degamad 2 hours ago
> Only if it has access to exfiltrate data.

Or if it has access to a tool call which allows it to exfiltrate data. In the example identified, the AI agent never accesses the exfiltration URL. The agent sends an innocuous-looking message to a user via a Teams message. MSTeams previews the link, accessing the exfiltration URL.
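
Added example, not part of the thread: because the fetch is made by the chat client's link preview rather than by the agent, one mitigation is to filter the agent's outbound messages and defang any link whose host is not explicitly allowed. The allowlist, host names and function names below are hypothetical, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts the agent may link to in chat messages.
ALLOWED_HOSTS = {"intranet.example.com", "docs.example.com"}

# Anything that a chat client is likely to recognise as a clickable link.
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def link_host(url):
    """Return the normalised hostname of url, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.lower().rstrip(".") if host else None


def defang(url):
    """Rewrite a URL so it is no longer recognised (and previewed) as a link."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def sanitize_outbound(message, allowed=ALLOWED_HOSTS):
    """Return (safe_message, blocked_urls) for a message the agent wants to send.

    The decision is made on the parsed hostname, not on a substring match,
    so an allowed name placed in the userinfo part does not pass the check.
    Path and query are ignored: either can carry data to an unknown host.
    """
    blocked = []

    def replace(match):
        url = match.group(0)
        if link_host(url) in allowed:
            return url
        blocked.append(url)
        return defang(url)

    return URL_RE.sub(replace, message), blocked


if __name__ == "__main__":
    # Constructed sample message.
    msg = ("Summary is ready: https://docs.example.com/q3 "
           "details at https://docs.example.com@collector.example.net/p?d=secret")
    safe, blocked = sanitize_outbound(msg)
    print(safe)
    print("blocked:", blocked)
```

The blocked list is worth logging: a message containing a link to an unlisted host with data in its path or query is a detection signal in its own right.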