People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
AgentFlayer: Discovery Phase of AI Agents in Copilot Studio- 1735
A Copilot Studio customer support management service built by McKinsey caught the researchers' attention as something worth attacking. The system has a service inbox that listens for inquiries, looks up previous engagements, and then replies to the request by email. To test this, they built their own version of the bot in Microsoft Copilot Studio, with a custom knowledge source holding the customer information and a "get records" tool that reads the company's CRM.
Using a prompt injection, they tricked the bot into sending an email to the attacker's address instead of the intended one. The injected prompt also had the bot disclose its knowledge sources and tools. With that information in hand they were ready to go after the service further, so this step serves mostly as recon. At root this looks like an access control issue: any email address can reach the bot.
In the next article, they simply ask the bot, via prompt injection, to leak the entire customer information file. The same can be done with a prompt injection that goes through the CRM as well.
Sadly, there is no complete "fix" for all of this beyond restricting which email addresses the bot accepts requests from. Where a bot can access sensitive data, a user can also extract it through prompt injection. The tone of the article is a little condescending, which I don't appreciate, though. The goal is to make the world more secure and get folks more interested in seeking security help; tones like this create a gap between developers and security, imo.
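As an added example (not from the article or from Copilot Studio itself), here is the kind of policy check a defender would put between the agent and its send-email tool: the sender must come from an allowlisted domain, and the reply recipient is pinned to the verified sender rather than taken from the model's output. The domain allowlist, address values and data classes are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed allowlist: only requests from these domains may drive the bot.
ALLOWED_SENDER_DOMAINS = {"customer.example"}


@dataclass(frozen=True)
class InboundEmail:
    """The request that arrived in the service inbox (constructed shape)."""
    sender: str
    body: str


@dataclass(frozen=True)
class ModelDraft:
    """Reply proposed by the agent; the model chose both fields."""
    to: str
    body: str


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of a bare address like user@host, or ''."""
    match = re.fullmatch(r"[^@\s<>]+@([^@\s<>]+)", address.strip())
    return match.group(1).lower() if match else ""


def is_allowed_sender(address: str) -> bool:
    return sender_domain(address) in ALLOWED_SENDER_DOMAINS


def enforce_reply_policy(inbound: InboundEmail, draft: ModelDraft) -> dict:
    """Decide what the mail-sending tool is actually allowed to do.

    The recipient is never trusted from the model: it is pinned to the verified
    sender of the inbound request, so an injected instruction that rewrites the
    'to' field only raises an alert instead of producing an exfiltrated email.
    """
    if not is_allowed_sender(inbound.sender):
        return {"action": "drop", "reason": "sender domain not allowlisted",
                "to": None, "alert": True}
    overridden = draft.to.strip().lower() != inbound.sender.strip().lower()
    return {"action": "send",
            "reason": "recipient overridden" if overridden else "ok",
            "to": inbound.sender, "alert": overridden}
```

The "alert" flag is the detection hook: a draft whose recipient disagrees with the verified sender is exactly the signal the article's attack would leave behind.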