Copilot Agents Gain Real-Time Defender Checks

Microsoft Defender researchers describe webhook-based runtime inspections that monitor Microsoft Copilot Studio agents' tool invocations in real time to detect and block malicious or unintended actions. Defender evaluates invocation context, intent, and orchestration outputs before allowing execution, enabling security teams to stop prompt-injection exfiltration and enforce policies without altering agents' internal logic.
Key Points
- 1Describe webhook-based runtime inspections for Copilot Studio agents that evaluate each tool invocation context.
- 2Highlight risk where adversaries manipulate orchestrator plans via prompt injection to exfiltrate data or trigger actions.
- 3Enable security teams to block unsafe tool invocations in real time, improving observability and control.
Scoring Rationale
Official Microsoft Defender integration provides strong runtime security, limited mainly by focus on Copilot Studio and webhook-based checks.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
