allowlisting breaks once the agent has messaging tools. you can deny all outbound from the agent, but if it can post to teams or slack or email, link previews will fetch whatever URL the injection puts in. messaging is usually the first tool anyone adds to an enterprise agent so you end up with strict network controls that don't actually prevent anything.
Or if it has access to a tool call which allows it to exfiltrate data.
In the example identified, the AI agent never accesses the exfiltration URL.
The agent sends an innocuous-looking message to a user via a Teams message.
MS Teams previews the link, accessing the exfiltration URL.
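One mitigation for the link-preview path discussed in this thread, as an added example that is not from either commenter: filter agent-authored messages before they reach the messaging tool, and defang any URL whose host is not on an allowlist so the client has nothing to preview. `ALLOWED_HOSTS`, `filter_outbound` and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the organisation permits in agent-authored messages.
ALLOWED_HOSTS = {"intranet.example.com", "docs.example.com"}

# http(s) URLs only; stops at whitespace, brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>()\[\]\"']+", re.IGNORECASE)


def host_allowed(url):
    """True only if the URL's real host is exactly on the allowlist."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    # Reject userinfo such as https://docs.example.com@other.host/ outright.
    if parts.username or parts.password:
        return False
    return host in ALLOWED_HOSTS


def defang(url):
    """Rewrite a URL so chat clients no longer treat it as a link."""
    return ("hxxp" + url[4:]).replace("://", "[:]//", 1).replace(".", "[.]")


def filter_outbound(message):
    """Return (safe_message, blocked_urls) for an agent-authored message."""
    blocked = []

    def repl(match):
        url = match.group(0)
        if host_allowed(url):
            return url
        blocked.append(url)  # keep for logging and alerting
        return defang(url)

    return URL_RE.sub(repl, message), blocked


if __name__ == "__main__":
    # Constructed sample: one permitted link, one carrying data in its query.
    msg = ("Report ready: https://docs.example.com/q3 "
           "details at https://collector.invalid/p?d=c2VjcmV0")
    print(filter_outbound(msg))
```

This only covers explicit `http(s)://` URLs; clients that auto-link bare domains need the same check applied to those, or link previews disabled for the agent's account.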