M365 Copilot AI Injection Flaw Enables One-Click Data Exfiltration
Microsoft has patched a significant information disclosure vulnerability in Microsoft 365 Copilot, tracked as CVE-2026-26133, that allowed attackers to weaponize the AI assistant’s email summarization feature to deliver convincing phishing prompts and steal sensitive organizational data triggered by a single user click.
CVE-2026-26133, disclosed on March 12, 2026, is rooted in an AI command-injection weakness in M365 Copilot’s email summarization surfaces.
The vulnerability has a CVSS 3.1 base score of 7.1 and is rated Important by Microsoft. An attacker with no prior authentication or elevated privileges could exploit this flaw remotely, requiring only that a targeted user interact with a Copilot-generated summary, such as clicking “Summarize this email.”
Researchers at Permiso Security’s P0 Labs team, led by Andi Ahmeti, identified a cross-prompt injection attack (XPIA) in which attacker-controlled instructions are silently embedded within an ordinary email.
When the victim’s Copilot processes that email, it incorporates the malicious instructions into its generated summary, producing authoritative-looking phishing content inside the assistant’s trusted interface without relying on attachments, macros, or any traditional exploit code.
What makes this attack particularly dangerous is a concept Permiso calls “trust transfer.” Users trained to be skeptical of suspicious email body text typically extend no such skepticism to AI-generated summaries.
Copilot’s broad retrieval scope spanning Teams conversations, OneDrive files, SharePoint documents, and meeting notes means injected prompts can pull internal collaboration context and embed it into attacker-supplied links.
The result is a one-click exfiltration pathway: when the user clicks what appears to be a legitimate “Verify your Identity” button rendered inside the Copilot summary, internal context is silently transmitted to attacker-controlled infrastructure.​
The vulnerability affects 20 Microsoft mobile and desktop products, all of which were updated on March 12, 2026. Affected applications span both iOS and Android platforms, including Microsoft 365 Copilot for Android (build 16.0.19815.10000) and iOS (build 2.107.2), Microsoft Teams for Android and iOS.
Microsoft Outlook for Android, iOS, and Mac; Microsoft Word, Excel, and PowerPoint for both platforms; Microsoft OneNote; Microsoft Loop for iOS; Microsoft Edge for Android and iOS; and Microsoft Power BI for Android and iOS. Customer action is marked as required across all affected products, meaning users must update their applications to receive the fix.
Microsoft confirms the vulnerability was not publicly disclosed before the patch and has not been observed being exploited in the wild, with its exploitability assessment listed as “Exploitation Less Likely.”
The Exploit Code Maturity metric is rated Unproven. Despite this, the attack’s low complexity, zero privilege requirements, and deceptive delivery vector make it a credible threat against organizations heavily reliant on Copilot for email triage and summarization workflows.
Andi Ahmeti of Permiso Security discovered and reported the vulnerability through coordinated disclosure. Microsoft confirmed the issue on January 28, 2026, began rolling out mitigations on February 17, and completed the patch across all affected surfaces on March 11, 2026, one day before the CVE was formally published.
Organizations should immediately update all affected Microsoft 365 mobile and desktop applications to their latest builds through the respective platform app stores. Security teams should also review Copilot access scope policies to limit retrieval permissions when broad organizational data access is unnecessary, reducing the potential blast radius from future prompt-injection attacks.​
Site: cybersecuritypath.com
About the Author
