Microsoft Copilot flaws turned prompt injection into zero-click data theft
Researchers reported that vulnerabilities in Microsoft 365 Copilot and Consumer Copilot allowed attackers to turn prompt injection into data exfiltration, memory poisoning, and persistent compromise. Microsoft assigned CVE-2026-24299 to the main issue set and rolled out fixes across late 2025 and early 2026, while a related Microsoft Excel flaw, CVE-2026-26144, showed how a conventional application bug could be chained with Copilot Agent mode to silently extract spreadsheet data. In the Copilot attacks, malicious content abused HTML preview rendering to leak sensitive information through external requests, first with CSS background images and later with @font-face, and researchers said users could be coerced into triggering the preview during normal interaction, creating a near zero-click exfiltration path.
The research also showed that Copilot’s memory features could be poisoned to add or delete stored facts and implant persistent instructions that altered future sessions, enabling a backdoor dubbed SpAIware that continued leaking secrets over time. Similar issues were described in consumer Copilot, including durable-memory manipulation and browser-navigation exfiltration through Edge-integrated tooling. The findings underscore a broader security shift: AI assistants can collapse trust boundaries inside host applications, raising the impact of older flaws and forcing defenders to reassess assistant permissions, restrict outbound network access from AI-enabled apps, and separately monitor AI-initiated network activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Research details zero-click Copilot exfiltration and persistent 'SpAIware' backdoor
A public writeup described how inline HTML preview rendering, CSS or @font-face requests, and memory poisoning could be combined to exfiltrate data and persist malicious instructions in Copilot. The researcher demonstrated a persistent compromise dubbed 'SpAIware' that could silently leak secrets from future Copilot sessions.
Analysis warns AI agents turn traditional bugs into higher-impact flaws
A Dark Reading analysis argued that AI assistants embedded in applications collapse trust boundaries and can magnify the impact of ordinary software vulnerabilities. Using Excel CVE-2026-26144 as an example, it warned that AI-enabled applications require reprioritized vulnerability assessment and stronger controls.
Microsoft patches Excel XSS flaw CVE-2026-26144
Microsoft patched CVE-2026-26144, an Excel cross-site scripting flaw, on March 10, 2026. Later analysis argued the bug's impact was amplified when chained with Copilot Agent mode to enable silent spreadsheet data exfiltration.
Microsoft completes additional Copilot fixes for CVE-2026-24299
Microsoft released another major round of fixes for the Copilot vulnerability chain on March 5, 2026. The patched behaviors related to prompt-injection abuse, HTML preview exfiltration techniques, and other issues tied to CVE-2026-24299.
Microsoft ships initial Copilot fixes
Microsoft implemented early fixes for parts of the Copilot issue chain in December 2025, beginning remediation of the reported behaviors affecting Copilot environments. These fixes addressed elements of the exploitation paths described by the researcher.
Researcher reports Microsoft 365/Consumer Copilot issues to Microsoft
A researcher disclosed a set of prompt-injection-driven Microsoft Copilot vulnerabilities to Microsoft in 2025, covering data exfiltration, memory poisoning, and persistent compromise scenarios across Microsoft 365 Copilot and Consumer Copilot. Microsoft later tracked the main issue set as CVE-2026-24299.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Copilot Security and Deployment Controversies
New reporting highlighted a **prompt-injection phishing risk** in Microsoft Copilot after Permiso researchers found that attacker-controlled text embedded in emails could manipulate Copilot-generated summaries through cross-prompt injection attacks. The issue could cause Copilot to present deceptive security alerts or malicious instructions inside a trusted Microsoft 365 interface, increasing the likelihood that users will believe and act on attacker content. Separate coverage also noted broader security and privacy concerns around Microsoft’s AI ecosystem, including criticism of Windows Recall for capturing and storing snapshots of user activity that Copilot can analyze, even after Microsoft added stronger protections following earlier backlash. Microsoft also faced continued scrutiny over how aggressively it is pushing Copilot into user environments. The company temporarily halted plans to **automatically install the Microsoft 365 Copilot app** on eligible Windows systems outside the EEA, though existing installations remain in place and administrators can still deploy it manually. Public criticism of Copilot’s quality and Microsoft’s AI strategy also spilled into the company’s Discord community, where moderation actions against users mocking “Microslop” drew further attention to dissatisfaction with rushed AI integration, privacy concerns, and the perception that Microsoft is forcing AI features into products despite unresolved trust and security issues.
Mar 21, 2026
Novel Attacks Exploit Microsoft Copilot and Copilot Studio for Data Theft and OAuth Token Compromise
Security researchers have identified two distinct attack techniques targeting Microsoft's AI-powered platforms. The first, dubbed **CoPhish**, leverages Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests through legitimate Microsoft domains, enabling attackers to steal OAuth tokens. By customizing Copilot Studio chatbots and exploiting the platform's "demo website" feature, attackers can trick users into authenticating with malicious applications, potentially granting unauthorized access to sensitive resources. Microsoft has acknowledged the issue and is working on product updates to mitigate the risk, emphasizing the need for organizations to strengthen governance and consent processes. Separately, a vulnerability in Microsoft 365 Copilot was discovered that allowed attackers to use indirect prompt injection via Mermaid diagrams to exfiltrate sensitive tenant data, such as emails. By embedding malicious instructions in seemingly benign prompts, attackers could manipulate Copilot to retrieve and encode confidential information. Although Microsoft has since patched this flaw, the incident highlights the emerging risks associated with integrating AI assistants and third-party tools, as well as the challenges in securing complex, automated workflows within enterprise environments.
Mar 21, 2026
Microsoft Copilot Security Research: Prompt-Injection Phishing Risk and Copilot Studio Audit-Logging Gaps
Security researchers reported two distinct Microsoft Copilot-related risks: (1) **cross prompt injection** against *Microsoft Copilot* email summarization surfaces that can cause attacker-supplied text in an email to be treated like instructions, shaping the summary into a convincing in-product “security alert” and creating a phishing path that does not rely on attachments or macros; and (2) **audit-logging gaps in Microsoft Copilot Studio** where certain administrative actions for Copilot Studio agents (e.g., around sharing, authentication, logging, and publication) were not consistently recorded in Microsoft 365’s Unified Audit Log, potentially reducing defenders’ ability to detect malicious or unauthorized agent changes. Permiso described how Copilot’s behavior varies across Outlook’s inline *Summarize* experience, the Outlook Copilot pane/add-in, and Teams-based summarization, with the core risk being **trust transfer**—users may treat Copilot output as system-generated even when it is attacker-influenced—and warned that retrieval across Microsoft 365 (Teams/OneDrive/SharePoint) could amplify impact if chained. Datadog Security Labs stated it reported Copilot Studio logging issues to **MSRC**, that Microsoft remediated logging for the affected events by **October 5, 2025**, and that Datadog later observed a **regression** where some events again failed to log consistently, which it also reported to Microsoft.
Mar 21, 2026