Microsoft patches critical M365 Copilot flaw tied to 2FA code leaks

In short: Microsoft patched a critical security flaw in M365 Copilot after researchers showed it could be tricked into pulling 2FA codes and other sensitive email data.

What happened

Microsoft fixed a vulnerability in its M365 Copilot service last Tuesday. M365 Copilot is Microsoft’s built-in AI helper for work, and it can read and summarize content a user has access to, like emails and documents.

On Monday, security researchers at Varonis explained how their test attack worked. The trick started with an email that contained a specially made Microsoft search link. If the victim clicked the link, Copilot could be pushed into searching the victim’s mailbox and pulling out information like one-time 2FA codes (the short number you get by text or an app to confirm it is really you).

Varonis said the problem comes from a common weakness in today’s large language model tools. They can have trouble telling the difference between a real user instruction and a hidden instruction placed inside content they are reading. Think of it like a helpful assistant who reads a note out loud, but also follows a secret instruction written in tiny print on the same note.

Varonis also showed how the attack could get around Copilot’s built-in blocks on sending data to unknown websites. Their method used Bing as a middle step, because Bing was allowed under Copilot’s rules.

Why it matters

This issue affected the Enterprise version used at companies, which can include access to internal emails, meeting notes, and files in SharePoint and OneDrive. Even though Microsoft fixed this specific path, the research highlights how hard it is to fully prevent these “hidden instruction” attacks in AI assistants that can access private workplace data.

Source: Arstechnica