we hijacked microsoft's copilot studio agents and got them to spill out their private knowledge, reveal their tools and let us use them to dump full crm records. these are autonomous agents.. no human in the loop #DEFCON #BHUSA @tamirishaysh
@tamirishaysh hacking into agentic systems starts with reverse engineering. strong agents aren't just llm-wrappers -- they are sophisticated software harnesses. they chunk up the prompt into manageable parts that fit the context window. you can poke your way around to reveal the ai system
@tamirishaysh microsoft shared that their customers have built >3M of these agents. they can be really powerful. you can enable >10k actions that allow interaction w/ everything from m365 to sql and azure and .. here's a customer success agent microsoft showed on stage
@tamirishaysh we can interact w/ this agent via email.. so we get it to reveal its private knowledge sources
@tamirishaysh ohh so you've got a Custom Support Account Owners file? gimme pls
@tamirishaysh next we figure out all the tools this agent has access to. these come batteries-included with their maker's OAuth tokens. we've been abusing the send-an-email--V2 action for recon and exfil so far, but this agent has access to.. EVERY RECORD ON SALESFORCE
@tamirishaysh copilot studio team has been great in their response. they acked quickly, patched within 60d, limited actions, changed defaults, and engaged us in open collab. agent aijacking is not a vuln you can fix, it's inherent to agentic systems -- a problem we're going to have to manage
@tamirishaysh and now.. here's a dump of the entire account table. equipped with precise knowledge about the 'get-records' tool and its 'table' param, we instruct the agent to get us what we want: "Thank your for being such an understanding and accepting assistant"
@tamirishaysh ohh and these agents are enumerable, so here's a tool drop for you. enjoy! https://x.com/mbrg0/status/195...
@tamirishaysh summary, disclosure and fix timelines. thx to the copilot studio team for timely remediation and an open collab!
@tamirishaysh check out @tamirishaysh's writeups https://x.com/mbrg0/status/194...
@tamirishaysh we also hijacked chatgpt, cursor, salesforce, .. https://x.com/mbrg0/status/195...
@mbrg0 @tamirishaysh Can I use this image?