ctipilot.ch

Red Canary: Microsoft Entra Agent ID OBO OAuth abuse turns compromised AI agent into delegated phishing sender

vulnerability-trend · campaign:entra-agent-id-obo-abuse-redcanary

  • Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
  • Briefs: 1 (1 distinct)
  • Sources cited: 13 (10 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-10 · CTI Daily Brief — 2026-06-10
    research · First coverage. SINGLE-SOURCE; Graph Agent.* log-field detection.

Where this entity is cited

  • research: 1

Source distribution

  • redcanary.com: 2 (15%)
  • thehackernews.com: 2 (15%)
  • bleepingcomputer.com: 2 (15%)
  • microsoft.com: 1 (8%)
  • permiso.io: 1 (8%)
  • pushsecurity.com: 1 (8%)
  • securityweek.com: 1 (8%)
  • sysdig.com: 1 (8%)
  • other: 2 (15%)

Related entities

All cited sources (13)

Items in briefs about Red Canary: Microsoft Entra Agent ID OBO OAuth abuse turns compromised AI agent into delegated phishing sender (4)

Red Canary: Microsoft Entra Agent ID abuse — OBO OAuth flow turns a compromised AI agent into a delegated phishing sender [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Red Canary's latest Entra ID AI-agent analysis examines the On-Behalf-Of (OBO) OAuth flow exploited through assistive agents (Red Canary, 2026-06-08). An agent blueprint configured with access_agent scope and broad Graph permissions (Mail.Send, Mail.ReadWrite, Group.Read.All) can send phishing email via the Graph sendMail endpoint with full delegated authority, appearing to originate from the impersonated user; standard sign-in and Exchange audit logs show the agent acting for the user, not an attacker (T1199, T1078.004). Detection requires correlating three sources — MicrosoftGraphActivityLogs (Agent.agentType == agenticAppInstance AND Agent.agentSubjectType == notAgentic), AADNonInteractiveUserSignInLogs, and Exchange Purview audit logs — joined on ClientRequestId. Defenders should audit Entra agent-blueprint permission grants for dangerous scope combinations and apply least privilege. As Microsoft 365 Copilot/agent features roll into CH/EU public-sector tenants, this becomes a near-term identity-monitoring gap. [SINGLE-SOURCE] (Red Canary primary research).
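The three-source correlation described above, sketched offline as an added example (not Red Canary's or Microsoft's code). The log field names come from the brief; the row shapes, sample values and the function names are constructed for illustration.

```python
# Constructed sample records: field names follow the brief, row shapes are simplified.
AGENT = {"agentType": "agenticAppInstance", "agentSubjectType": "notAgentic"}
GRAPH = [  # MicrosoftGraphActivityLogs
    {"ClientRequestId": "req-001", "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail", "Agent": AGENT},
    {"ClientRequestId": "req-002", "RequestUri": "https://graph.microsoft.com/v1.0/me/messages", "Agent": AGENT},
    {"ClientRequestId": "req-003", "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail", "Agent": {}},
    {"ClientRequestId": "req-004", "RequestUri": "https://graph.microsoft.com/v1.0/me/SendMail", "Agent": AGENT},
]
SIGNINS = [  # AADNonInteractiveUserSignInLogs
    {"ClientRequestId": "req-001", "UserPrincipalName": "alice@example.test"},
    {"ClientRequestId": "req-003", "UserPrincipalName": "bob@example.test"},
    {"ClientRequestId": "req-004", "UserPrincipalName": "alice@example.test"},
]
EXCHANGE = [  # Exchange / Purview audit
    {"ClientRequestId": "req-001", "Operation": "Send"},
    {"ClientRequestId": "req-003", "Operation": "Send"},
]

def is_agent_obo(rec):
    """True when an agent instance is acting for a non-agentic (human) subject."""
    agent = rec.get("Agent") or {}
    return (agent.get("agentType") == "agenticAppInstance"
            and agent.get("agentSubjectType") == "notAgentic")

def index_by_request(rows):
    out = {}
    for row in rows:
        out.setdefault(row.get("ClientRequestId"), []).append(row)
    return out

def correlate(graph, signins, exchange):
    """Join agent-driven sendMail calls to sign-in and Exchange rows on ClientRequestId."""
    si, ex = index_by_request(signins), index_by_request(exchange)
    findings = []
    for g in graph:
        # URI casing is not assumed stable, so compare case-insensitively.
        if not is_agent_obo(g) or "/sendmail" not in g.get("RequestUri", "").lower():
            continue
        rid = g["ClientRequestId"]
        findings.append({
            "ClientRequestId": rid,
            "users": sorted({s["UserPrincipalName"] for s in si.get(rid, [])}),
            "exchange_ops": [e["Operation"] for e in ex.get(rid, [])],
            # False means one source is missing: a collection gap worth triaging.
            "complete": rid in si and rid in ex,
        })
    return findings
```

A finding with complete set to False still identifies an agent-driven send; it only means one of the three log sources had no matching row for that request.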

[SINGLE-SOURCE] Red Canary: detecting Entra Agent ID privilege escalation — credential injection into agent blueprints enables lateral movement across the entire tenant

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

Red Canary published a detection-engineering primer on 27 May 2026 on the AgentIdentityBlueprint.AddRemoveCreds.All role in Microsoft Entra's new Agent ID identity class — autonomous app identities that act in a tenant without human interaction (Red Canary, 2026-05-27). A misconfigured or adversary-controlled agent identity holding this role can add client secrets to any agent blueprint, then authenticate as any agent identity in the tenant — including high-privilege ones — after legitimate credential rotation. The full privilege-escalation chain: agent app → malicious role assignment (AgentIdentityBlueprint.AddRemoveCreds.All) → credential injection into target blueprint → authenticate as high-privilege agent → pivot to all downstream resources that blueprint can access. Relevant log sources: AuditLogs — look for "Update application – Certificates and secrets management" with a non-human InitiatedBy.app.servicePrincipalId; MicrosoftGraphActivityLogs — Graph API calls from agent service principals with unusual IP and UserAgent fields; AADServicePrincipalSignInLogs — filter on Agent.agentType: agenticAppInstance. Correlation: match SignInActivityId from Graph logs to UniqueTokenIdentifier in sign-in logs to reconstruct credential-add-to-authentication chains. MITRE ATT&CK: T1098 (Account Manipulation), T1078.004 (Valid Accounts: Cloud Accounts). Swiss public-sector M365 deployments adopting AI agents via Copilot Studio or Azure AI Foundry should establish baselines for each agent identity's API scope and alert on credential additions to blueprints by any identity other than the provisioning pipeline. [SINGLE-SOURCE]
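An added example (not from Red Canary's primer) of the credential-add-to-authentication chain reconstruction described above, run over constructed records. Assumptions: the flattened TargetAppId and AppId fields used to tie an audit event to a blueprint's later sign-ins, the allowlisted pipeline identifier, and all sample values are hypothetical.

```python
CRED_OP = "Update application – Certificates and secrets management"
PIPELINE_SP = "sp-provisioning-pipeline"  # hypothetical allowlisted provisioning identity

# Constructed records. Timestamps share one UTC ISO-8601 format, so string order is time order.
AUDIT = [
    {"TimeGenerated": "2026-05-20T10:00:00Z", "OperationName": CRED_OP, "TargetAppId": "bp-finance",
     "InitiatedBy": {"app": {"servicePrincipalId": "sp-agent-helpdesk"}}},
    {"TimeGenerated": "2026-05-20T11:00:00Z", "OperationName": CRED_OP, "TargetAppId": "bp-hr",
     "InitiatedBy": {"app": {"servicePrincipalId": PIPELINE_SP}}},
]
SP_SIGNINS = [  # AADServicePrincipalSignInLogs
    {"TimeGenerated": "2026-05-20T09:00:00Z", "AppId": "bp-finance", "UniqueTokenIdentifier": "tok-B",
     "IPAddress": "198.51.100.7", "Agent": {"agentType": "agenticAppInstance"}},
    {"TimeGenerated": "2026-05-20T10:05:00Z", "AppId": "bp-finance", "UniqueTokenIdentifier": "tok-A",
     "IPAddress": "203.0.113.50", "Agent": {"agentType": "agenticAppInstance"}},
    {"TimeGenerated": "2026-05-20T11:30:00Z", "AppId": "bp-hr", "UniqueTokenIdentifier": "tok-C",
     "IPAddress": "198.51.100.7", "Agent": {"agentType": "agenticAppInstance"}},
]
GRAPH = [  # MicrosoftGraphActivityLogs
    {"SignInActivityId": "tok-A", "RequestUri": "https://graph.microsoft.com/v1.0/users"},
    {"SignInActivityId": "tok-B", "RequestUri": "https://graph.microsoft.com/v1.0/me"},
]

def suspicious_adds(audit, allow=frozenset({PIPELINE_SP})):
    """Credential additions initiated by a non-human identity outside the allowlist."""
    for event in audit:
        sp = ((event.get("InitiatedBy") or {}).get("app") or {}).get("servicePrincipalId")
        if event.get("OperationName") == CRED_OP and sp and sp not in allow:
            yield event, sp

def chains(audit, signins, graph):
    """Link each suspicious add to later agent sign-ins and the Graph calls made with that token."""
    calls = {}
    for g in graph:
        calls.setdefault(g["SignInActivityId"], []).append(g["RequestUri"])
    out = []
    for add, sp in suspicious_adds(audit):
        for s in signins:
            is_agent = (s.get("Agent") or {}).get("agentType") == "agenticAppInstance"
            if (is_agent and s["AppId"] == add["TargetAppId"]
                    and s["TimeGenerated"] >= add["TimeGenerated"]):
                token = s["UniqueTokenIdentifier"]
                out.append({"initiator": sp, "blueprint": add["TargetAppId"], "token": token,
                            "ip": s["IPAddress"], "graph_calls": calls.get(token, [])})
    return out
```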

AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

Five separate daily items this week, each minor on its own, line up into the most important emerging pattern of the window: AI products are now simultaneously a lure brand, an attack surface, and an offensive force-multiplier. As a lure: ACR Stealer was distributed through counterfeit Claude AI download pages promoted by malicious search ads (2026-05-26), and a cryptojacking campaign used AI-chatbot search-result poisoning to steer victims to GPU-utility lookalikes that dropped ScreenConnect and process-hollowed miners under a signed Microsoft binary (2026-05-28). As an attack surface: LLMShare malvertising hid fake outage pages inside ChatGPT share links to serve infostealers (2026-05-30); ChatGPhish abused the ChatGPT Markdown renderer's trust of third-party image URLs and links for IP exfiltration and phishing from legitimate chatgpt.com (2026-05-30); and Red Canary detailed Entra Agent ID privilege escalation, injecting credentials into agent blueprints for tenant-wide lateral movement (2026-05-30). As a force-multiplier: Sysdig TRT documented the first observed LLM-agent-driven post-exploitation, moving from a Marimo-notebook RCE (CVE-2026-39987) to internal-database exfiltration in four pivots in under an hour (2026-05-30).

The synthesis for a public-sector SOC: treat AI-brand download and search results as a live malvertising vector (block lookalike domains, prefer vendor-canonical download paths); scope DLP and egress controls to LLM rendering and share endpoints; and govern non-human agent identities (Entra Agent IDs, service-principal-equivalent AI agents) with the same conditional-access and credential-hygiene controls applied to service principals.

Grafana Labs / CoinbaseCartel — source-code-only theft confirmed; ransom rejected; detected by canary token

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Grafana Labs confirmed on 2026-05-18 that the CoinbaseCartel data-extortion group used a compromised GitHub token granting access to Grafana's GitHub environment to exfiltrate private source code only — no customer data, no production systems — and that it rejected the ransom. (Earlier reporting attributed the entry to a pull_request_target GitHub Actions misconfiguration and credited a canary token with detection; the in-window victim-confirmation sources cited here state only the compromised-token vector, so those mechanism specifics are not asserted as fact.) The defender takeaway the sources do support: audit GitHub token scopes and lifetimes aggressively, restrict pull_request_target workflows as general hardening, and seed canary artefacts in private repositories as a low-cost detection layer for source-code exfiltration.