Researchers discover multiple zero-day flaws enabling identity spoofing attacks that hijack AI agents across enterprise messaging platforms.
At its recent developer conference, Microsoft introduced an AI-powered personal assistant built on the open-source OpenClaw framework.
Now, newly disclosed security flaws that could enable attackers to take control of AI agents operating across enterprise messaging platforms raise concerns about the underlying technology.
The AI personal assistant, Scout, is positioned as an “Autopilot”-style digital coworker designed to function continuously with a persistent identity across Microsoft 365 services. According to reporting from TechCrunch and Bloomberg, it is designed to appear within corporate systems such as email and calendars as if it were a human colleague, signaling a shift toward more embedded AI agents in enterprise workflows.
On 3 June 2026, researchers disclosed multiple zero-day flaws that allow attackers to bypass trust controls by exploiting how the framework handles identity resolution across various platforms such as Microsoft Teams and Slack. The issue stems from the reliance on mutable display names, which are mapped to stable user IDs during initialization. By changing a display name to match a trusted identity prior to a service restart, an attacker can impersonate authorized users and gain control over agent interactions.
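The display-name weakness described above can be modeled in a few lines. This is an added example, not code from OpenClaw or from the researchers: the directory snapshots are constructed, every function and variable name is hypothetical, and pinning trust to stable IDs is a general mitigation assumed here, not a fix reported in the disclosure.

```python
# Added illustration; every name here is hypothetical, not OpenClaw code.
# Constructed directory snapshots: stable user ID -> current display name.
DIRECTORY_BEFORE = {"U100": "Alice Admin", "U200": "Mallory"}
# The same directory after U200 changes their display name before a restart.
DIRECTORY_AFTER = {"U100": "Alice Admin", "U200": "Alice Admin"}

TRUSTED_NAMES = ["Alice Admin"]  # weak: trust written as mutable display names
TRUSTED_IDS = {"U100"}           # hardened: trust written as immutable user IDs


def resolve_by_name(trusted_names, directory):
    """Weak pattern: at startup, map each trusted display name to user IDs."""
    wanted = {name.casefold() for name in trusted_names}
    return {uid for uid, name in directory.items() if name.casefold() in wanted}


def audit_name_collisions(trusted_ids, directory):
    """Detection: untrusted IDs whose display name equals a trusted user's."""
    trusted_names = {directory[uid].casefold()
                     for uid in trusted_ids if uid in directory}
    return sorted(uid for uid, name in directory.items()
                  if uid not in trusted_ids and name.casefold() in trusted_names)


def load_allowlist(trusted_ids, directory):
    """Hardened startup: pinned IDs are authoritative; look-alikes are reported."""
    return set(trusted_ids), audit_name_collisions(trusted_ids, directory)


if __name__ == "__main__":
    for label, directory in (("before rename", DIRECTORY_BEFORE),
                             ("after rename", DIRECTORY_AFTER)):
        weak = sorted(resolve_by_name(TRUSTED_NAMES, directory))
        allowed, alerts = load_allowlist(TRUSTED_IDS, directory)
        print(f"{label}: name-based={weak} id-pinned={sorted(allowed)} alerts={alerts}")
```

The name-based allowlist grows to include the renamed account after the simulated restart, while the ID-pinned allowlist is unchanged and the collision audit flags the look-alike account for review.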
These findings add to a growing list of vulnerabilities identified in OpenClaw since early 2026. Previously disclosed issues include a one-click remote code execution flaw (CVE-2026-25253), an access control weakness enabling administrative takeover (CVE-2026-33579), and multiple sandbox escape and privilege escalation bugs. Other cybersecurity researchers have also warned that the framework lacks robust separation between untrusted inputs and privileged operations, increasing the risk of exploitation.
Microsoft’s adoption of OpenClaw reflects the framework’s rapid rise in the developer community, where it has gained significant traction on GitHub. However, the decision also exposes enterprise users to the framework’s expanding attack surface. While Microsoft has layered Scout with governance controls, the security maturity of the underlying open-source stack remains a critical consideration for organizations evaluating deployment.


