ctipilot.ch

Red Canary

trend · trend:entra-agent-id-obo-abuse-redcanary · single-source

Red Canary: Microsoft Entra Agent ID OBO OAuth abuse turns compromised AI agent into delegated phishing sender

  • Coverage timeline: 3 (first 2026-05-25 → last 2026-06-10)
  • Entries: 3 (3 distinct days)
  • Sources cited: 6 (5 hosts)
  • Sections touched: 2 (research, weekly-multi-day)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-10 · research · Red Canary: Microsoft Entra Agent ID abuse — OBO OAuth flow turns a compromised AI agent into a delegated phishing sender
  2. 2026-05-30 · research · Red Canary: detecting Entra Agent ID privilege escalation — credential injection into agent blueprints enables lateral movement across the entire tenant
  3. 2026-05-25 · weekly-multi-day · AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole

Where this entity is cited

  • research: 2
  • weekly-multi-day: 1

Source distribution

  • redcanary.com: 2 (33%)
  • microsoft.com: 1 (17%)
  • permiso.io: 1 (17%)
  • pushsecurity.com: 1 (17%)
  • sysdig.com: 1 (17%)

Related entities

Entries about Red Canary (3)

2026-06-10

Red Canary: Microsoft Entra Agent ID abuse — OBO OAuth flow turns a compromised AI agent into a delegated phishing sender

notable · research · discovered 2026-06-10 05:00 UTC · single-source

Red Canary's latest Entra ID AI-agent analysis examines the On-Behalf-Of (OBO) OAuth flow exploited through assistive agents (Red Canary, 2026-06-08). An agent blueprint configured with access_agent scope and broad Graph permissions (Mail.Send, Mail.ReadWrite, Group.Read.All) can send phishing email via the Graph sendMail endpoint with full delegated authority, appearing to originate from the impersonated user; standard sign-in and Exchange audit logs show the agent acting for the user, not an attacker (T1199, T1078.004). Detection requires correlating three sources — MicrosoftGraphActivityLogs (Agent.agentType == agenticAppInstance AND Agent.agentSubjectType == notAgentic), AADNonInteractiveUserSignInLogs, and Exchange Purview audit logs — joined on ClientRequestId. Defenders should audit Entra agent-blueprint permission grants for dangerous scope combinations and apply least privilege. As Microsoft 365 Copilot/agent features roll into CH/EU public-sector tenants, this becomes a near-term identity-monitoring gap. [SINGLE-SOURCE] (Red Canary primary research).

identity ai-abuse phishing cloud global
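
The three-source correlation described in this entry, as an added example (not Red Canary's or this page's own code). Only Agent.agentType, Agent.agentSubjectType and ClientRequestId come from the entry; every other field name and all sample records are constructed assumptions about the export shape.

```python
from collections import defaultdict

# Constructed sample records. Fields other than Agent.* and ClientRequestId
# (RequestUri, AppId, UserPrincipalName, Operation, Recipients) are assumed.
AGENT = {"agentType": "agenticAppInstance", "agentSubjectType": "notAgentic"}
GRAPH_LOGS = [  # MicrosoftGraphActivityLogs
    {"ClientRequestId": "req-001", "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail",
     "AppId": "agent-app-A", "Agent": AGENT},
    {"ClientRequestId": "req-002", "RequestUri": "https://graph.microsoft.com/v1.0/me/messages",
     "AppId": "agent-app-A", "Agent": AGENT},
    {"ClientRequestId": "req-003", "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail",
     "AppId": "mail-client", "Agent": {}},
    {"ClientRequestId": "req-004", "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail",
     "AppId": "agent-app-B", "Agent": AGENT},
]
SIGNIN_LOGS = [  # AADNonInteractiveUserSignInLogs
    {"ClientRequestId": "req-001", "UserPrincipalName": "alice@example.test"},
    {"ClientRequestId": "req-003", "UserPrincipalName": "bob@example.test"},
]
EXCHANGE_AUDIT = [  # Exchange Purview audit records
    {"ClientRequestId": "req-001", "Operation": "Send", "Recipients": 42},
    {"ClientRequestId": "req-004", "Operation": "Send", "Recipients": 3},
]

def is_delegated_agent_call(rec):
    """The Graph-log filter given in the entry: agent instance acting for a human subject."""
    agent = rec.get("Agent") or {}
    return agent.get("agentType") == "agenticAppInstance" and agent.get("agentSubjectType") == "notAgentic"

def index_by_request(records):
    out = defaultdict(list)
    for r in records:
        if r.get("ClientRequestId"):
            out[r["ClientRequestId"]].append(r)
    return out

def correlate_agent_sends(graph, signins, exchange):
    """Join agent sendMail calls to sign-in and Exchange records on ClientRequestId."""
    signin_ix, exch_ix = index_by_request(signins), index_by_request(exchange)
    findings = []
    for g in graph:
        if not is_delegated_agent_call(g) or not g.get("RequestUri", "").lower().endswith("/sendmail"):
            continue
        rid = g.get("ClientRequestId")
        s, e = signin_ix.get(rid, []), exch_ix.get(rid, [])
        findings.append({
            "ClientRequestId": rid, "agent_app": g.get("AppId"),
            "users": sorted({x["UserPrincipalName"] for x in s}),
            "recipients": sum(x.get("Recipients", 0) for x in e),
            # A gap in one source is reported, not dropped, so the analyst sees an incomplete chain.
            "missing": [name for name, hit in (("signin", s), ("exchange", e)) if not hit],
        })
    return findings
```
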

2026-05-30

Red Canary: detecting Entra Agent ID privilege escalation — credential injection into agent blueprints enables lateral movement across the entire tenant

notable · research · discovered 2026-05-30 05:00 UTC · single-source

Red Canary published a detection-engineering primer on 27 May 2026 on the AgentIdentityBlueprint.AddRemoveCreds.All role in Microsoft Entra's new Agent ID identity class — autonomous app identities that act in a tenant without human interaction (Red Canary, 2026-05-27). A misconfigured or adversary-controlled agent identity holding this role can add client secrets to any agent blueprint, then authenticate as any agent identity in the tenant — including high-privilege ones — after legitimate credential rotation. The full privilege-escalation chain: agent app → malicious role assignment (AgentIdentityBlueprint.AddRemoveCreds.All) → credential injection into target blueprint → authenticate as high-privilege agent → pivot to all downstream resources that blueprint can access. Relevant log sources: AuditLogs — look for "Update application – Certificates and secrets management" with a non-human InitiatedBy.app.servicePrincipalId; MicrosoftGraphActivityLogs — Graph API calls from agent service principals with unusual IP and UserAgent fields; AADServicePrincipalSignInLogs — filter on Agent.agentType: agenticAppInstance. Correlation: match SignInActivityId from Graph logs to UniqueTokenIdentifier in sign-in logs to reconstruct credential-add-to-authentication chains. MITRE ATT&CK: T1098 (Account Manipulation), T1078.004 (Valid Accounts: Cloud Accounts). Swiss public-sector M365 deployments adopting AI agents via Copilot Studio or Azure AI Foundry should establish baselines for each agent identity's API scope and alert on credential additions to blueprints by any identity other than the provisioning pipeline. [SINGLE-SOURCE]

identity cloud ai-abuse global
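
A sketch of the credential-add-to-authentication reconstruction this entry describes, added here as an example (not Red Canary's or this page's own code). The operation name, InitiatedBy.app.servicePrincipalId, Agent.agentType, SignInActivityId and UniqueTokenIdentifier come from the entry; TargetBlueprintId, BlueprintId, the allowlist, the 24-hour window and all sample records are hypothetical.

```python
from datetime import datetime, timedelta

CRED_OP = "Update application – Certificates and secrets management"  # operation name as given in the entry
PROVISIONING_SPS = {"sp-pipeline"}  # assumption: allowlisted provisioning-pipeline service principal

# Constructed sample records. TargetBlueprintId / BlueprintId are hypothetical
# join fields; map them to whatever identifies the blueprint in your export.
AUDIT_LOGS = [
    {"TimeGenerated": "2026-05-27T10:00:00", "OperationName": CRED_OP, "TargetBlueprintId": "bp-high",
     "InitiatedBy": {"app": {"servicePrincipalId": "sp-agent-low"}}},
    {"TimeGenerated": "2026-05-27T09:00:00", "OperationName": CRED_OP, "TargetBlueprintId": "bp-other",
     "InitiatedBy": {"app": {"servicePrincipalId": "sp-pipeline"}}},
    {"TimeGenerated": "2026-05-27T08:00:00", "OperationName": CRED_OP, "TargetBlueprintId": "bp-high",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test"}}},
    {"TimeGenerated": "2026-05-27T11:00:00", "OperationName": CRED_OP, "TargetBlueprintId": "bp-idle",
     "InitiatedBy": {"app": {"servicePrincipalId": "sp-agent-low"}}},
]
SP_SIGNINS = [  # AADServicePrincipalSignInLogs
    {"TimeGenerated": "2026-05-27T09:30:00", "BlueprintId": "bp-high", "UniqueTokenIdentifier": "tok-0",
     "Agent": {"agentType": "agenticAppInstance"}},
    {"TimeGenerated": "2026-05-27T10:05:00", "BlueprintId": "bp-high", "UniqueTokenIdentifier": "tok-1",
     "Agent": {"agentType": "agenticAppInstance"}},
]
GRAPH_LOGS = [  # MicrosoftGraphActivityLogs
    {"SignInActivityId": "tok-0", "RequestUri": "/v1.0/me"},
    {"SignInActivityId": "tok-1", "RequestUri": "/v1.0/users"},
    {"SignInActivityId": "tok-1", "RequestUri": "/v1.0/groups"},
]

def credential_add_chains(audit, signins, graph, window=timedelta(hours=24)):
    """One finding per non-pipeline, app-initiated credential add, with the sign-ins that follow it."""
    findings = []
    for a in audit:
        actor = ((a.get("InitiatedBy") or {}).get("app") or {}).get("servicePrincipalId")
        if a.get("OperationName") != CRED_OP or not actor or actor in PROVISIONING_SPS:
            continue  # not a credential change, human-initiated, or the allowlisted pipeline
        t0 = datetime.fromisoformat(a["TimeGenerated"])
        sessions = []
        for s in signins:
            ts = datetime.fromisoformat(s["TimeGenerated"])
            if (s.get("BlueprintId") == a["TargetBlueprintId"] and t0 <= ts <= t0 + window
                    and (s.get("Agent") or {}).get("agentType") == "agenticAppInstance"):
                token = s["UniqueTokenIdentifier"]
                # Graph SignInActivityId == sign-in UniqueTokenIdentifier ties API calls to the session
                calls = [g["RequestUri"] for g in graph if g.get("SignInActivityId") == token]
                sessions.append({"token": token, "graph_calls": calls})
        # A credential add with no sign-in yet is still reported (empty sessions list).
        findings.append({"actor": actor, "blueprint": a["TargetBlueprintId"], "sessions": sessions})
    return findings
```
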

2026-05-25

AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole

notable · synthesis · discovered 2026-05-25 05:00 UTC

Five separate daily items this week, each minor on its own, line up into the most important emerging pattern of the window: AI products are now simultaneously a lure brand, an attack surface, and an offensive force-multiplier. As a lure: ACR Stealer was distributed through counterfeit Claude AI download pages promoted by malicious search ads (2026-05-26), and a cryptojacking campaign used AI-chatbot search-result poisoning to steer victims to GPU-utility lookalikes that dropped ScreenConnect and process-hollowed miners under a signed Microsoft binary (2026-05-28). As an attack surface: LLMShare malvertising hid fake outage pages inside ChatGPT share links to serve infostealers (2026-05-30); ChatGPhish abused the ChatGPT Markdown renderer's trust of third-party image URLs and links for IP exfiltration and phishing from legitimate chatgpt.com (2026-05-30); and Red Canary detailed Entra Agent ID privilege escalation, injecting credentials into agent blueprints for tenant-wide lateral movement (2026-05-30). As a force-multiplier: Sysdig TRT documented the first observed LLM-agent-driven post-exploitation, moving from a Marimo-notebook RCE (CVE-2026-39987) to internal-database exfiltration in four pivots in under an hour (2026-05-30).

The synthesis for a public-sector SOC: treat AI-brand download and search results as a live malvertising vector (block lookalike domains, prefer vendor-canonical download paths); scope DLP and egress controls to LLM rendering and share endpoints; and govern non-human agent identities (Entra Agent IDs, service-principal-equivalent AI agents) with the same conditional-access and credential-hygiene controls applied to service principals.

ai-abuse phishing infostealer identity cloud global