Researchers at Permiso Security disclosed a cross-prompt injection weakness in Microsoft 365 Copilot email/Teams summarization features, tracked as CVE-2026-26133, that could let attackers embed instruction-like text inside a normal email and influence Copilot’s generated summary. The reported impact is the ability to produce attacker-authored, convincing phishing content inside Copilot’s trusted summarization UI—without attachments, macros, or traditional exploit code—by exploiting a trust-boundary failure where the model treats untrusted email content as instructions. Microsoft confirmed the issue and rolled out mitigations and a patch across affected surfaces, crediting Andi Ahmeti for the discovery.
In parallel, Microsoft published operational guidance on detecting and responding to prompt abuse in AI tools, emphasizing that prompt injection/abuse is a leading LLM application risk (aligned with OWASP guidance) and that detection is difficult without strong logging and telemetry. The guidance describes common prompt-abuse patterns (including indirect prompt injection) and provides a practical playbook for investigation and response. A separate Praetorian post provides general AI security best practices (e.g., input validation, monitoring, and human oversight) but does not add incident-specific details about CVE-2026-26133.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
Microsoft released a security blog outlining detection and response practices for prompt abuse in AI applications, including indirect prompt injection. The guidance included a scenario where hidden instructions in a URL fragment could be ingested by an AI summarizer and distort outputs without code execution.
Permiso Security disclosed technical details showing that instruction-like text embedded in normal emails could manipulate Microsoft 365 Copilot summaries into presenting convincing phishing content. The research also found Teams Copilot particularly susceptible and warned that injected prompts could steer Copilot to include internal Microsoft 365 context in attacker-controlled links.
Microsoft publicly published CVE-2026-26133 and credited researcher Andi Ahmeti for the finding. Public disclosure described the flaw as a cross-prompt injection issue affecting Copilot email and Teams summarization behavior.
Microsoft finished patching the affected Microsoft 365 Copilot surfaces for the summarization vulnerability. This marked the completion of the mitigation rollout for the issue later published as CVE-2026-26133.
Microsoft started deploying mitigations for the Copilot summarization flaw across affected surfaces. The fixes targeted prompt-injection abuse that could manipulate summaries and potentially pull internal Microsoft 365 context into attacker-controlled content.
Microsoft confirmed a cross-prompt injection vulnerability affecting Microsoft 365 Copilot email summarization, later tracked as CVE-2026-26133. The issue allowed attacker-crafted email content to influence Copilot-generated summaries and phishing-style output.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.