Security researchers reported two distinct Microsoft Copilot-related risks: (1) cross prompt injection against Microsoft Copilot email summarization surfaces that can cause attacker-supplied text in an email to be treated like instructions, shaping the summary into a convincing in-product “security alert” and creating a phishing path that does not rely on attachments or macros; and (2) audit-logging gaps in Microsoft Copilot Studio where certain administrative actions for Copilot Studio agents (e.g., around sharing, authentication, logging, and publication) were not consistently recorded in Microsoft 365’s Unified Audit Log, potentially reducing defenders’ ability to detect malicious or unauthorized agent changes.
Permiso described how Copilot’s behavior varies across Outlook’s inline Summarize experience, the Outlook Copilot pane/add-in, and Teams-based summarization, with the core risk being trust transfer—users may treat Copilot output as system-generated even when it is attacker-influenced—and warned that retrieval across Microsoft 365 (Teams/OneDrive/SharePoint) could amplify impact if chained. Datadog Security Labs stated it reported Copilot Studio logging issues to MSRC, that Microsoft remediated logging for the affected events by October 5, 2025, and that Datadog later observed a regression where some events again failed to log consistently, which it also reported to Microsoft.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-26133 was published and credited to Andi Ahmeti of Permiso Security, documenting the prompt injection issue in Microsoft Copilot email summarization after coordinated disclosure to Microsoft.
Microsoft completed rollout of mitigations for a cross prompt injection attack affecting Copilot email summarization, which could make Copilot display attacker-shaped phishing content inside trusted summary interfaces.
After the initial fix, Datadog later found that two events, BotAuthUpdate and BotAppInsightsUpdate, were again not logging consistently, while Microsoft's engineering team said it could not reproduce the anomalous behavior.
By early October 2025, Microsoft had implemented a remediation for the Copilot Studio logging problem, and Datadog initially confirmed that all four affected administrative events were being logged.
Datadog Security Labs reported to the Microsoft Security Response Center that Microsoft Copilot Studio was failing to generate certain documented administrative audit events in Microsoft 365's Unified Audit Log, creating visibility gaps for sensitive agent changes.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.