{"data":{"id":"d1f1698d-7c09-457f-868f-393741d06568","title":"One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes","summary":"A critical flaw in Microsoft 365 Copilot Enterprise Search could have let attackers steal emails, calendar details, and multi-factor authentication codes with a single click on a malicious link. Researchers discovered that three chained bugs allowed attackers to extract sensitive data without the user entering any passwords or clicking again: parameter-to-prompt injection (tricking the AI by hiding instructions in a URL parameter), a timing flaw in how responses are filtered, and a Content Security Policy allowlist for Bing.","solution":"Microsoft mitigated the flaw on its backend, so there is nothing for customers to patch or deploy. No customer action was required.","labels":["security"],"sourceUrl":"https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html","publishedAt":"2026-06-15T15:09:05.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["prompt_injection","data_extraction"],"issueType":"news","affectedPackages":null,"affectedVendors":["Microsoft"],"affectedVendorsRaw":["Microsoft 365 Copilot","Microsoft Copilot Enterprise Search","Bing"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-06-15T15:09:05.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"advanced","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}