One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
Summary
A critical flaw in Microsoft 365 Copilot Enterprise Search could have let attackers steal emails, calendar details, and multi-factor authentication codes after a single click on a malicious link. Researchers discovered that three chained bugs allowed sensitive data to be extracted without the user entering a password or clicking again: parameter-to-prompt injection (tricking the AI by hiding instructions in a URL parameter), a timing flaw in how responses are filtered, and a Content Security Policy allowlist for Bing.
Solution / Mitigation
Microsoft mitigated the flaw on its backend, so no customer action was required.
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2026-30308: In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe comman
Original source: https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html
First tracked: June 15, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%