Microsoft Copilot Enables Hidden Prompt Exploits

Recent research by Permiso shows Microsoft 365 Copilot can be manipulated via hidden HTML/CSS "cross-prompt injection" attacks embedded in emails, causing the assistant to generate attacker-controlled summaries or fake security alerts. Tests found varying guardrail effectiveness across Outlook's Summarize button, the Outlook Copilot pane, and Teams Copilot, with Teams the most susceptible. The vulnerability enables model-mediated phishing and potential one-click data exfiltration from OneDrive, SharePoint, and Teams.
Key Points
- Demonstrates cross-prompt injection vulnerabilities in Microsoft Copilot via hidden HTML/CSS blocks in emails.
- Shows attackers can bypass interface guardrails and induce Copilot to produce phishing content or fake alerts.
- Warns practitioners to enforce DLP, strip hidden text, and monitor cross-app retrieval to prevent exfiltration.
Scoring Rationale
High practical severity and industry-wide reach, mitigated slightly by reliance on a single security research report.
