Microsoft has published many examples of how businesses can build AI agents in Copilot Studio to automate multi-step tasks, without a human in the loop.<\/p>\n
One such example, as shared on YouTube<\/a>, is a customer service agent built by McKinsey & Co..<\/p>\n The AI agent autonomously interacts with customers, scouring internal knowledge bases and data systems to share responses to their queries.<\/p>\n Such a possibility represents a major leap for customer-facing chatbots, which, until recently, relied on rigid decision trees that broke whenever customers went off-script.<\/p>\n Thanks to this tech advancement, Gartner has predicted that agentic AI will solve 80 percent of customer problems by 2029<\/a>.<\/p>\n Microsoft Copilot Studio<\/a> has quickly become a hallmark platform for building AI agents that converse with customers.<\/p>\n Yet, researchers from Zenity, the security and governance platform provider, wanted to test how safe the customer-facing agents built on Copilot Studio are.<\/p>\n As such, the firm created a replica of McKinsey’s model, hooked it to a Salesforce sandbox org, and started “attacking it like it’s the last agent on earth<\/a>.”<\/p>\n The result, shared at DEF CON 2025, proved nothing short of remarkable. Indeed, the researchers made the agent act without human verification, reveal private knowledge and internal tools, \u00a0and share complete Salesforce CRM records.<\/p>\n Since then, the Zenity team has released a video of their attack, showcasing how it breached the AI agent, after Microsoft confirmed the injection no longer works.<\/p>\n