As organizations rush to plug AI agents into Microsoft Entra, the company's identity platform, security teams are facing a new kind of actor in their logs: software agents that can take actions on a real person's behalf, including sending email. Researchers at Red Canary have walked through how that capability could be abused, and, just as importantly, how defenders can investigate it.
Microsoft's Entra Agent ID lets an AI assistant operate through what is called an on behalf of (OBO) flow. After a user consents, an assistive agent, such as a support or research helper running in a chat interface, can act using a blend of its own permissions and the roles assigned to that user. Microsoft caps what agents can be granted, so the most dangerous permissions are off limits, but that does not mean an agent cannot be steered, or hijacked, into doing something harmful within the access it does have.
The scenario
Red Canary's Matt Graeber lays out a case where an agent identity sends an email with invoice in the subject line to an outside address, the kind of message that, in a real intrusion, could signal business email compromise or data theft. The catch is that, at first glance, the activity is logged under the human user the agent was acting for, which can mislead an investigation about who actually did what, and from where.
Why it matters for defenders
The core lesson is that AI agent activity does not fit neatly into the human user or the traditional service account buckets that detection rules are usually built around. Telling a complete and accurate story requires stitching together several Microsoft log sources: the Purview Exchange audit log that records the email being sent, the Microsoft Graph activity log that reveals the true originating IP address behind the request, and the non interactive sign in logs that confirm an agent was operating on behalf of a user. Microsoft does not flag the authentication type outright, so analysts have to infer it from subtle fields, such as whether the sign in is marked as an agentic app instance.
What you should do
Teams adopting Entra agents should make sure these log sources are being collected and retained, and build detections that can tell apart autonomous agents, agents impersonating a user, and agents acting on a user's behalf. Treat an agent sending external email, registering credentials, or touching mailboxes as activity worth reviewing, and tightly govern which agents users are allowed to grant access to in the first place. As agent adoption grows, the ability to recognize and reconstruct this behavior is becoming a core detection skill, especially as attackers already abuse trusted collaboration channels through IT helpdesk phishing over Microsoft Teams.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.