easily overlook such an event, because the email's metadata initially pointed only to a Microsoft-owned IP address rather than to the agent or the place it ran from. Only deeper forensic analysis, correlating several log sources, uncovered the true nature of the activity.
Detecting this kind of agentic activity requires correlating three log sources: the Purview Exchange audit log, the Microsoft Graph Activity log, and the Entra non-interactive sign-in log. The Purview record shows the Send operation but a misleading source IP; its AppAccessContext.UniqueTokenId value identifies the token that was used, and pivoting on that token identifier into the Microsoft Graph Activity log reveals the actual originating IP address and the specific API calls made. The non-interactive sign-in log for the same token confirms the 'On Behalf of' flow and the agent identity behind it, providing the final piece of context.
Key indicators in the sign-in log are the Agent.agentType and Agent.agentSubjectType fields, which do not label anything as malicious but do show that an agent, rather than the user directly, authenticated. Earlier still, the consent event in AuditLogs carrying the access_agent scope is the first sign that a user has granted an agent delegated permissions. The researchers emphasize that defenders should replicate these scenarios in a test tenant to see for themselves the subtle differences between agent and user authentication and activity records.
Effective defense therefore means detection logic that spans these separate log sources. Monitoring AuditLogs for the Add delegated permission grant operation identifies when a user consents to agent access. Tracking the Agent.parentAppId field in sign-in logs links an agent's actions back to its originating blueprint or identity. And seemingly low-privilege permissions such as Mail.Send are enough to cause real harm when exercised by a compromised or manipulated agent.
A practical starting point is an alert for unexpected outbound email sent through the Graph API, since this is a common vector for malicious agent behavior. The reported Indicators of Compromise (IoCs), the IP address 51.3.97.221 used by the agent and the Agent ID 8cd0a10f-0be8-413a-9bf2-f44bc568d1e4, are concrete data points for threat hunting and for testing tool configuration. Because an agent ID is a tenant-specific GUID and the IP address reflects where that particular agent ran, durable detections should key on the behavioral pattern (an agent-attributed sign-in followed by Graph sendMail calls to external recipients) rather than on these literals alone. By understanding the mechanics of these agentic flows and correlating log data, organizations can better protect themselves against attacks that leverage AI agents inside their identity infrastructure.
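The three-way correlation described above, worked through as an added example in Python. This is illustrative code written for this article, not Red Canary's or Microsoft's. All log records are constructed, the tenant domain contoso.example is invented, and it is an assumption that the token identifier in the Purview record (AppAccessContext.UniqueTokenId) matches the token identifier column on the Graph Activity and sign-in side (named SignInActivityId and UniqueTokenIdentifier here); check the column names against your own exported logs before reusing the join.

```python
"""Attribute a Graph-sent email to an Entra agent by joining Purview Exchange,
Microsoft Graph Activity and non-interactive sign-in records on the token id,
and surface the AuditLogs consent event that granted the agent its access.
Example code added to this article; all records below are constructed."""

INTERNAL_DOMAIN = "contoso.example"  # assumed tenant domain

# --- Constructed sample records (not real tenant data) ---

# Entra AuditLogs: the consent events. Only the first carries the access_agent scope.
AUDIT_LOGS = [
    {"OperationName": "Add delegated permission grant", "InitiatedBy": "alice@contoso.example",
     "TargetResources": {"AppId": "AGENT-APP-ID", "Scope": "access_agent Mail.Send"}},
    {"OperationName": "Add delegated permission grant", "InitiatedBy": "bob@contoso.example",
     "TargetResources": {"AppId": "LOB-MAILER-APP", "Scope": "Mail.Send"}},
]

# Non-interactive sign-ins. tok-001 is an agent sign-in (Agent.* populated);
# tok-002 is an ordinary line-of-business app with no agent fields.
SIGNIN_NONINTERACTIVE = [
    {"UniqueTokenIdentifier": "tok-001", "UserPrincipalName": "alice@contoso.example",
     "AppId": "AGENT-APP-ID", "IPAddress": "203.0.113.7",
     "Agent": {"agentType": "interactiveAgent", "agentSubjectType": "user",
               "parentAppId": "BLUEPRINT-ID"}},
    {"UniqueTokenIdentifier": "tok-002", "UserPrincipalName": "bob@contoso.example",
     "AppId": "LOB-MAILER-APP", "IPAddress": "198.51.100.9", "Agent": None},
]

# Microsoft Graph Activity: the real client IP and the exact API call per token.
GRAPH_ACTIVITY = [
    {"SignInActivityId": "tok-001", "RequestMethod": "POST",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail", "IPAddress": "203.0.113.7"},
    {"SignInActivityId": "tok-002", "RequestMethod": "POST",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail", "IPAddress": "198.51.100.9"},
]

# Purview Exchange audit: ClientIP on a Graph-sent message is a Microsoft-side
# address (192.0.2.10 stands in for it), so it cannot be used for attribution.
PURVIEW_EXCHANGE = [
    {"Operation": "Send", "UserId": "alice@contoso.example", "ClientIP": "192.0.2.10",
     "AppAccessContext": {"UniqueTokenId": "tok-001"}, "Recipients": ["vendor@external.example"]},
    {"Operation": "Send", "UserId": "bob@contoso.example", "ClientIP": "192.0.2.10",
     "AppAccessContext": {"UniqueTokenId": "tok-002"}, "Recipients": ["carol@contoso.example"]},
    # Sent from an Outlook client: no matching Graph call, so it is out of scope here.
    {"Operation": "Send", "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7",
     "AppAccessContext": {"UniqueTokenId": "tok-003"}, "Recipients": ["dave@contoso.example"]},
]


def agent_consent_events(audit_logs):
    """Early warning: delegated permission grants whose scope includes access_agent."""
    return [e for e in audit_logs
            if e["OperationName"] == "Add delegated permission grant"
            and "access_agent" in e["TargetResources"]["Scope"].split()]


def correlate_graph_sends(purview, graph, signins):
    """For every Purview Send that went through Graph sendMail, recover the real
    source IP from Graph Activity and the agent attribution from the sign-in."""
    graph_by_token = {g["SignInActivityId"]: g for g in graph}
    signin_by_token = {s["UniqueTokenIdentifier"]: s for s in signins}
    alerts = []
    for p in purview:
        if p["Operation"] != "Send":
            continue
        tok = p["AppAccessContext"]["UniqueTokenId"]
        g = graph_by_token.get(tok)
        if g is None or not g["RequestUri"].lower().endswith("/sendmail"):
            continue  # not a Graph sendMail call (e.g. Outlook client); skip
        agent = (signin_by_token.get(tok) or {}).get("Agent") or {}
        alerts.append({
            "token_id": tok,
            "user": p["UserId"],
            "purview_ip": p["ClientIP"],          # misleading Microsoft-side address
            "true_ip": g["IPAddress"],            # actual originating IP from Graph Activity
            "is_agent": bool(agent),              # Agent.* present on the sign-in
            "agent_type": agent.get("agentType"),
            "parent_app_id": agent.get("parentAppId"),  # links back to the blueprint
            "external_recipients": [r for r in p["Recipients"]
                                    if not r.lower().endswith("@" + INTERNAL_DOMAIN)],
        })
    return alerts


if __name__ == "__main__":
    for c in agent_consent_events(AUDIT_LOGS):
        print("agent consent:", c["InitiatedBy"], "->", c["TargetResources"]["AppId"])
    for a in correlate_graph_sends(PURVIEW_EXCHANGE, GRAPH_ACTIVITY, SIGNIN_NONINTERACTIVE):
        flag = "AGENT" if a["is_agent"] else "app"
        print(f"[{flag}] {a['user']} sendMail via Graph from {a['true_ip']} "
              f"(Purview showed {a['purview_ip']}) to {a['external_recipients'] or 'internal only'}")
```

Run against real exports, the same join lets you answer the question the Purview record alone cannot: which token sent the message, from where, and whether an agent identity (and which parent blueprint) was behind it. The alert that matters most is the row where is_agent is true and external_recipients is non-empty.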
This discovery underscores the evolving threat landscape as AI becomes more integrated into enterprise systems. The ability of AI agents to operate with delegated permissions presents a new frontier for attackers, demanding continuous vigilance and advanced detection capabilities from security professionals to safeguard sensitive data and maintain the integrity of user identities.