Researchers Uncover New Phishing Risk Hidden Inside Microsoft Copilot

AI assistants such as Microsoft Copilot have become integral to modern workplaces, promising faster email triage, meeting summaries, and cross‑application insights. While these tools boost efficiency, they also expand the attack surface by processing untrusted content. Researchers demonstrated that hidden instructions within a malicious email can steer Copilot’s language model to produce fabricated security alerts or malicious calls‑to‑action, effectively turning the assistant into a covert phishing conduit.

The underlying mechanism, cross‑prompt injection, exploits the model’s tendency to treat embedded text as directives rather than mere content. In comparative tests across Outlook’s summarize button, the Outlook chat pane, and Teams Copilot, the Teams interface consistently reproduced attacker‑supplied text, whereas Outlook’s built‑in summarizer occasionally rejected suspicious prompts. This variability underscores the need for consistent safety checks across all AI‑enabled entry points, as a single vulnerable UI can undermine broader organizational defenses.

Mitigating this emerging threat requires a layered approach. Enterprises should prioritize timely Microsoft patches, enforce least‑privilege access to Copilot features, and restrict cross‑application data retrieval. Email security gateways must evolve to detect hidden prompt‑injection patterns, while security operations should monitor AI‑generated outputs for anomalous language. Finally, user education is critical: employees must treat AI summaries as interpretive aids, not authoritative alerts. By integrating technical safeguards with awareness training, organizations can reap Copilot’s productivity gains without exposing themselves to AI‑assisted phishing.