·6m read time·1,076 words·
$ share

The friction was the feature: Microsoft just handed an agent your inbox

At Build 2026 Microsoft made Windows the agent platform: OpenClaw in the OS, and Work IQ giving agents your email and calendar, on by default, GA June 16. An agent that reads your inbox and acts on your files is the dream payload for prompt injection. The friction everyone wants gone was a safety feature.

securityAI

Last month an LLM agent broke into a database on its own, four pivots, under an hour, nobody at the keyboard. That was an attacker's agent.

This month, at Build 2026, Microsoft announced it is putting an agent on your side of the wall instead. Native in the operating system. With access to your email.

Hold those two facts next to each other for a second.

What they actually shipped

Microsoft used Build to turn Windows into an agent platform, not a place where agents visit, the place where they live.

The headline pieces:

  • OpenClaw runs natively in Windows. Peter Steinberger's open agent framework, the thing that controls apps, browses the web, and manages files autonomously, now runs as a first-class citizen on the OS with a companion app to set up your own.
  • Intelligent Terminal. Your terminal gets an agent pane. A failed command surfaces context and suggested fixes from your connected agent, right there.
  • Work IQ. This is the one. A context layer that gives agents access to your Microsoft 365 data, explicitly including "emails and meetings." Generally available 16 June.
  • Unmetered. The whole thing is pitched as removing the cost barrier to experimentation. Frictionless. On by default.

Read that list as a developer and it sounds great. Read it as an attacker and it reads like a wish list.

Credit where it's due

Microsoft did not ship this naked. The containment story is real, and better than most.

Agents run inside Microsoft Execution Containers, a policy-driven sandbox with process isolation, session isolation that walls the agent off from your clipboard and input devices, and a micro-VM tier on the roadmap for high-risk work. Agents get their own identities through Entra, so every action is attributed to the agent and you can tell human from machine in the logs. Defender claims real-time protection against prompt injection.

That is a serious amount of engineering, and it is more than the vibe-coding platforms leaking credentials by the thousand ever bothered with. I am not pretending it is nothing.

But look at what all of it actually controls.

Isolation answers the wrong question

Every one of those controls answers the same question: where does the agent run, and what is it allowed to touch?

None of them answers the question that matters with an agent that reads your email: who is it taking orders from?

This is the whole game with indirect prompt injection. The agent is trusted. It runs with your permissions. And then it reads a document, a web page, a calendar invite, an email, and that content contains instructions. The agent cannot tell the difference between "data my user wants me to process" and "commands an attacker hid in the data." To the model, it is all just text in the context window.

An agent that reads your inbox and can act on your filesystem is the textbook target. The attacker does not need your password. They do not need a CVE. They need to send you an email that your helpful agent will dutifully read, with a few lines buried in it that the agent treats as a job.

Microsoft's own security blog mentions prompt injection exactly once, as something Defender handles. It spends paragraphs on isolation, data loss prevention, and agent inventory. It does not address the case where trusted agent meets untrusted content and gets steered by it. That is not a footnote. That is the front door.

It is the confused deputy problem, decades old, wearing a new hat. The agent has all your authority. The attacker has the agent's ear. Sandboxing the deputy does not help when the deputy is the one you told to read the mail.

Frictionless was the safety feature

Here is the part that should bother you most.

Everything Microsoft is proud of removing, the metering, the prompts, the manual confirmation, the cost ceiling that made you think twice, was doing security work whether anyone called it that or not.

Friction is a brake. Every "are you sure?" is a checkpoint where a human might notice something is off. Every per-token cost is a reason the agent does not just churn through your entire inbox on a whim. "Unmetered and on by default" means the brakes are gone and the engine starts itself.

And "on by default," across a Windows install base, means the blast radius is no longer one curious developer's machine. It is every desktop in your organisation. The trust boundary just moved from "is this binary allowed to execute" to "can this agent be talked into something by a message in someone's inbox," and almost nobody deploying this on 16 June has renegotiated that boundary on purpose.

What to actually do

You are probably getting this whether you asked for it or not. So treat it like what it is: a new privileged identity on every machine.

  • Scope agent identities like service accounts. Entra gives every agent its own identity. Use it. Least privilege, narrow scopes, no standing access to anything an agent does not strictly need. An agent is not a person and should not inherit a person's blanket permissions.
  • Never let one agent both read untrusted content and hold write or exec on anything that matters. That combination is the vulnerability. Read-only agents for inbox and web. Acting agents on a tight, audited leash. Keep them apart.
  • Audit the Work IQ rollout before the 16th, not after. Decide which agents get inbox and calendar access, for whom, on purpose. The default is not a decision, it is the absence of one.
  • Log agent actions as their own class. Entra lets you tell human from agent. Pipe that into your monitoring and alert on agent behaviour the way the Sysdig responders caught machine-shaped activity: speed, fan-out, actions no human would take.
  • Assume any content an agent reads is attacker-controlled. Email, web, shared docs, invites. If the agent can be reached by something an outsider can send, treat that channel as hostile by default.

Two stories landed in the same window. In one, nobody was driving the attacker. In the other, nobody is driving the thing now sitting on your own desktop. Both run on trust we handed over without quite deciding to.

The friction we are all so glad to be rid of was the part where we stopped to think. Microsoft just took it out and called it progress.

// related

Nobody was driving: the first breach run by an agent, not a person

Sysdig caught an LLM agent driving a full intrusion, CVE to exfiltrated database, four pivots, under an hour, with no human typing a single command. Our defences assume someone is on the other end. That assumption just expired.

They just asked the bot nicely: your support agent is the attack surface

Pro-Iran hackers seized the Obama White House and US Space Force Instagram accounts by talking Meta's AI support bot into resetting passwords. No exploit, no CVE. Just a conversation with a system that cannot be suspicious.

ThePrimeagen was right

He warned that AI tools atrophy your critical judgment. Then his followers ran a poisoned command from a tweet without reading it. He was right.