Copilot Actions

Microsoft’s agentic automation framework.

What is Copilot Actions?

Copilot Actions is an umbrella term for Microsoft’s agentic automation framework, which enables Copilot to perform and orchestrate tasks across applications and services on behalf of users. 

Built on the Power Platform and integrated with Azure OpenAI, it serves as an extensible agent capable of invoking APIs, manipulating data, and executing complex workflows seamlessly within Microsoft 365 and third-party apps.

Unlike traditional assistants that only respond with suggestions, Copilot Actions can interpret user intent, invoke connectors, manage events, and automate sequences such as creating calendar invites, updating CRM records, or triggering tickets in IT service management systems. It relies on natural language understanding combined with service metadata to interact reliably with endpoints.

Copilot Actions in Edge
In Microsoft Edge, Actions in Edge lets Copilot navigate, click, scroll, and type in a browser tab to complete tasks. From a chat prompt, a user can ask Copilot to book reservations, edit a current page, or complete workflows. Copilot operates in the foreground or background tab using a cursor and keystrokes, and Edge warns that this preview feature can misinterpret instructions or be deceived by malicious content.

Copilot Web Actions (copilot.com)
Copilot Web Actions lets users start “Action” mode at copilot.com, where Copilot opens a cloud-hosted browser and performs tasks like booking tickets or ordering gifts across partner sites. Users see a live browser inside the Copilot UI, can pause or take control, and can replay.

Microsoft 365 Copilot Actions (Connectors and Flows)
In the enterprise, “actions for Microsoft 365 Copilot” are defined using Power Platform connectors, Power Automate flows, and Copilot Studio agents. These actions let Copilot read and update data in systems like Salesforce, ServiceNow, and internal APIs, triggered directly from a Copilot chat.

Characteristics
  • Can Act with Logged-in User Privileges

  • Cryptographically Verifiable

  • Persistent Cross-Session Memory

  • Capable of State-Changing Actions

  • Susceptible to Prompt-Injection

  • Network Traffic Appears Human

  • Cross-Tab/Cross-Domain Context

Technical Details

  • Developer: Microsoft
  • Type: Agentic Automation Framework
  • Trust Level: Low
  • Authentication: No
  • Robots.txt Compliance: No
  • User Agent: Inherits the user’s browser UA

Why is Copilot on my Website?

Copilot Actions shows up on your properties when users ask Copilot to “do it for me” instead of doing the work themselves. Microsoft’s consumer blog frames this as Copilot “taking real actions on your behalf across the web,” such as booking, ordering, and scheduling from a single prompt.

Typical scenarios include:

  • Booking and reservations: Asking Copilot to find and book restaurants, hotels, or activities on partner sites such as Booking.com, OpenTable, Expedia, or 1-800-Flowers
  • E-commerce: Having Copilot search, compare, and purchase items, including from non-partner sites via Actions in Edge or Web Actions
  • Form-based workflows: Registration, sign-up, or other repetitive flows where Copilot fills inputs and submits forms on behalf of the user
  • Multi-step browsing: Copilot navigating search results, product pages, and checkouts with little or no direct click-by-click involvement from the user

From a detection and governance perspective, this traffic looks like a real browser session or a legitimate API client, but the “driver” is an AI agent acting from a single user prompt.

What is the Business Impact of Copilot Actions?

Opportunities

If governed correctly, Copilot Actions can:

  • Make complex flows (bookings, registrations, comparisons) more accessible by letting users “speak the task” instead of clicking through every step
  • Increase agentic commerce opportunities, where Copilot becomes a purchasing interface that routes high-intent users to your site
  • Reduce friction for support-like journeys (finding policies, FAQs, product docs) that Copilot can navigate for the user

HUMAN’s analysis of agentic traffic patterns shows rapid growth in agent-driven commerce and workflow automation across the ecosystem, not just from a single provider. See: AI Agent Statistics and Agentic Commerce.

Risks

At the same time:

  • Actions in Edge and Web Actions are explicitly labeled as preview and can be misled by on-page instructions, misinterpret prompts, or behave unexpectedly
  • Connector-based actions in Microsoft 365 Copilot have already seen serious vulnerabilities that turned Copilot’s broad access into a data-exfiltration and OAuth-abuse surface, even though Microsoft has issued patches and mitigations
  • There is no signed HTTP identity for Copilot Actions traffic, so uncontrolled agentic sessions can blend with normal human sessions unless you actively classify and govern them

With AgenticTrust, you don’t have to pick between “full block” and “full trust.” You can allow Copilot Actions to help users with low-risk tasks, while strictly constraining what it can change.

Key Security Concerns for Copilot Actions

Copilot Actions bring powerful automation to both browsers and enterprise systems, but Microsoft’s own documentation and recent security research make clear that these capabilities are not yet fully robust and require careful governance. The primary risks include:

Prompt Injection and Manipulated Content

Microsoft explicitly warns that both Actions in Edge and Copilot Web Actions—the browser automation features—are susceptible to malicious on-page instructions and misinterpretation of user intent.
Support documentation states:

“Actions in Edge Preview may misinterpret your instructions, make significant mistakes, or be deceived by malicious instructions hidden on web pages. Always monitor its behavior closely.”

A nearly identical warning appears for Copilot Web Actions.

Browser-Session Privileges and Screenshot Exposure

Actions in Edge uses the user’s own Edge browser profile, giving Copilot access to:

  • Browsing session cookies
  • Signed-in sessions to your site
  • Everything visible in the active tab via screenshots

Microsoft notes that screenshots and interaction logs may be retained for up to 30 days (though not used for training).

Copilot Web Actions, which runs a live cloud browser visible inside Copilot, inherits similar privileges within its virtual session. This means Copilot can act with the user’s full authenticated context unless your site’s controls deliberately prevent it.

Connector Over-Permissioning and Enterprise Attack Surface

For enterprise tenants, Microsoft 365 Copilot Actions rely on Power Platform connectors and Copilot Studio agents. These agents can read and modify data in systems such as email, calendars, CRM, and internal APIs.

Two recent research efforts reveal that this surface is already being targeted:

EchoLeak (CVE-2025-32711)

A zero-click vulnerability discovered by Aim Security showed that Microsoft 365 Copilot could be manipulated via indirect prompt injection in email metadata to exfiltrate user data without any interaction.

CoPhish

Datadog Security Labs demonstrated how malicious or compromised Copilot Studio agents can steal OAuth tokens and gain unauthorized access to email, chat, calendar, and file systems under the victim’s privileges.

These findings underscore that the service-side action surface, not just the browser agent, is a meaningful security concern. Even patched exploits demonstrate that Copilot’s “action-taking” layer remains an attractive target for attackers.

No Signed Identity for Web Traffic

Unlike certain agents (e.g., ChatGPT Agent), Copilot Actions does not currently provide HTTP signatures or a cryptographically verifiable identity.

Traffic from Actions in Edge or Web Actions therefore appears as ordinary browser traffic, making UA-based or IP-based controls ineffective. Reliable governance requires behavioral classification and policy enforcement rather than static allowlisting.

How To Detect Copilot Actions

Because Copilot Actions does not present a unique, verifiable identity, detection must focus on behavior and context rather than static strings.

Note: While these behavioral and session-level indicators describe how AI agent traffic differs from human traffic, reliably detecting Copilot Actions in production is extremely challenging without dedicated agentic-automation detection. Traditional logs, WAFs, and manual analysis cannot distinguish these sessions at scale. HUMAN AgenticTrust applies purpose-built AI agent detection to classify this traffic accurately and enforce policy in real time.

Browser-Like Automation

Actions in Edge and Web Actions both use full browser instances and interact the same way a person would: via mouse clicks, scrolling, and typing. That means:

  • Requests look like a genuine Edge/Chromium user in protocol and TLS
  • There may be subtle fingerprints tied to helper scripts, extension behavior, or tab usage, but nothing as simple as a bot UA

HUMAN’s research on AI agent signals shows that even agentic traffic built on top of traditional automation libraries still leaves detectable patterns in navigation rhythm, mouse movement, and DOM-level artifacts.

Session and Path Patterns

On your properties, Copilot-driven sessions are more likely to show:

  • Highly structured multi-step sequences (search → product pages → checkout) executed with relatively consistent timing
  • Repeated attempts at the same flows when a prompt is retried
  • A small number of users generating disproportionately dense browsing or transaction attempts
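
The three session patterns above can be computed from ordinary access logs as a triage heuristic. The sketch below is an added example, not HUMAN's or Microsoft's code. The event tuples are constructed, the thresholds are assumptions, and a match marks a session for review rather than identifying Copilot.

```python
from statistics import mean, pstdev

# Constructed sample events: (session id, seconds since first request, path).
SAMPLE_EVENTS = [
    ("s1", 0.0, "/search?q=hotel"), ("s1", 4.0, "/product/17"),
    ("s1", 8.5, "/cart"), ("s1", 12.0, "/checkout"),
    ("s1", 16.0, "/search?q=hotel"), ("s1", 20.5, "/product/17"),
    ("s1", 24.0, "/cart"), ("s1", 28.0, "/checkout"),
    ("s2", 0.0, "/search?q=hotel"), ("s2", 31.0, "/product/17"),
    ("s2", 36.0, "/product/9"), ("s2", 140.0, "/cart"),
    ("s2", 152.0, "/checkout"),
]

# Assumed thresholds for illustration; tune against your own baseline traffic.
MAX_TIMING_CV = 0.25      # gap stddev / gap mean below this = "consistent timing"
MAX_REQ_PER_MIN = 10.0    # above this = "dense" session
MIN_EVENTS = 4            # too few requests says nothing about rhythm

def stage(path):
    """First path segment, used as a coarse funnel stage."""
    return path.split("?")[0].strip("/").split("/")[0]

def session_signals(events):
    """Return {session: [signal names]} for the three patterns listed above."""
    sessions = {}
    for sid, t, path in events:
        sessions.setdefault(sid, []).append((t, stage(path)))
    result = {}
    for sid, rows in sessions.items():
        rows.sort()
        signals = []
        if len(rows) >= MIN_EVENTS:
            gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MAX_TIMING_CV:
                signals.append("consistent_timing")
            # A flow that returns to its first stage after progressing was retried.
            first = rows[0][1]
            if any(b[1] == first and a[1] != first for a, b in zip(rows, rows[1:])):
                signals.append("repeated_flow")
            minutes = (rows[-1][0] - rows[0][0]) / 60
            if minutes > 0 and len(rows) / minutes > MAX_REQ_PER_MIN:
                signals.append("dense_requests")
        result[sid] = signals
    return result
```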

Connector and API Behavior

Where Copilot Actions use connectors to hit your APIs (for example via Microsoft 365 Copilot), you will see:

  • Calls from Microsoft-owned IP ranges or service principals
  • Repeated, structured queries characteristic of agentic workflows
  • Potential overuse when actions are configured too broadly

Should I Block Copilot Actions?

Copilot Actions is useful to your customers, but it is not a trusted, signed agent. Treat it as powerful, unverified automation that acts with real user privileges. The goal is to allow beneficial activity while protecting critical systems.

Classification First

Treat Copilot Actions traffic as AI agent sessions:

  • Browser-based Actions: classify as agentic automation in a real browser
  • Connector-based Actions: classify by source (Microsoft 365 Copilot, connectors, or Copilot Studio agents) where visible

Granular Permission Management

Control what Copilot-driven agents can do, instead of making a single allow/block decision.

For Copilot Actions hitting your web properties, a typical pattern is:

  • Allow “Content & Products” so Copilot can browse public pages, product listings, and marketing content
  • Consider allowing “Engage” and “Account Creation” if you want Copilot to help users sign up or start low-risk flows
  • Default to Deny for “Login,” “Change Account,” and “Checkout” unless you explicitly want Copilot to execute authenticated or transactional actions on your behalf

Rate Limiting

Because Copilot Actions compress many steps into short time windows, set per-agent rate limits:

  • Define a maximum number of requests per minute per session for Copilot-like agents
  • Apply stricter thresholds to routes that are sensitive to volume (search, cart operations, inventory checks, or quote calculations)

AgenticTrust enforces these ceilings at runtime, preventing a single user delegation from becoming a load or abuse problem.

Behavioral Visibility

Monitor Copilot traffic to understand:

  • Top routes targeted by Copilot-driven sessions
  • Distribution of sensitive activities attempted (for example, login or checkout attempts)
  • Ratios of allowed vs blocked sessions over time

Real-Time Enforcement

Block sessions when Copilot Actions attempts activities outside the permissions you have granted:

  • If an agent attempts a Login operation and you have not allowed Login for that agent, the session is blocked
  • If it attempts Checkout with only Content & Products permitted, the session is blocked
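
The permission, rate-limit and enforcement rules described in the last three sections can be expressed as one per-session policy check. This is an added example, not AgenticTrust's implementation. It assumes sessions were already classified as agentic upstream, and the route names and request ceilings are hypothetical.

```python
from collections import defaultdict, deque

# Hypothetical mapping of a site's first path segment to the page's activity names.
ROUTE_ACTIVITY = {"login": "Login", "account": "Change Account",
                  "checkout": "Checkout", "signup": "Account Creation",
                  "reviews": "Engage"}
DEFAULT_ACTIVITY = "Content & Products"
# Permissions granted to agent sessions; everything else is denied by default.
ALLOWED = {"Content & Products", "Engage", "Account Creation"}
# Assumed per-session requests/minute; stricter on volume-sensitive routes.
ROUTE_LIMITS = {"search": 10, "cart": 5}
DEFAULT_LIMIT = 30
WINDOW_SECONDS = 60

class AgentSessionPolicy:
    def __init__(self, allowed=ALLOWED):
        self.allowed = set(allowed)
        self.hits = defaultdict(deque)  # (session, route bucket) -> request times
        self.blocked = set()

    @staticmethod
    def segment(path):
        return path.split("?")[0].strip("/").split("/")[0]

    def activity(self, path):
        return ROUTE_ACTIVITY.get(self.segment(path), DEFAULT_ACTIVITY)

    def decide(self, session, path, now):
        """Return 'allow', 'throttle' or 'block' for one agent-session request."""
        if session in self.blocked:
            return "block"
        if self.activity(path) not in self.allowed:
            self.blocked.add(session)  # out-of-permission attempt ends the session
            return "block"
        seg = self.segment(path)
        bucket = seg if seg in ROUTE_LIMITS else "*"
        limit = ROUTE_LIMITS.get(bucket, DEFAULT_LIMIT)
        window = self.hits[(session, bucket)]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # drop requests older than the sliding window
        if len(window) >= limit:
            return "throttle"
        window.append(now)
        return "allow"
```

Throttled requests do not end the session, but a single denied activity does, matching the blocking behaviour described above.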

Build Trust in the Agentic Era

AI agents are already reshaping how users browse and buy. With AgenticTrust, you see every agentic session, govern what each agent can do, and protect critical flows without blocking legitimate user intent.

See. Govern. Grow.

Ready to manage Copilot Actions on your terms? Request a demo to learn how AgenticTrust turns agent activity into trusted engagement.
