Microsoft Edge Debuts Actions Preview: Safe Agentic Browsing Takes Center Stage

Microsoft Edge has introduced a significant experimental feature called Actions in Edge—a new agentic browser capability—as detailed October 23, 2025 by Andrew Ritz, Vice President of Microsoft Edge Security, on the official Windows blog. This opt-in preview enables Computer-Using Agent (CUA) models to perform complex web tasks automatically, with a sharp focus on keeping users safe from new attack vectors that arise from these advanced AI-driven tools.​

Actions Preview: AI Meets Browsing Automation

Microsoft is exploring uncharted territory with its agentic browser features in Edge, giving users a taste of automation powered by modern AI models. Actions in Edge, released as a limited public preview, lets Copilot handle multi-step tasks—from routine form fills to orchestrating bookings and email management with a single command. This transformation marks a major step towards browsers that actively help users, not just display content.​

Security Concerns: Tackling Prompt Injection Attacks

A major worry with powerful agentic browsers is the risk of prompt injection—a technique where attackers manipulate AI assistants to perform unauthorized actions. Microsoft’s blog highlights proof-of-concept exploits already demonstrated in agentic environments, underscoring genuine potential for harm if safeguards are bypassed. As a result, Edge’s Actions preview has implemented defense-in-depth strategies: treating all untrusted input as unsafe, detecting and blocking unexpected AI behavior, and limiting access to sensitive data and browsing actions.​

Layers of Mitigation and User Control

To shield users, Edge deploys multiple protections:

1. Site Restrictions: Actions can only interact with curated, approved sites by default (Balanced Mode). Strict Mode gives users granular control over every site Copilot interacts with.

2. SmartScreen Protection: Microsoft’s SmartScreen system blocks scams and malware in real time, and prevents Copilot from bypassing unsafe pages.

3. Azure Prompt Shields & Safety Stack: Advanced models analyze data for jailbreaking attempts and malicious payloads, and Copilot is rigorously trained to flag and refuse harmful content.

4. Spotlighting & Task Tracker (In Testing): Cutting-edge research like Spotlighting and Paverd’s Task Tracker separates user intent from online data, minimizing the risk of hidden instructions or AI drift from user tasks.​

   

Practical Restrictions for Safe Browsing

Edge’s agentic features intentionally disable functions with high risk:

1. Blocking access to form fill data and passwords

2. No interaction with browser settings, external apps, or downloads

3. Context menu and audio muted by default

4. Strict blocking of site permission changes (i.e., for camera or sensitive access)

These boundaries ensure that even if an attack bypasses upstream measures, user safety is preserved at the browser level.​

Collaboration and User Feedback

Recognizing the complexity and novelty of agentic browsing, Microsoft actively invites researchers and security professionals to provide feedback and test scenarios through established channels, such as Discord. Rapid blocklist updates and evolving detection models will adapt to new threats as they emerge, keeping protection current and responsive.​

The experimental Actions feature in Edge points to a future where AI not only automates web workflows, but does so with safety and transparency at the core. Users are urged to review risks when enabling the preview and stay engaged with Microsoft’s ongoing transparency efforts.