Copilot Studio - ASCII smuggling / invisible-Unicode injection
Copilot Studio Ascii Smuggling Injection
Query
AppEvents
| where Name == "BotMessageReceived"
| extend
ConvId = tostring(Properties["conversationId"]),
ChannelId = tostring(Properties["channelId"]),
Prompt = tostring(Properties["text"])
| where isnotempty(Prompt)
| extend
TagChars = array_length(extract_all(@"([\x{E0000}-\x{E007F}])", Prompt)),
ZeroWidth = array_length(extract_all(@"([\x{200B}-\x{200D}\x{FEFF}\x{2060}])", Prompt)),
BidiOverride = array_length(extract_all(@"([\x{202A}-\x{202E}\x{2066}-\x{2069}])", Prompt))
| where TagChars > 0 or ZeroWidth >= 3 or BidiOverride > 0
| extend Signal = case(
TagChars > 0, "UnicodeTagSmuggling",
BidiOverride > 0, "BidiOverride",
"ZeroWidthObfuscation")
| extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
| project
TimeGenerated, Signal, AccountName, ConvId, ChannelId,
TagChars, ZeroWidth, BidiOverride,
Prompt = substring(Prompt, 0, 1024), SessionId, ClientIP, AppVersion
| order by TimeGenerated descExplanation
This query is designed to detect potentially malicious messages sent to a system called Copilot Studio. It specifically looks for hidden or invisible characters in user messages that could indicate an ASCII smuggling or hidden-instruction attack. These attacks use special Unicode characters to hide instructions that users cannot see, potentially bypassing security measures.
Here's a simple breakdown of what the query does:
-
Data Source: It analyzes incoming messages (events) received by the bot, specifically looking at the text content of these messages.
-
Character Detection: The query checks for three types of suspicious characters:
- Unicode Tag Characters: Characters used to encode hidden ASCII instructions.
- Zero-Width Characters: Characters that don't render visibly but can be used to hide information.
- Bidirectional Override Characters: Characters that can change the text direction, potentially hiding instructions.
-
Alert Conditions: An alert is raised if:
- There are any Unicode Tag Characters.
- There are three or more Zero-Width Characters.
- There are any Bidirectional Override Characters.
-
Signal Identification: The type of suspicious activity is identified and labeled as either "UnicodeTagSmuggling," "BidiOverride," or "ZeroWidthObfuscation."
-
Incident Creation: If any suspicious activity is detected, an incident is created with details about the message, including the time it was generated, the type of signal detected, the account name, and other relevant information.
-
Grouping and Management: Incidents are grouped by account to manage them effectively, and the system is set to create a single alert for each incident.
Overall, this query helps in identifying and responding to potential security threats by detecting hidden instructions in user messages that could be used for malicious purposes.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: PT1H