Copirate 365 at DEF CON: Plundering in the Depths of Microsoft Copilot (CVE-2026-24299)

2026-05-04 · Source: Embrace The Red · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, long

Summary

A DEF CON Singapore talk writeup details critical vulnerabilities and exploits in Microsoft Copilot, including M365 Copilot and Consumer Copilot, leading to CVE-2026-24299. The research uncovered data exfiltration via the HTML preview feature, bypassing Content Security Policy (CSP) through CSS "background-image" and "@font-face" to load external resources. This enabled zero-click attacks by programmatically forcing the HTML preview. The analysis also revealed how Delayed Tool Invocation (DTI) and hijacking M365 Copilot's "record_memory" tool allowed for persistent prompt injection, creating "SpAIware" that could exfiltrate sensitive data like passwords from future conversations. Consumer Copilot exhibited similar memory modification vulnerabilities using "memory_durable_fact" tools and data exfiltration via the "edge_navigate_to" tool. Microsoft patched the main data exfiltration exploit on March 5, 2026, and memory-related issues in December 2025.

Key takeaway

For AI Security Engineers evaluating Microsoft Copilot deployments, you must recognize that prompt injection can lead to persistent data exfiltration and memory manipulation. Your security posture should assume breach for AI agents, focusing on robust threat modeling and implementing strict controls over external communication channels. Ensure comprehensive audit logging for all AI agent memory modifications, as default settings may lack this critical visibility.

Key insights

AI assistants with private data, untrusted content, and external communication form a "lethal trifecta" for data exfiltration.

Principles

• AI widgets require explicit security contracts with host platforms.
• Content Security Policy (CSP) is an unreliable security boundary for AI.
• Auditing and logging are critical for AI agent actions.

Method

Exploit HTML preview via CSS "background-image" or "@font-face" to exfiltrate data. Achieve zero-click by auto-switching to preview. Persist instructions using Delayed Tool Invocation to hijack memory for ongoing data leaks.

In practice

• Test AI agents for HTML preview data exfiltration vectors.
• Verify CSP effectiveness across different hosting environments.
• Implement robust audit logging for AI agent memory modifications.

Topics

• Microsoft Copilot
• Prompt Injection
• Data Exfiltration
• Content Security Policy
• Delayed Tool Invocation
• AI Agent Security

Best for: AI Security Engineer, AI Engineer, MLOps Engineer

Related on AIssential

• Microsoft Copilot Cowork Exfiltrates Files — Agentic systems like Copilot Cowork struggle with preventing data exfiltration, especially via unapproved external content.
• No longer just a Copilot, Microsoft's AI wants to take the wheel — Microsoft's Autopilot agents promise autonomous work management, integrating deeply across enterprise applications while posing significant security and trust challenges.
• GitHub Copilot Adds Persistent Memory for Repository-Level Context — GitHub Copilot's new persistent memory retains repository-level context, improving long-term coding assistance and code review.
• Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it — AI agent runtime environments, not just models, are critical attack surfaces for prompt injection vulnerabilities.
• Microsoft caught sneaking "Co-Authored-by Copilot" into VS Code commits - even with AI off — Undisclosed AI attribution in code commits can lead to significant user distrust and policy conflicts.
• Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code — A developer embedded a destructive prompt injection in open-source code to deter AI agents, sparking ethical and legal debate.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Embrace The Red.