Red Canary: Microsoft Entra Agent ID abuse — OBO OAuth flow turns a compromised AI agent into a delegated phishing sender [SINGLE-SOURCE]
From CTI Daily Brief — 2026-06-10 · published 2026-06-10
Red Canary's latest Entra ID AI-agent analysis examines the On-Behalf-Of (OBO) OAuth flow exploited through assistive agents (Red Canary, 2026-06-08). An agent blueprint configured with the access_agent scope and broad Graph permissions (Mail.Send, Mail.ReadWrite, Group.Read.All) can send phishing email via the Graph sendMail endpoint with full delegated authority, appearing to originate from the impersonated user; standard sign-in and Exchange audit logs show the agent acting for the user, not an attacker (T1199, T1078.004).

Detection requires correlating three sources — MicrosoftGraphActivityLogs (Agent.agentType == agenticAppInstance AND Agent.agentSubjectType == notAgentic), AADNonInteractiveUserSignInLogs, and Exchange Purview audit logs — joined on ClientRequestId.

Defenders should audit Entra agent-blueprint permission grants for dangerous scope combinations and apply least privilege. As Microsoft 365 Copilot/agent features roll into CH/EU public-sector tenants, this becomes a near-term identity-monitoring gap. [SINGLE-SOURCE] (Red Canary primary research).
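The three-source correlation described in the brief, as an added worked example (this is not Red Canary's or Microsoft's code). The agent predicate and the ClientRequestId join key are taken from the brief; the other column names are assumptions modelled on the Sentinel tables, and every log record below is constructed so the script runs offline. It emits one finding per agent-originated sendMail call and records whether the Exchange audit record confirmed the send, since a delayed or failed send should still surface.

```python
"""Correlate the three log sources the brief names, joined on ClientRequestId.

Added example, not Red Canary's or Microsoft's code. The agent predicate
(Agent.agentType == agenticAppInstance AND Agent.agentSubjectType == notAgentic)
and the join key come from the brief; the remaining column names are
assumptions modelled on the Sentinel tables, and every record is constructed.
"""
from collections import defaultdict
from typing import Dict, List

AGENT_PREDICATE = {"agentType": "agenticAppInstance", "agentSubjectType": "notAgentic"}

# Constructed MicrosoftGraphActivityLogs rows (column names assumed).
GRAPH_ACTIVITY: List[Dict] = [
    # Agent acting for a user and calling sendMail: the pattern to flag.
    {"ClientRequestId": "req-001", "RequestMethod": "POST",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail",
     "Scopes": "Mail.Send Mail.ReadWrite Group.Read.All", "Agent": dict(AGENT_PREDICATE)},
    # Same agent reading mail: not a send, so not flagged here.
    {"ClientRequestId": "req-002", "RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/messages",
     "Scopes": "Mail.ReadWrite", "Agent": dict(AGENT_PREDICATE)},
    # Agent acting as itself (agentic subject): excluded by the predicate.
    {"ClientRequestId": "req-003", "RequestMethod": "POST",
     "RequestUri": "https://graph.microsoft.com/v1.0/users/u-bot/sendMail",
     "Scopes": "Mail.Send",
     "Agent": {"agentType": "agenticAppInstance", "agentSubjectType": "agentic"}},
    # Ordinary mail client with no Agent block: normal user behaviour.
    {"ClientRequestId": "req-004", "RequestMethod": "POST",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail", "Scopes": "Mail.Send"},
    # Agent sendMail whose Exchange audit record is missing (delayed or failed send).
    {"ClientRequestId": "req-005", "RequestMethod": "POST",
     "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail",
     "Scopes": "Mail.Send", "Agent": dict(AGENT_PREDICATE)},
]

# Constructed AADNonInteractiveUserSignInLogs rows: which user the token was issued for.
SIGNINS: List[Dict] = [
    {"ClientRequestId": "req-001", "UserPrincipalName": "alice@example.test",
     "AppDisplayName": "Inbox Helper Agent"},
    {"ClientRequestId": "req-004", "UserPrincipalName": "bob@example.test",
     "AppDisplayName": "Outlook"},
    {"ClientRequestId": "req-005", "UserPrincipalName": "carol@example.test",
     "AppDisplayName": "Inbox Helper Agent"},
]

# Constructed Exchange (Purview) audit rows: what actually left the mailbox.
EXCHANGE_AUDIT: List[Dict] = [
    {"ClientRequestId": "req-001", "Operation": "Send",
     "Subject": "Updated payment details", "Recipients": ["finance@example.test"]},
    {"ClientRequestId": "req-004", "Operation": "Send",
     "Subject": "Lunch?", "Recipients": ["alice@example.test"]},
]


def is_delegated_agent_call(row: Dict) -> bool:
    """True when an agent instance acts with a (non-agent) user's delegated token."""
    agent = row.get("Agent") or {}
    return all(agent.get(k) == v for k, v in AGENT_PREDICATE.items())


def is_send_mail(row: Dict) -> bool:
    """True for POST .../sendMail, whether addressed via /me or /users/{id}."""
    uri = row.get("RequestUri", "").rstrip("/")
    return row.get("RequestMethod") == "POST" and uri.endswith("/sendMail")


def correlate(graph_rows, signin_rows, exchange_rows) -> List[Dict]:
    """Join the three sources on ClientRequestId; one finding per agent send.

    The Graph call is the primary signal, so a finding is emitted even when the
    Exchange record is absent; exchange_confirmed tells the analyst which case it is.
    """
    signins = {r["ClientRequestId"]: r for r in signin_rows}
    sends = defaultdict(list)
    for r in exchange_rows:
        if r.get("Operation") == "Send":
            sends[r["ClientRequestId"]].append(r)
    findings = []
    for g in graph_rows:
        if not (is_delegated_agent_call(g) and is_send_mail(g)):
            continue
        crid = g["ClientRequestId"]
        s = signins.get(crid, {})
        findings.append({
            "ClientRequestId": crid,
            "acting_for": s.get("UserPrincipalName"),
            "agent_app": s.get("AppDisplayName"),
            "scopes": sorted(g.get("Scopes", "").split()),
            "exchange_confirmed": bool(sends.get(crid)),
            "recipients": [rcpt for e in sends.get(crid, []) for rcpt in e.get("Recipients", [])],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(GRAPH_ACTIVITY, SIGNINS, EXCHANGE_AUDIT):
        print(finding)
```

Against the constructed data this yields two findings: req-001 (agent sent mail as alice, confirmed by Exchange, with the three broad scopes on the token) and req-005 (agent sendMail with no Exchange record yet). req-003 is dropped because the agent acted as its own subject, and req-004 because no agent was involved; both are the negative cases the predicate is meant to exclude.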
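The permission-grant audit the brief recommends, as an added example (not Microsoft's or Red Canary's tooling). The scopes access_agent, Mail.Send, Mail.ReadWrite and Group.Read.All are the ones the brief names; the blueprint records, their field names and the "required_scopes" baseline are constructed assumptions standing in for an export of a tenant's agent-blueprint grants. It flags the dangerous combinations on OBO agents and lists the scopes that exceed what each blueprint's task needs, which is the least-privilege gap to close.

```python
"""Audit Entra agent-blueprint permission grants for dangerous scope combinations.

Added example, not Microsoft's or Red Canary's tooling. The scope names come
from the brief; the blueprint records, field names and the required_scopes
baseline are constructed assumptions standing in for a real tenant export.
"""
from typing import Dict, FrozenSet, List

# Delegated Graph scope combinations that matter on an OBO agent, with the reason.
# A combo matches when every scope in it has been granted.
DANGEROUS_COMBOS: Dict[FrozenSet[str], str] = {
    frozenset({"Mail.Send"}):
        "can send mail with the delegating user's full authority",
    frozenset({"Mail.Send", "Mail.ReadWrite"}):
        "can read existing threads and inject replies into them",
    frozenset({"Mail.Send", "Group.Read.All"}):
        "can enumerate group membership to build recipient lists",
}

# Constructed blueprint export: granted scopes plus the scopes the documented task needs.
BLUEPRINTS: List[Dict] = [
    {"name": "inbox-helper",
     "scopes": ["access_agent", "Mail.Send", "Mail.ReadWrite", "Group.Read.All"],
     "required_scopes": ["Mail.Read"]},
    {"name": "calendar-summariser",
     "scopes": ["access_agent", "Calendars.Read"],
     "required_scopes": ["Calendars.Read"]},
    # No access_agent: not an OBO agent, so outside this audit (review app-only grants separately).
    {"name": "legacy-daemon", "scopes": ["Mail.Send"], "required_scopes": ["Mail.Send"]},
]


def audit_blueprint(bp: Dict) -> Dict:
    """Return the risk picture for one blueprint.

    severity: "high"  = dangerous combo present AND scopes beyond the task's needs
              "medium" = dangerous combo present but every scope is required (monitor it)
              "ok"     = OBO agent with no dangerous combo
              "not-obo" = no access_agent scope, so the OBO analysis does not apply
    """
    granted = set(bp["scopes"])
    obo = "access_agent" in granted
    risks = [why for combo, why in DANGEROUS_COMBOS.items() if obo and combo <= granted]
    excess = sorted(granted - set(bp["required_scopes"]) - {"access_agent"})
    if not obo:
        severity = "not-obo"
    elif risks and excess:
        severity = "high"
    elif risks:
        severity = "medium"
    else:
        severity = "ok"
    return {"name": bp["name"], "obo_agent": obo, "risks": risks,
            "excess_scopes": excess, "severity": severity}


def audit(blueprints: List[Dict]) -> List[Dict]:
    """Audit every blueprint, preserving export order."""
    return [audit_blueprint(bp) for bp in blueprints]


def least_privilege_grant(bp: Dict) -> List[str]:
    """The scope set the blueprint should be trimmed to: access_agent plus what the task needs."""
    keep = set(bp["required_scopes"])
    if "access_agent" in bp["scopes"]:
        keep.add("access_agent")
    return sorted(keep)


if __name__ == "__main__":
    for result in audit(BLUEPRINTS):
        print(result["name"], result["severity"], result["excess_scopes"])
        for why in result["risks"]:
            print("   -", why)
```

On the constructed export, inbox-helper comes out "high": all three combinations match and Mail.Send, Mail.ReadWrite and Group.Read.All are excess against a task that only needs Mail.Read, so least_privilege_grant reduces it to access_agent plus Mail.Read. calendar-summariser is "ok", and legacy-daemon is reported as "not-obo" rather than silently passed.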