Share with your CISO
Microsoft patched a critical, max-severity vulnerability in Copilot Enterprise after researchers at Varonis turned it into a one-click data exfiltration tool. The attack required zero authentication from the victim. A single crafted URL instructed Copilot to search a user’s emails, extract contents, and beam them to an attacker-controlled endpoint. Because Copilot Enterprise runs with the user’s full Microsoft Graph permissions, whoever held the malicious link effectively inherited that employee’s access to emails, calendar data, meeting notes, and connected M365 systems, including the ability to hijack two-factor authentication codes.
What this means for your business
The blast radius here is not hypothetical. If a senior finance or legal employee clicks a weaponized link in a phishing email, the attacker walks out with every email thread, calendar invite, and document that person could access. No credential theft required. No malware planted. Copilot does the extraction automatically, by design, because that’s exactly what it was built to do: act on your data at your direction. The problem is that “your direction” is trivially spoofable.
The deeper issue is what Varonis calls a parameter-to-prompt injection, a variant of prompt injection where the malicious instruction hides inside a URL query parameter rather than in visible text. That distinction matters because most enterprise content-filtering and DLP controls scan for suspicious text in email bodies or documents. A poisoned URL bypasses those controls entirely, and Microsoft’s own whitelist of trusted domains, specifically bing.com, became part of the attack surface. Trusting your own infrastructure is not the same as that infrastructure being trustworthy.
Microsoft has patched this specific CVE, but the pattern it represents won’t be patched away. Any enterprise AI agent that holds graph-level permissions and can be triggered by a URL is structurally vulnerable to this class of attack. The question worth holding: how many other Copilot features, custom agents, or Power Automate flows in your environment operate with similarly broad permissions and similarly weak trigger authentication?
Concept deep-dive: Parameter-to-prompt (P2P) injection
Prompt injection is an attack where a malicious instruction is hidden inside content an AI reads, overriding its original instructions. P2P injection is a sharper variant: the malicious command is embedded in a URL query parameter, the configuration string that tells the AI how to process a request, rather than in visible message text. Think of it as slipping a forged work order into the building’s dispatch system instead of handing it to a worker directly. Security tools scanning email bodies never see it. For enterprises deploying AI agents that accept URLs as inputs, this is the new phishing vector.
Based on reporting from Microsoft’s Copilot AI Caught Letting Hackers Steal Your 2FA Codes Through a Single Click, originally published 2026-06-17 12:04:00.

