Microsoft 365 Copilot Vulnerability Exposes Users to Cross-Prompt Injection Attacks
Researchers at Permiso Security uncovered a critical cross-prompt injection vulnerability (CVE-2026-26133) in Microsoft 365 Copilot’s email summarization feature, allowing attackers to manipulate AI-generated outputs for phishing and data exfiltration. The flaw, disclosed in January 2026, was patched by Microsoft between February and March 2026.
The vulnerability exploits cross-prompt injection attacks (XPIA), where malicious instructions embedded in an email are treated as executable commands by Copilot’s large language model (LLM). Attackers craft emails containing hidden prompts that steer Copilot’s summaries to include attacker-controlled content such as fake security alerts without requiring traditional exploit methods like macros or attachments. The attack leverages trust transfer, where users inherently trust AI-generated summaries, bypassing skepticism typically applied to raw email content.
Permiso’s testing revealed varying susceptibility across Copilot’s interfaces:
- Outlook Summarize Button: Occasionally leaked injected commands when emails contained natural padding.
- Outlook Copilot Pane: Generally cautious but still vulnerable under specific conditions.
- Teams Copilot: Consistently produced attacker-shaped summaries, embedding malicious links or exfiltrating internal data (e.g., Teams messages, SharePoint files) via seemingly legitimate prompts.
The flaw mirrors CVE-2025-32711 (EchoLeak), where hidden email prompts triggered Copilot to exfiltrate data via crafted image URLs, underscoring XPIA as a repeatable threat vector. Microsoft’s patch, fully deployed by March 11, 2026, mitigates the issue, but organizations were advised to restrict Copilot’s data access, enforce Purview sensitivity labels, and monitor activity logs for unusual retrieval patterns. The discovery highlights the security risks of integrating AI assistants into trusted workflows without robust boundary controls.
Source: https://cybersecuritynews.com/microsoft-copilot-summarization-vulnerability/
Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security
"id": "MIC1773325442",
"linkid": "microsoft-security",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Microsoft 365 Copilot users',
'industry': 'Software & Cloud Services',
'location': 'Global',
'name': 'Microsoft',
'size': 'Enterprise',
'type': 'Technology Corporation'}],
'attack_vector': 'Malicious instructions embedded in emails',
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': 'Potentially sensitive business data',
'type_of_data_compromised': ['Internal communications',
'SharePoint files',
'Teams messages']},
'date_detected': '2026-01',
'date_publicly_disclosed': '2026-01',
'date_resolved': '2026-03-11',
'description': 'Researchers at Permiso Security uncovered a critical '
'cross-prompt injection vulnerability (CVE-2026-26133) in '
'Microsoft 365 Copilot’s email summarization feature, allowing '
'attackers to manipulate AI-generated outputs for phishing and '
'data exfiltration. The flaw exploits cross-prompt injection '
'attacks (XPIA), where malicious instructions embedded in an '
'email are treated as executable commands by Copilot’s large '
'language model (LLM). Attackers craft emails containing '
'hidden prompts that steer Copilot’s summaries to include '
'attacker-controlled content such as fake security alerts, '
'leveraging trust transfer to bypass user skepticism.',
'impact': {'brand_reputation_impact': 'Risk of eroded user trust in '
'AI-generated outputs',
'data_compromised': 'Internal data (e.g., Teams messages, '
'SharePoint files)',
'operational_impact': 'Potential unauthorized data access and '
'exfiltration via AI-generated summaries',
'systems_affected': ['Microsoft 365 Copilot', 'Outlook', 'Teams']},
'investigation_status': 'Resolved',
'lessons_learned': 'Highlights security risks of integrating AI assistants '
'into trusted workflows without robust boundary controls. '
'Demonstrates the repeatability of cross-prompt injection '
'attacks (XPIA) as a threat vector.',
'motivation': ['Phishing', 'Data exfiltration'],
'post_incident_analysis': {'corrective_actions': ['Patch deployment',
'Data access restrictions',
'Sensitivity label '
'enforcement'],
'root_causes': 'Lack of robust boundary controls '
'in AI assistant integration, trust '
'transfer in AI-generated outputs'},
'recommendations': ['Restrict Copilot’s data access',
'Enforce Purview sensitivity labels',
'Monitor activity logs for unusual retrieval patterns'],
'references': [{'source': 'Permiso Security'},
{'source': 'CVE-2026-26133'},
{'source': 'CVE-2025-32711 (EchoLeak)'}],
'response': {'communication_strategy': 'Advisories to organizations to '
'monitor activity logs for unusual '
'retrieval patterns',
'containment_measures': 'Microsoft deployed patches between '
'February and March 2026',
'enhanced_monitoring': 'Monitoring for unusual retrieval '
'patterns in activity logs',
'remediation_measures': ['Patch for CVE-2026-26133',
'Restrict Copilot’s data access',
'Enforce Purview sensitivity labels'],
'third_party_assistance': 'Permiso Security (vulnerability '
'discovery)'},
'stakeholder_advisories': 'Organizations advised to restrict Copilot’s data '
'access and monitor logs',
'title': 'Microsoft 365 Copilot Vulnerability Exposes Users to Cross-Prompt '
'Injection Attacks',
'type': 'Cross-Prompt Injection Attack (XPIA)',
'vulnerability_exploited': 'CVE-2026-26133'}