New Copilot Vulnerability Bridges Old and New Data Theft Techniques
June 22, 2026
The scope of data theft is pretty severe once the Copilot vulnerability chain is successfully exploited, allowing the attacker to quickly rifle through a target’s Microsoft business environment for sensitive files.
All of the talk about AI and cybersecurity lately has been about the capabilities of frontier models like Mythos and their ability to almost instantly uncover a target’s full set of vulnerabilities. That is certainly a very important topic, but a new Copilot vulnerability unveils something of a blind spot in current AI deployments: creative ways in which existing AI can enter an attack chain, and post-breach ways in which it can be used to more efficiently perpetrate data theft.
How Copilot became a data theft assistant
It is unclear if the Copilot vulnerability chain has been exploited in the wild, but security firm Varonis Threat Labs has published a demonstration of it after ethically disclosing it to Microsoft (who have issued a patch that takes a key portion of the chain out of the AI assistant).
The scope of data theft is pretty severe once the attack is successfully pulled off, allowing the attacker to quickly rifle through a target’s Microsoft business environment for sensitive files. Two pieces of the attack chain are “vintage” hacking techniques that would generally not be seen as a major threat, but the way the AI inserts itself puts a novel spin on them.
The attack chain is tracked as CVE-2026-42824. Microsoft has labeled it “critical,” but it carries only a 6.5 rating because its key element, the Parameter-to-Prompt Injection (P2P) that loops the AI in, has been patched out of Copilot and will no longer work as the researchers describe. The issue is also specific to Copilot Enterprise: it takes advantage of that product’s local file search focus to exploit a prioritization quirk that puts malicious instructions ahead of the usual sanitization process that would catch them.
Copilot vulnerability exploitation shows no signs other than brief “thinking” behavior
The Copilot vulnerability chain begins with an attacker entering a relatively simple prompt into Copilot Enterprise Search. As mentioned, this relies on a two-part quirk in how Copilot orders operations (at least before Microsoft addressed the issue).
The malicious instructions are simply placed in the prompt itself behind a “q” parameter. This parameter tells Copilot that it is receiving a natural language search query and that what follows is to be taken as direct instructions. The normal sanitization process would usually catch a malicious embed of this sort. However, there is a way around that (or, again, was, before Microsoft patched the issue): a well-placed “<img>” tag causes Copilot to open a link in a browser before it reaches the “thinking” stage in which it wraps output in blocks that are read as text.
The Copilot vulnerability chain would usually still be shut down at this point, because the malicious URL is not from a whitelisted domain. However, Bing Image Search’s endpoint is whitelisted by default, and this allows the malicious link to be passed on to a victim in a Copilot Enterprise tenant. The attacker can deliver the link by whatever means they want, from email to direct messaging. All the victim has to do is click it; no further action is required, and the data theft process begins.
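As an added illustration of the defensive side (this is not code from Varonis, Microsoft or the original article), the check below inspects inbound links for the shape the chain relies on: a search URL whose query parameter carries HTML markup or a nested URL, possibly hidden behind a trusted redirect host. The hostnames, the trusted-host set and the sample links are constructed placeholders, since the real endpoints are not given on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Placeholder hosts: the real Copilot Enterprise Search and Bing Image Search
# endpoints are not given on this page, so the trusted set is constructed.
TRUSTED_HOSTS = {"search.example.invalid", "images.example.invalid"}

HTML_TAG = re.compile(r"<\s*/?[a-z][^>]*>", re.IGNORECASE)
NESTED_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def assess_link(url, trusted_hosts=TRUSTED_HOSTS, depth=0):
    """Return reasons a link should be blocked or reviewed; an empty list means clean."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname not in trusted_hosts:
        reasons.append("untrusted_host")
    if depth > 3:  # stop on absurdly deep redirect chains
        return reasons + ["nesting_too_deep"]
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:  # parse_qs already URL-decoded each value once
            for nested in NESTED_URL.findall(raw):
                host = urlsplit(nested).hostname
                if host not in trusted_hosts:
                    reasons.append(f"untrusted_nested_url:{key}:{host}")
                else:
                    # A trusted redirector can still carry a hostile search URL inside it.
                    inner = assess_link(nested, trusted_hosts, depth + 1)
                    reasons.extend(f"nested:{r}" for r in inner)
            if HTML_TAG.search(unquote(raw)):  # second decode catches double-encoded tags
                reasons.append(f"markup_in_param:{key}")
    return reasons


# Constructed sample links, as they might arrive through an email link scanner.
SAMPLE_LINKS = {
    "plain": "https://search.example.invalid/?q=quarterly%20budget",
    "tag_in_q": "https://search.example.invalid/?q=%3Cimg%20src%3D%22https%3A%2F%2Fattacker.invalid%2Fa%22%3E",
    "via_trusted_redirect": "https://images.example.invalid/r?u=https%3A%2F%2Fsearch.example.invalid%2F%3Fq%3D%253Cimg%2520src%253Dx%253E",
}

if __name__ == "__main__":
    for name, link in SAMPLE_LINKS.items():
        print(name, assess_link(link) or "clean")
```

Hooking a check like this into mail or proxy link scanning gives the tenant a control of its own instead of relying solely on the vendor patch.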
The victim’s data is then looted in what could be a matter of seconds, with only a Copilot “thinking” notice popping up to indicate anything is amiss. The data theft can include emails, authorization codes, SharePoint and OneDrive files, meeting notes, and calendar entries, among other items in the user’s general Microsoft ecosystem.
The Copilot vulnerability illustrates some emerging threats in the new age of AI: LLMs as a critical attack chain component, the fact that “remediation” is limited almost entirely to hoping the developer fixes it or ceasing use of the AI entirely, and how an LLM can be weaponized by an attacker as a force multiplier once they gain access. But it should also serve as a reminder to carefully scrutinize the security of new AI deployments, something that has been falling by the wayside at troubling rates in the rush to get these new tools into service.