February 1, 2026
Microsoft’s post argues that AI agents introduce a new kind of “runtime risk”: once an agent is deployed, it can access sensitive data and carry out privileged actions simply by following natural-language instructions. That means attackers don’t always need to “hack” a system in the traditional sense—if they can influence the agent’s plan (for example through prompt injection or embedded instructions in content the agent reads), the agent may perform harmful actions while still staying within its allowed permissions, making the abuse harder to spot with classic controls. The article breaks an agent’s attack surface into three practical pieces—topics (conversation flows), tools (connectors/actions the agent can invoke), and knowledge sources (enterprise content it can retrieve)—and explains that generative orchestration can dynamically chain these at runtime, increasing the chance of unintended action sequences.
To mitigate this, Microsoft describes real-time “agent runtime protection”: in Copilot Studio, each tool/topic/knowledge invocation can trigger a webhook to Microsoft Defender, sending context about the planned action (parameters, prior-step outputs, user context, triggering content). Defender then evaluates the intent and destination and decides to allow or block before execution. The post illustrates this with three scenarios: (1) a finance agent triggered by inbound email is tricked by hidden instructions to query sensitive knowledge and send it out—Defender blocks the knowledge lookup; (2) a SharePoint document is poisoned to trick an agent into reading a file the attacker can’t access and emailing it externally—Defender blocks the email step using threat intelligence; and (3) a public support chatbot is probed with crafted prompts to enumerate capabilities—Defender detects the reconnaissance pattern and blocks resulting tool invocations to prevent data access or exfiltration.
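The pre-execution check described above, as an added illustration that is not Microsoft's code: a hypothetical policy hook that receives the planned invocation context (kind, name, parameters, triggering content, prior-step outputs, session) and returns allow or block, with one rule per scenario. The field names, domain, knowledge-source labels and reconnaissance heuristic are all assumptions.

```python
# Added illustration, not Microsoft's API: a pre-execution hook modelling the
# Copilot Studio -> Defender webhook. Field names and rules are assumptions.
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "contoso.example"                  # constructed tenant domain
SENSITIVE_SOURCES = {"finance-ledger"}               # constructed knowledge-source labels
UNTRUSTED_TRIGGERS = {"inbound_email", "shared_document", "public_chat"}
RECON_PHRASES = ("what tools", "list your", "which connectors", "what can you access")
RECON_THRESHOLD = 3                                  # constructed heuristic

@dataclass
class PlannedAction:
    kind: str                           # "topic", "tool" or "knowledge"
    name: str
    params: dict = field(default_factory=dict)
    trigger_source: str = "user_chat"   # what started this agent run
    triggering_text: str = ""           # the content that caused this step
    prior_outputs: list = field(default_factory=list)  # labels of earlier steps' outputs
    session_id: str = "s1"

_recon_hits = {}   # session_id -> count of capability-probing prompts seen

def evaluate(a: PlannedAction):
    """Return ("allow"|"block", reason) before the orchestrator executes the step."""
    untrusted = a.trigger_source in UNTRUSTED_TRIGGERS
    text = a.triggering_text.lower()
    # Scenario 3: count reconnaissance prompts per public session, then stop tool use
    if a.trigger_source == "public_chat" and any(p in text for p in RECON_PHRASES):
        _recon_hits[a.session_id] = _recon_hits.get(a.session_id, 0) + 1
    if a.kind == "tool" and _recon_hits.get(a.session_id, 0) >= RECON_THRESHOLD:
        return "block", "capability enumeration pattern in this session"
    # Scenario 1: untrusted content steering the plan into a sensitive knowledge source
    if a.kind == "knowledge" and a.name in SENSITIVE_SOURCES and untrusted:
        return "block", f"{a.name} lookup driven by {a.trigger_source} content"
    # Scenario 2: email step carrying enterprise content to an external destination
    if a.kind == "tool" and a.name == "send_email":
        domain = a.params.get("to", "").rsplit("@", 1)[-1].lower()
        carries_internal = any(p.startswith("knowledge:") for p in a.prior_outputs)
        if domain != INTERNAL_DOMAIN and carries_internal:
            return "block", f"enterprise content addressed to external domain {domain}"
    return "allow", "no policy match"
```

The same context is what the orchestrator would post to the webhook; a real deployment would also log every decision so blocked steps are visible to incident response.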