Query Details
id: a1b2c3d4-1014-4a11-9c01-0123456789b4
name: Copilot Studio - ASCII smuggling / invisible-Unicode injection
description: |
  Raises an incident when an inbound Copilot Studio user message contains
  invisible / non-rendering Unicode that is the hallmark of an ASCII
  smuggling or hidden-instruction attack: characters from the Unicode Tags
  block (U+E0000-U+E007F, used to encode hidden ASCII instructions),
  zero-width characters (U+200B-U+200D, U+FEFF, U+2060), or bidirectional
  overrides (U+202A-U+202E, U+2066-U+2069). These let an attacker pass
  instructions the user cannot see, to bypass guardrails or smuggle
  indirect prompt injection through copied content. Mirrors the Defender
  for Cloud "ASCII Smuggling prompt injection detected" alert.
  Reads inbound turns from AppEvents (Name == "BotMessageReceived") with
  the prompt text in Properties.text (requires "Log sensitive properties"
  on the agent's Application Insights settings).
severity: Medium
requiredDataConnectors:
  - connectorId: ApplicationInsights
    dataTypes:
      - AppEvents
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
  - DefenseEvasion
  - InitialAccess
relevantTechniques:
  - T1027
  - T1566
query: |
  AppEvents
  | where Name == "BotMessageReceived"
  | extend
      ConvId = tostring(Properties["conversationId"]),
      ChannelId = tostring(Properties["channelId"]),
      Prompt = tostring(Properties["text"])
  | where isnotempty(Prompt)
  // extract_all() returns null (not an empty array) when nothing matches, so each
  // count is coalesced to 0; otherwise the projected counters show as empty.
  | extend
      TagChars = coalesce(array_length(extract_all(@"([\x{E0000}-\x{E007F}])", Prompt)), 0),
      ZeroWidth = coalesce(array_length(extract_all(@"([\x{200B}-\x{200D}\x{FEFF}\x{2060}])", Prompt)), 0),
      BidiOverride = coalesce(array_length(extract_all(@"([\x{202A}-\x{202E}\x{2066}-\x{2069}])", Prompt)), 0)
  // A single zero-width character is common in legitimately pasted text; require 3+.
  | where TagChars > 0 or ZeroWidth >= 3 or BidiOverride > 0
  | extend Signal = case(
      TagChars > 0, "UnicodeTagSmuggling",
      BidiOverride > 0, "BidiOverride",
      "ZeroWidthObfuscation")
  | extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
  | project
      TimeGenerated, Signal, AccountName, ConvId, ChannelId,
      TagChars, ZeroWidth, BidiOverride,
      Prompt = substring(Prompt, 0, 1024), SessionId, ClientIP, AppVersion
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ClientIP
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
  - Sentinel-As-Code
  - Custom
  - CopilotStudio
  - AI
  - AsciiSmuggling
  - IndirectInjection
This query detects potentially malicious messages sent to a Copilot Studio agent. It looks for hidden or invisible Unicode characters in user messages that indicate an ASCII smuggling or hidden-instruction attack: characters that carry instructions the user cannot see, which can bypass guardrails or carry indirect prompt injection in pasted content.
Here's a simple breakdown of what the query does:
Data Source: It reads inbound bot turns from the AppEvents table (Name == "BotMessageReceived") and takes the prompt text from Properties.text, which is only logged when "Log sensitive properties" is enabled on the agent's Application Insights settings.
Character Detection: The query counts three classes of suspicious characters in each prompt:
- Unicode Tags block characters (U+E0000-U+E007F), used to encode hidden ASCII instructions.
- Zero-width characters (U+200B-U+200D, U+FEFF, U+2060).
- Bidirectional overrides (U+202A-U+202E, U+2066-U+2069).
Alert Conditions: An alert is raised if any of the following holds:
- at least one Tags-block character is present;
- three or more zero-width characters are present (a single one is tolerated, since it is common in legitimately pasted text);
- at least one bidirectional override is present.
Signal Identification: Each hit is labeled, in order of precedence, as "UnicodeTagSmuggling," "BidiOverride," or "ZeroWidthObfuscation."
Incident Creation: Each match is projected with the time it was generated, the signal type, the account name (or "unknown-agent" when no user ID is logged), the conversation and channel IDs, the three character counts, the first 1024 characters of the prompt, and the session ID, client IP and app version.
Grouping and Management: Matches are emitted as a single alert per run, and resulting incidents are grouped by the Account entity over a six-hour lookback so repeated attempts from the same user land in one incident.
Overall, this query helps identify and respond to hidden instructions in user messages that could be used to subvert the agent.
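As an added local illustration (not part of the rule or the page's own code), the following Python reimplements the three character checks and the Signal precedence from the query, and adds two triage helpers the KQL does not have: decoding a Tags-block payload back to readable ASCII, and stripping the invisible classes as a mitigation. The sample message is constructed, not real telemetry.

```python
import re

# Same three character classes the KQL rule matches, as Python regexes.
TAG_RE = re.compile("[\U000E0000-\U000E007F]")             # Unicode Tags block
ZERO_WIDTH_RE = re.compile("[\u200B-\u200D\uFEFF\u2060]")  # zero-width / joiners / BOM
BIDI_RE = re.compile("[\u202A-\u202E\u2066-\u2069]")       # bidi embeddings, overrides, isolates
ZERO_WIDTH_THRESHOLD = 3  # the rule only alerts on zero-width chars at >= 3


def classify(prompt):
    """Mirror the rule's where/case logic: return (Signal, counts) or None when no alert fires."""
    counts = {
        "TagChars": len(TAG_RE.findall(prompt)),
        "ZeroWidth": len(ZERO_WIDTH_RE.findall(prompt)),
        "BidiOverride": len(BIDI_RE.findall(prompt)),
    }
    fires = (counts["TagChars"] > 0 or counts["ZeroWidth"] >= ZERO_WIDTH_THRESHOLD
             or counts["BidiOverride"] > 0)
    if not fires:
        return None
    if counts["TagChars"] > 0:          # same precedence as the KQL case()
        signal = "UnicodeTagSmuggling"
    elif counts["BidiOverride"] > 0:
        signal = "BidiOverride"
    else:
        signal = "ZeroWidthObfuscation"
    return signal, counts


def reveal_tag_payload(prompt):
    """Triage helper: decode Tags-block characters back to the printable ASCII they carry
    (code point minus U+E0000), so the analyst can read what the user never saw."""
    decoded = (ord(c) - 0xE0000 for c in TAG_RE.findall(prompt))
    return "".join(chr(cp) for cp in decoded if 0x20 <= cp < 0x7F)


def strip_invisible(prompt):
    """Mitigation helper: drop all three classes before the text reaches the model."""
    return BIDI_RE.sub("", ZERO_WIDTH_RE.sub("", TAG_RE.sub("", prompt)))


# Constructed fixture: a benign visible request with a harmless tag-encoded string appended.
SAMPLE_TAG = "Please summarise this page" + "".join(chr(0xE0000 + ord(c)) for c in "hidden text")

if __name__ == "__main__":
    for msg in (SAMPLE_TAG, "a\u200bb\u200bc\u200bd", "file\u202Etxt.exe", "plain message"):
        print(classify(msg), repr(reveal_tag_payload(msg)))
```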

David Alonso
Released: June 8, 2026