
“SearchLeak” Copilot Vulnerability Chain Turns the AI Assistant Into a Data Theft Partner

A new and viable attack chain disclosed by Varonis Threat Labs exploits a set of Microsoft Copilot vulnerabilities that turns the AI into an attacker’s partner in data theft.

The attack chain involves three separate vulnerabilities, none of which is all that concerning on its own, but which can turn Copilot into a data theft machine when strung together. One of these belongs to a new class of vulnerability specific to AI LLM systems called a “Parameter-to-Prompt Injection (P2P).” Microsoft has assigned the attack chain a CVE (CVE-2026-42824) and classed it as critical, and has issued a patch to Copilot Enterprise that neutralizes it.

Copilot vulnerability chain enables theft of a wide variety of sensitive information

The Copilot vulnerability chain requires three steps, two of which are old-fashioned injections and request forgeries. But they are kicked off by using a P2P injection that convinces Copilot it is OK to serve up malicious links.

The attacker first inserts the malicious P2P prompt into Copilot Enterprise Search. A particular deployment of an “<img>” tag in this prompt causes the AI to begin supplying its response before the usual input sanitization steps are taken. Because Bing’s image search endpoint is whitelisted in the Content Security Policy, it has no issue fetching a malicious URL the attacker controls.

The tainted link must be passed on to a victim in a Copilot Enterprise tenant, who is then induced to click on it. But once they do, the AI becomes a data theft partner in rummaging through their files for sensitive information to extract: emails, authorization codes, SharePoint and OneDrive files, meeting notes, calendar items and more.

The victim needs only to click on that initial malicious link, and the attack is executed with no follow-up required. The P2P injection prompt is extremely simple, abusing the fact that anything following a “q” parameter in a URL (the operator used for natural language search queries) will be read as direct instructions to be followed. While Microsoft anticipated this potential Copilot vulnerability by having it wrap output in code blocks so that the browser treats it as plain text, there was an oversight in that an <img> tag deployed during this initial “thinking” process causes the browser to immediately launch an included URL before the process is done and sanitization takes place.

That part is an old-school “race condition” vulnerability, and the final component simply relies on the fact that Bing’s image search feature is whitelisted by Microsoft by default. So that is what the malicious URL targets. Bing’s backend performs a server-side fetch of the image URL to analyze the image, turning it into an “unwitting exfiltration proxy” for the data theft, as the researchers describe it.

The attacker can send this malicious link via just about any method they choose: email, direct messaging, collaboration software, anything that allows a clickable link to be embedded. The target will only see Copilot in “thinking” mode for a brief moment. This might spur some suspicion, but in a matter of mere seconds the data theft has already taken place.

AI functions revive previously dormant data theft methods

As the researchers note, this issue is not a mere matter of a novel Copilot vulnerability. It illustrates how AI can be inserted creatively as part of an attack chain to revive older hacking techniques that software has at this point largely been secured against.

Remediation of these attacks and potential data theft incidents also almost entirely relies on the AI developer. In the case of the Copilot vulnerability, Microsoft has offered some additional remediation methods such as careful scrutiny of “q” parameters in URLs and ensuring users are trained in recognizing suspicious URLs and unusual behavior by Copilot. However, none of those allow the end user to disable the threat on their own.
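
The scrutiny of “q” parameters mentioned above could be automated along the following lines for links seen in mail or proxy logs. This is an added example, not code from Microsoft or Varonis; the host name, the /search path, the sample links and the two heuristics are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumption: placeholder host; substitute the Copilot Enterprise Search
# host(s) your tenant actually uses.
COPILOT_HOSTS = {"copilot.example.invalid"}
TAG_RE = re.compile(r"<[/!]?[a-zA-Z]")               # start of an HTML tag
URL_RE = re.compile(r"(?:https?:)?//[\w.-]+", re.I)  # absolute or //host URL
MAX_DECODE_ROUNDS = 3                                # bound nested decoding

def fully_decode(value):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_link(url):
    """Return sorted reasons why a link's q parameter looks suspicious."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable"]
    if (parts.hostname or "").lower() not in COPILOT_HOSTS:
        return []
    reasons = set()
    for raw in parse_qs(parts.query, keep_blank_values=True).get("q", []):
        q = fully_decode(raw)  # parse_qs has already decoded one layer
        if TAG_RE.search(q):
            reasons.add("html-markup")
        if URL_RE.search(q):
            reasons.add("embedded-url")
    return sorted(reasons)

# Constructed sample links (not taken from the disclosure).
SAMPLE_LINKS = [
    "https://copilot.example.invalid/search?q=quarterly+travel+policy",
    "https://copilot.example.invalid/search?q=notes%20%3Cimg%20src%3D%22"
    "https%3A%2F%2Fcollector.example.invalid%2Fp.png%22%3E",
    "https://copilot.example.invalid/search?q=notes%2520%253Cimg%2520src%253Dx%253E",
    "https://intranet.example.invalid/search?q=%3Cb%3Ehi%3C%2Fb%3E",
]

def triage(links):
    """Map each flagged link to its reasons; clean links are omitted."""
    return {u: r for u in links if (r := inspect_link(u))}
```

The third sample shows why decoding is repeated: a double-encoded tag survives a single decoding pass and would slip past a filter that only decodes once.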

AI security governance is also a widespread issue as these new tools are rapidly onboarded. Red team testers with Mandiant recently found that organizations have some tendency to lose track of their fundamental security controls when they roll out new AI deployments. This includes simple failures to have settings properly configured, but researchers also find they can utilize the AI tools to assist with the attack in a manner similar to what was seen with this Copilot vulnerability. And all of this is with official company-sanctioned deployments, before the issue of “shadow IT” use of AI by employees even crops up. Mandiant noted that a lack of CISO involvement in AI workflow deployments can be a contributing factor in this area.

Microsoft did make one other option available to address a future Copilot vulnerability, as of its April “Patch Tuesday”; administrators have received the ability to uninstall the AI assistant via policy.