Patricia Alfheim
August 18, 2025

Copilot prompt injection: inside the attack that emptied a CRM

Zenity Labs recently exposed a sobering reality for enterprises experimenting with AI agents. By replicating a McKinsey-built customer service bot on Microsoft’s Copilot Studio platform, they demonstrated how a malicious actor could hijack the agent and execute full-scale data exfiltration — without a single human click.

The attack was carried out in two stages. First came discovery: the researchers tricked the agent into revealing its internal configuration, including the names of connected knowledge sources. This seemingly harmless leak was the key to the second stage — impact. By sending a specially crafted email (a classic prompt injection), the attacker instructed the agent to read an entire customer data file and send it directly to the attacker’s inbox.

It didn’t stop there. Because the agent was also connected to Salesforce, the same technique was used to extract complete CRM account records in bulk. The entire process took seconds and required no human oversight. Microsoft patched the specific exploit within two months, but Zenity Labs cautions that prompt injection is far from solved. Natural language instructions can be endlessly rephrased, making blacklist-based defences brittle at best.

The lesson is clear: when AI agents are connected to sensitive data and tools, they inherit — and amplify — the risk.

Inside the attack and how it could have been prevented

This case shows how quickly an AI agent can be pushed off course when its connections and inputs aren’t tightly controlled. Here’s how each step unfolded — and the safeguards that could have stopped it.

1. Discovery of knowledge source names
The breach began when the agent revealed the names of its connected knowledge sources. Provenance metadata with embedded usage rules would prevent unauthorized requests from even seeing that a sensitive source exists, cutting off the first foothold in the attack.

2. Prompt injection through an open inbox
The agent was set to respond to any incoming email — effectively inviting instructions from anyone who knew the address. Limiting which senders or sources the agent will listen to shuts down this kind of attack before it starts.

3. Knowledge source exfiltration
Once the attacker knew the source name, they requested the full file. Usage rules embedded in the data ensure it can only be used for approved purposes, making a bulk export impossible.

4. Salesforce CRM exfiltration
The same technique was used to pull entire CRM account records — one of the most sensitive data sets in the business. Embedded controls set clear rules on how that data can be used and for what purpose, preventing bulk access to sensitive details.

5. Zero-click execution
Because the exploit ran automatically, the data was gone before anyone noticed. Embedded rules can block or limit high-impact requests the moment they appear, stopping large-scale leaks before any data leaves the system.
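The five safeguards above, worked into one policy layer. This is an added example written for this page, not code from Zenity Labs, Microsoft or IndyKite; it assumes a hypothetical agent that calls `authorize()` before every tool call and `visible_sources()` when asked what it knows about. The catalogue, the sender allow-list, the purposes and all addresses are constructed for illustration.

```python
"""Data-level policy checks for an email-triggered AI agent (added example).

Usage rules travel with each source's metadata, so a decision never depends
on recognising the wording of an injected instruction. All names, addresses
and sources below are constructed; they are not real systems.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Source:
    """A connected data source with usage rules embedded in its metadata."""
    name: str
    classification: str               # "public" or "restricted"
    allowed_purposes: FrozenSet[str]  # purposes the data may be used for
    max_records: int                  # per-request ceiling; blocks bulk export


@dataclass(frozen=True)
class Request:
    """One agent action, attributed to the email that triggered it."""
    sender: str                       # From: address of the triggering email
    purpose: str                      # purpose the agent declares for the data
    action: str                       # "read" or "send_external"
    source: str                       # source the agent wants to touch
    record_count: int = 1             # how many records it asks for
    destination: Optional[str] = None  # recipient address for send_external


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed catalogue and allow-lists (hypothetical values).
CATALOG: Dict[str, Source] = {
    "product_faq": Source("product_faq", "public",
                          frozenset({"customer_support", "sales"}), 100),
    "customer_list.xlsx": Source("customer_list.xlsx", "restricted",
                                 frozenset({"customer_support"}), 1),
    "salesforce_accounts": Source("salesforce_accounts", "restricted",
                                  frozenset({"customer_support"}), 1),
}
TRUSTED_SENDERS: FrozenSet[str] = frozenset({"support@example.com"})
INTERNAL_DOMAINS: FrozenSet[str] = frozenset({"example.com"})


def visible_sources(sender: str, purpose: str) -> List[str]:
    """Step 1: a request only learns of sources whose rules cover its purpose.

    Step 2 applies first: an untrusted sender learns nothing at all.
    """
    if sender not in TRUSTED_SENDERS:
        return []
    return sorted(s.name for s in CATALOG.values() if purpose in s.allowed_purposes)


def authorize(req: Request, audit: Optional[List[str]] = None) -> Decision:
    """Steps 2-5: decide before the agent acts; log every denial for detection."""

    def deny(reason: str) -> Decision:
        if audit is not None:
            audit.append(f"DENY {req.action} {req.source} from {req.sender}: {reason}")
        return Decision(False, reason)

    # Step 2: the agent only listens to approved senders.
    if req.sender not in TRUSTED_SENDERS:
        return deny("sender not on allow-list")
    # Steps 3 and 4: the usage rule embedded in the data decides the purpose.
    src = CATALOG.get(req.source)
    if src is None or req.purpose not in src.allowed_purposes:
        return deny("unknown source or purpose not permitted by usage rules")
    # Step 5: a high-impact (bulk) request is blocked the moment it appears.
    if req.record_count > src.max_records:
        return deny(f"{req.record_count} records exceeds ceiling of {src.max_records}")
    # Restricted data never leaves internal domains, whatever the instruction says.
    if req.action == "send_external":
        domain = (req.destination or "").rpartition("@")[2]
        if src.classification == "restricted" and domain not in INTERNAL_DOMAINS:
            return deny("restricted data may not be sent outside internal domains")
    return Decision(True, "permitted by embedded usage rules")


if __name__ == "__main__":
    log: List[str] = []
    # Constructed replay of the two-stage pattern: an outside address asks the
    # agent to read a whole file and mail it out. Both stages are refused.
    print(visible_sources("outsider@evil.example", "customer_support"))
    print(authorize(Request("outsider@evil.example", "customer_support",
                            "send_external", "customer_list.xlsx", 5000,
                            "outsider@evil.example"), log))
    print(log)
```

Because the rules are attached to the source rather than to phrases in the inbound message, rephrasing the instruction changes nothing: the sender check, the purpose check and the record ceiling are evaluated on the request's attributes, and every refusal is written to the audit list so a bulk attempt is visible even when it fails.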

Going beyond platform security to data-level control

AI agents are only as safe as the controls protecting the data they use. When organisations rush to connect tools, databases, and customer systems to accelerate automation, they expand the attack surface beyond what platform security alone can contain.

The strongest protection comes from embedding control into the data itself by using rich context in every policy and query decision. This enables precise retrieval that protects sensitive information from misuse without slowing legitimate data use.

Zenity Labs’ research is a reminder that platform-level security fixes are necessary, but not enough. True resilience comes from controlling how data can be used at the source — before an agent ever gets the chance to misuse it.

This is the principle behind IndyKite’s approach, applying embedded, context-aware controls so organisations can confidently use their data in AI agents and applications without increasing the risk of exposure.
