AI & TechArtificial IntelligenceBigTech CompaniesCybersecurityNewswire

Critical Copilot flaw let hackers steal 2FA codes

June 17, 2026Last Updated: June 17, 2026
2 minutes read
CANADA - 2025/10/24: In this photo illustration, the Microsoft Copilot AI logo is seen displayed on a smartphone screen. (Photo Illustration by Thomas Fuller/SOPA Images/LightRocket via Getty Images)
Originally published on: June 16, 2026
▼ Summary

– Microsoft patched a max-critical vulnerability in its M365 Copilot AI platform, which researchers exploited to retrieve 2FA codes and sensitive data from emails.
– AI bots cannot distinguish user instructions from those hidden in third-party content, causing them to comply with malicious data requests.
– Hackers bypass LLM guardrails by using markup language or HTML tags to exfiltrate data via web requests captured on attacker servers.
– Microsoft’s guardrails include wrapping Copilot output in code blocks and restricting untrusted site access, but both can be overcome.
– Researchers used a Parameter-to-Prompt Injection, placing a malicious command in a URL query parameter instead of email content, to exploit the vulnerability.

Last Tuesday, Microsoft rolled out a patch for a critical vulnerability in its M365 Copilot AI platform, which it rated as maximum severity. On Monday, the security researchers who discovered and reported the flaw detailed how their proof-of-concept exploit could extract sensitive data, including two-factor authentication (2FA) codes, from emails accessible to Copilot.

The root of the problem is a fundamental weakness shared by Microsoft and other large language model (LLM) providers: their AI bots cannot reliably distinguish between legitimate user instructions and malicious commands hidden within third-party content. When Copilot summarizes, drafts responses, or performs actions on behalf of a user, it can be tricked into complying with requests that reveal confidential information. This inability to secure the boundary between user input and external content leaves companies like Microsoft building complex, ad-hoc guardrails to contain the consequences of an inherently gullible system.

One such guardrail prevents Copilot from submitting web forms, sending emails, or taking other actions that could exfiltrate data. To bypass this, attackers have turned to markup language, which allows formatting elements like headings, lists, and links without requiring HTML tags. Another common workaround involves wrapping sensitive data inside tags like `` or `

`. In both scenarios, a web request containing the stolen data is sent to an attacker’s server, where it is captured in logs.

Microsoft also wraps Copilot output in `` blocks, forcing the browser to treat it as straight text, and restricts the websites Copilot can visit without explicit approval. While Copilot has blanket permission to access Microsoft domains, guardrails limit requests to untrusted sites.

Security firm Varonis developed an exploit chain that vaulted over these protections. The first step involved what researchers call a Parameter-to-Prompt Injection. The parameter, in this case, is the "q" in a URL, which flags a query included in the request. This technique is a close cousin of standard prompt injection, but the malicious command resides in the query parameter rather than in an email or other untrusted content.

(Source: Ars Technica)

Topics

m365 copilot vulnerability 98% prompt injection attacks 95% data exfiltration via markup 90% llm guardrails 88% parameter-to-prompt injection 85% copilot security restrictions 83% llm gullibility 80% varonis exploit chain 78% 2fa code theft 75% microsoft patch response 73%
Tags
June 17, 2026Last Updated: June 17, 2026
2 minutes read