Prompt Injection Vulnerabilities in Microsoft Copilot Studio AI Agents
Security researchers demonstrated that Microsoft Copilot Studio's no-code AI agent platform is susceptible to prompt injection attacks, allowing unauthorized access to sensitive business data. By leveraging the platform's ease of use, even non-technical employees can create AI agents that integrate with critical business systems such as SharePoint, Outlook, and Teams. In controlled tests, researchers were able to extract customer credit card information and manipulate booking systems to create fraudulent transactions, such as booking a $0 vacation, by issuing carefully crafted prompts to the AI agents.
The core risk arises from the democratization of AI agent creation, which, while boosting productivity, also increases the attack surface for organizations. The lack of technical safeguards and the inherent vulnerabilities of large language models (LLMs) make it easy for attackers or even well-meaning users to bypass intended security controls. Experts warn that these agentic tools, if not properly secured, can lead to significant data exposure and workflow hijacking, underscoring the urgent need for robust security practices and oversight when deploying AI-powered automation in business environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Tenable publishes guidance for securing no-code AI agents
Alongside the findings, Tenable recommended that organizations inventory agent-enabled tools, restrict data access and write permissions, and monitor agent activity to reduce abuse and shadow AI risk.
Research reveals data leakage and unauthorized booking changes
The researchers demonstrated that compromised agents could retrieve multiple customer records including credit card information and alter booking prices to $0, highlighting risks of financial loss and data exposure from agentic AI workflows.
Tenable demonstrates prompt injection risks in Microsoft Copilot Studio
Tenable AI Research showed that Microsoft Copilot Studio's no-code agents could be manipulated through simple prompt injection to bypass instructions, expose sensitive customer data, and perform unauthorized actions in a mock travel-agent scenario.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Security Risks in AI Coding Assistants: Prompt Injection and Dependency Hijacking
Security researchers have identified significant risks in AI-powered coding assistants, including Microsoft's Copilot and Claude Code, stemming from both prompt injection vulnerabilities and the potential for dependency hijacking via third-party plugins. In the case of Copilot, a security engineer disclosed several issues such as prompt injection leading to system prompt leaks, file upload policy bypasses using base64 encoding, and command execution within Copilot's isolated environment. Microsoft, however, has dismissed these findings as limitations of AI rather than true security vulnerabilities, sparking debate within the security community about the definition and handling of such risks. Separately, analysis of Claude Code highlights the dangers of plugin marketplaces, where third-party 'skills' can be enabled to automate tasks like dependency management. A technical review demonstrated how a seemingly benign plugin could redirect dependency installations to attacker-controlled sources, resulting in the silent introduction of trojanized libraries into development environments. These risks are compounded by the persistent nature of enabled plugins, which can continue to influence agent behavior and potentially compromise projects over time, underscoring the need for greater scrutiny and security controls in AI development tools.
Mar 21, 2026
Prompt Injection Attacks and Security Challenges in AI Systems
Prompt injection has emerged as a critical security concern in the deployment of large language models (LLMs) and AI agents, with attackers exploiting the way these systems interpret and execute instructions. Security researchers have drawn parallels between prompt injection and earlier vulnerabilities like SQL injection, highlighting its potential to undermine the intended behavior of AI models. Prompt injection involves manipulating the input prompts to override or bypass the system-level instructions set by developers, leading to unauthorized actions or data leakage. The attack surface is broad, as LLMs are increasingly integrated into applications and workflows, making them attractive targets for adversaries. Multiple organizations, including OpenAI, Microsoft, and Anthropic, have initiated efforts to address prompt injection, but the problem remains unsolved due to the complexity and adaptability of AI models. Real-world demonstrations have shown that prompt injection can be used to break out of agentic applications, bypass browser security rules, and even persistently compromise AI systems through mechanisms like memory manipulation. Security conferences such as BlackHat USA 2024 have featured research on exploiting AI-powered tools like Microsoft 365 Copilot, where attackers can escalate privileges or exfiltrate data by crafting malicious prompts or leveraging markdown image vectors. Researchers have also identified that AI agents can be tricked into ignoring browser security policies, such as CORS, leading to potential cross-origin data leaks. Defensive measures, such as intentionally limiting AI capabilities or implementing stricter input filtering, have been adopted by some vendors, but these often come at the cost of reduced functionality. The security community is actively developing standards, such as the OWASP Agent Observability Standard, to improve monitoring and detection of prompt injection attempts. Despite these efforts, adversaries continue to find novel ways to exploit prompt injection, including dynamic manipulation of tool descriptions and bypassing image filtering mechanisms. The rapid evolution of AI technologies and the proliferation of agentic applications have made it challenging to keep pace with emerging threats. Security researchers emphasize the need for ongoing vigilance, robust testing, and collaboration across the industry to mitigate the risks associated with prompt injection. The use of AI in sensitive environments, such as enterprise productivity suites and web browsers, amplifies the potential impact of successful attacks. As AI adoption accelerates, organizations must prioritize understanding and defending against prompt injection to safeguard their systems and data. The ongoing research and public disclosures serve as a call to action for both developers and defenders to address this evolving threat landscape.
Mar 21, 2026
Microsoft Copilot flaws turned prompt injection into zero-click data theft
Researchers reported that vulnerabilities in Microsoft 365 Copilot and Consumer Copilot allowed attackers to turn prompt injection into data exfiltration, memory poisoning, and persistent compromise. Microsoft assigned `CVE-2026-24299` to the main issue set and rolled out fixes across late 2025 and early 2026, while a related Microsoft Excel flaw, `CVE-2026-26144`, showed how a conventional application bug could be chained with Copilot Agent mode to silently extract spreadsheet data. In the Copilot attacks, malicious content abused HTML preview rendering to leak sensitive information through external requests, first with CSS background images and later with `@font-face`, and researchers said users could be coerced into triggering the preview during normal interaction, creating a near zero-click exfiltration path. The research also showed that Copilot’s memory features could be poisoned to add or delete stored facts and implant persistent instructions that altered future sessions, enabling a backdoor dubbed **SpAIware** that continued leaking secrets over time. Similar issues were described in consumer Copilot, including durable-memory manipulation and browser-navigation exfiltration through Edge-integrated tooling. The findings underscore a broader security shift: AI assistants can collapse trust boundaries inside host applications, raising the impact of older flaws and forcing defenders to reassess assistant permissions, restrict outbound network access from AI-enabled apps, and separately monitor AI-initiated network activity.
May 4, 2026