Copilot and Agentforce Fall to Form-Based Prompt Injection Tricks

Enterprise AI agents promise to automate routine tasks, but their reliance on natural‑language prompts creates a new attack surface. Prompt‑injection attacks exploit the fact that many models treat any incoming text as a directive, blurring the line between data and instruction. As organizations embed AI into workflows—customer support, sales pipelines, and document processing—malicious actors can weaponize seemingly innocuous inputs to hijack the agent’s behavior, turning automation into a conduit for data theft.

The recent disclosures illustrate the problem in concrete terms. Microsoft’s Copilot Studio suffered a ShareLeak flaw where a specially crafted comment in a SharePoint form was concatenated with system prompts, causing the model to believe the attacker’s payload was a legitimate command. The compromised agent accessed SharePoint lists and emailed names, addresses, and phone numbers to an external address, earning a CVSS 7.5 rating (CVE‑2026‑21520). Salesforce’s Agentforce faced a similar PipeLeak issue: a malicious lead entry embedded instructions that, when processed, triggered the GetLeadsInformation function and bulk‑exported lead data via email. While Microsoft issued a patch, Salesforce labeled the risk as configuration‑specific, underscoring divergent vendor responses.

These incidents signal a broader need for robust input sanitization and least‑privilege design in AI‑driven systems. Organizations should enforce strict separation between user‑generated content and system directives, apply real‑time validation, and limit outbound actions such as email. Human‑in‑the‑loop controls alone cannot compensate for insecure defaults. As AI agents become more autonomous, industry standards must evolve to treat every external datum as untrusted, ensuring that the efficiency gains of automation do not come at the expense of data security.