AI-Powered Application Penetration Testing—Scale Security Without Compromise Learn More

bishopfox-logo-grey
Get Started
Otto Support - The Confused Deputy

Otto Support - The Confused Deputy

By:

Share

TL;DR: A confused deputy attack lands when an agent reads attacker-controlled content, like a ticket comment, an email, or a calendar invite, and dutifully follows the instructions hidden inside, using its own privileges instead of the attacker's. The recent EchoLeak, ConfusedPilot, and Copilot calendar incidents show what that looks like at enterprise scale, and this blog walks through the layered controls that keep an agent from being weaponized against its own user.

In the previous blog on our otto-support CTF challenge, we talked about SSRF and token passthrough vulnerabilities. Our next topic focuses on the confused deputy. This vulnerability works as mirror image: the agent is working correctly, executing tools the user authorized, against a target the user owns, except the instructions it is following came from an attacker who slipped them into a support ticket, an email body, or a calendar invite. The agent's privileges become the attacker's privileges, with the user's name on every audit log entry. Microsoft Copilot, ConfusedPilot, and a string of 2026 incidents have made this attack class concrete, and otto-support reproduces it.

This blog covers the mechanics, the case studies, and the layered mitigations that make the attack survivable.

What is Confused Deputy?

An artificial intelligence agent with tool access reads attacker-controlled content, such as a support ticket that embeds action directives. The agent executes those directives using its own privileges when using the data by creating privileged tokens or exporting data and exfiltrating results. The ability to communicate with the MCP server directly compounds this risk, since an attacker can also bypass the AI layer entirely and issue privileged commands without any generative AI involved.

Case Studies

  • January 2026 - An agent processes a malicious Google Calendar invite, interprets attacker-controlled instructions embedded in the invite, and uses its access to private meeting data to expose information and create deceptive calendar activity on the user’s behalf.
  • January 14, 2026 - A user clicks a legitimate Microsoft link, and Microsoft Copilot is manipulated into silently accessing and exfiltrating sensitive personal data using Copilot’s own privileges, rather than the attacker directly querying the protected sources.
  • June 2025 - A crafted email is sent to a Microsoft 365 Copilot user, and Copilot processes the attacker-controlled content, uses its own enterprise access to retrieve confidential information, and exfiltrates that data without direct attacker access to the underlying resources and minimal user interaction.
  • August 9, 2024 - An agent monitors a distribution list, receives a malicious prompt via email, and sends confidential data, accessed via MCP, back to the distribution list sender using an email response. This occurred in the security issue dubbed “ConfusedPilot.”

Exploitation

Once again, you’ll find answers in our otto-support capture the flag (CTF)! We will demonstrate the Confused Deputy scenario to show how generative AI may be confused in multi-turn and multi-session interactions.

In the video, we create a new user account and perform reconnaissance. We identify a series of four local services that were exposed to us with various endpoints, as well as some metrics on the ticket ID range used for the service’s support tickets. We also identify that our account should have been limited to read and write access for our own tickets, but in fact has write access to other users’ tickets. This allows us to poison other tickets with traditional Insecure Direct Object Reference (IDOR) attacks, appending additional user notes to tickets submitted by other customers. However, we must do so without directly communicating our intent, which would likely trigger protective guardrails.

We then identify a metadata service for otto-support's signer service, which exposes sensitive keys that allow for privilege escalation into a support-agent role, ultimately compromising other otto-support customer accounts.

Throughout the process, we utilize a combination of techniques to deceive and coerce the large language model into performing actions that it had correctly identified as malicious or unauthorized behavior.

There are, of course, other ways about this, such as taking advantage of the ability to communicate directly with the MCP server and bypass the generative AI layer entirely or by using other data modification means in the system to poison the workflows.

Mitigations

Confused deputy mitigations are not perfect and are best layered in depth. While we may be able to instruct the LLM to separate data from instructions using a combination of prompting and markup, the result is not guaranteed to honor the instruction. We can go further and restrict the actions by having per-task tool registrations available to individual agents and not provisioning all tools to one agent. Tools within the same task realm should have least privilege where read-only operations have limited write, or destructive, capabilities without a human in the loop. Finally, implementing network egress controls that only allow approved destinations can further ensure that the data stays where it is supposed to be.

This combination of mitigations will help reduce the impact of a realized confused deputy scenario.

Conclusion

Confused deputy attacks show how quickly trust breaks down when agents are allowed to act on untrusted inputs with real authority. The tools are functioning as designed, the permissions are valid, and the actions are authorized, yet the outcome is still compromise because the source of instruction is no longer trustworthy. In otto-support, this plays out through poisoned workflows and privilege escalation paths, but the same pattern is already emerging across production AI systems.

In the next post, we’ll shift from misuse of authority to compromise of the ecosystem itself, exploring supply chain risks and how malicious tools, dependencies, and integrations can introduce vulnerabilities before an agent ever takes its first action.

Derek Rush BF Headshot

By Derek Rush

Managing Senior Consultant

Derek Rush, a Managing Senior Consultant, brings vast proficiency in application penetration testing and network penetration testing, both static and dynamic, to the table. With a wealth of experience, Derek has successfully performed dynamic testing for a range of high-profile clients in the healthcare, government, and logistics sectors.

His expertise is backed by a list of impressive certifications, including Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Practical Web Application Penetration Testing (PWAPT), eLearnSecurity Web Application Penetration Tester (eWPT), and eLearnSecurity Certified Professional Penetration Tester (eCPPT).

More by Derek Rush

Subscribe to our blog

Be first to learn about latest tools, advisories, and findings.

Recommended Posts

You might be interested in these related posts.

Technical Research Blog

Otto Support - SSRF and Token Passthrough with MCP

Otto Support - SSRF and Token Passthrough with MCP
SSRF and token passthrough are not new, but MCP servers are reintroducing them at scale. From a chained SSRF-to-RCE in mcp-atlassian to Microsoft's MarkItDown and OpenClaw, this post walks through three recent disclosures and the controls that actually prevent them.
Read Post
Technical Research Blog

Otto Support - Excessive Agency and Tool Privileges

Otto Support - Excessive Agency and Tool Privileges
AI agents connected to too many tools don't just create risk, they've already caused real damage. From deleted databases to mass-wiped mailboxes, excessive agency has a track record. This post breaks down what it looks like in practice and how role-aware tool registration can help contain it.
Read Post
Technical Research Blog

Otto Support – An MCP, Agentic-AI Security Challenge

Otto Support – An MCP, Agentic-AI Security Challenge
Bishop Fox built a vulnerable MCP-based customer support tool and turned it into a security challenge. Explore how AI agents interact with tools, escalate privileges, and expose sensitive data. If you work with AI systems, this CTF shows exactly how these architectures fail in the real world.
Read Post

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.