Query Details

Copilot Studio - ASCII smuggling / invisible-Unicode injection

Copilot Studio Ascii Smuggling Injection

Query

AppEvents
| where Name == "BotMessageReceived"
| extend
    ConvId    = tostring(Properties["conversationId"]),
    ChannelId = tostring(Properties["channelId"]),
    Prompt    = tostring(Properties["text"])
| where isnotempty(Prompt)
| extend
    TagChars     = array_length(extract_all(@"([\x{E0000}-\x{E007F}])", Prompt)),
    ZeroWidth    = array_length(extract_all(@"([\x{200B}-\x{200D}\x{FEFF}\x{2060}])", Prompt)),
    BidiOverride = array_length(extract_all(@"([\x{202A}-\x{202E}\x{2066}-\x{2069}])", Prompt))
| where TagChars > 0 or ZeroWidth >= 3 or BidiOverride > 0
| extend Signal = case(
    TagChars > 0,     "UnicodeTagSmuggling",
    BidiOverride > 0, "BidiOverride",
    "ZeroWidthObfuscation")
| extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
| project
    TimeGenerated, Signal, AccountName, ConvId, ChannelId,
    TagChars, ZeroWidth, BidiOverride,
    Prompt = substring(Prompt, 0, 1024), SessionId, ClientIP, AppVersion
| order by TimeGenerated desc

Explanation

This query is designed to detect potentially malicious messages sent to a system called Copilot Studio. It specifically looks for hidden or invisible characters in user messages that could indicate an ASCII smuggling or hidden-instruction attack. These attacks use special Unicode characters to hide instructions that users cannot see, potentially bypassing security measures.

Here's a simple breakdown of what the query does:

  1. Data Source: It analyzes incoming messages (events) received by the bot, specifically looking at the text content of these messages.

  2. Character Detection: The query checks for three types of suspicious characters:

    • Unicode Tag Characters: Characters used to encode hidden ASCII instructions.
    • Zero-Width Characters: Characters that don't render visibly but can be used to hide information.
    • Bidirectional Override Characters: Characters that can change the text direction, potentially hiding instructions.
  3. Alert Conditions: An alert is raised if:

    • There are any Unicode Tag Characters.
    • There are three or more Zero-Width Characters.
    • There are any Bidirectional Override Characters.
  4. Signal Identification: The type of suspicious activity is identified and labeled as either "UnicodeTagSmuggling," "BidiOverride," or "ZeroWidthObfuscation."

  5. Incident Creation: If any suspicious activity is detected, an incident is created with details about the message, including the time it was generated, the type of signal detected, the account name, and other relevant information.

  6. Grouping and Management: Incidents are grouped by account to manage them effectively, and the system is set to create a single alert for each incident.

Overall, this query helps in identifying and responding to potential security threats by detecting hidden instructions in user messages that could be used for malicious purposes.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppEvents

Keywords

AppEventsDevicesUserAccountIPClientIPAppVersionSessionIdChannelIdConvIdPromptUnicodeTagSmugglingBidiOverrideZeroWidthObfuscation

Operators

AppEventswhereextendtostringisnotemptyarray_lengthextract_allcaseiffisemptyprojectsubstringorder bydesc

Severity

Medium

Tactics

DefenseEvasionInitialAccess

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub