The Next 3–6 Months: Where Threat Actors Will Move Faster Than Defenders
Everyone’s hunting “AI attacks.” Meanwhile the ugly money is still in trusted pages, stolen sessions, and users politely pasting the command for them.
Three intrusion sets already excel at getting users to approve tools and auth flows. This assessment is probabilistic: it highlights who is best positioned to adapt that tradecraft to MCP-style environments next.
🤖🔒 AI agents = privileged integrations you can’t see. After GTG-1002 + vendors pushing agent access standards, the next shoe drops: do regulators/hyperscalers force default-on signed connectors + audit logs (aka “regulated C2”)?
Your new “AI helper” is basically shadow IT with hands 🤖🧨
Your “AI coworker” isn’t the breach. The OAuth trust event is. 🔥🕵️
Device-code phishing + consent traps = “approve to exfil.” (And yes, AI agents are already being used as the wrapper.)
Deepfake BEC = the same old fraud… with a way better script. 🎭💸
If payroll/AP changes can happen on “sounds right,” you’re funding someone’s Q1 bonus.
Phishing got a low-code upgrade. 🤖🔑
Copilot Studio links can look “safe” because they’re hosted where users expect… then the OAuth consent click does the rest. 🧯
We’re forecasting the first publicly confirmed Copilot Studio → OAuth → M365 data breach by 12/31/26 (56%).