Billing Can Be Bypassed Using a Combo of Subagents with an Agent Definition

Microsoft Copilot’s recent billing bypass illustrates how flexible agent architectures can be weaponized. Researchers demonstrated that a conversation started with a free model—GPT‑5 Mini—can create a subagent whose definition points to an expensive model such as Opus 4.5. Because the platform only tallies the cost of the initial request, the premium model runs unchecked, delivering full‑fledged responses while the user’s account remains untouched. The exploit also leverages tool‑calling loops, allowing a single prompt to spawn a cascade of premium subagents that operate for hours without additional charges.

For enterprise customers and Microsoft alike, the flaw threatens both revenue and trust. Copilot’s pricing model relies on accurate metering of premium token usage; a loophole that lets users bypass fees undermines the economic rationale for premium tiers and could incentivize large‑scale abuse. Moreover, the issue exposes a broader architectural weakness: reliance on client‑side metadata—such as message types and agent configurations—to enforce entitlement. When the backend trusts these fields, malicious actors can craft payloads that appear legitimate while secretly draining costly resources.

Mitigating the problem requires moving entitlement enforcement to the server. Every inference, whether triggered directly or via a subagent, should be billed based on the resolved model at dispatch time. Treating tool calls like agent/runSubagent as first‑class billable operations, imposing server‑side caps on per‑session requests, and validating agent definitions against entitlement policies will close the loophole. Implementing automated regression tests that verify premium usage increments for subagent calls will further safeguard against future regressions, ensuring Copilot’s pricing remains fair and its platform secure.