Critical Copilot Vulnerability Exposed 2FA Codes

Microsoft addressed a maximum critical vulnerability in its M365 Copilot AI platform on June 16, 2026. Researchers from security firm Varonis who discovered the flaw revealed how their proof-of-concept exploit could retrieve 2FA codes and other sensitive information from emails accessible to Copilot. The vulnerability stems from a fundamental limitation in large language models: their inability to distinguish between legitimate user instructions and malicious commands embedded in third-party content the models process. Varonis devised an exploit chain that bypassed multiple Microsoft guardrails designed to prevent data exfiltration. The attack used a Parameter-to-Prompt Injection technique, placing malicious commands in URL query parameters rather than directly in untrusted content. Attackers sent targets emails containing specially crafted URLs with the format "https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=[instruction]" that Copilot readily complied with. The researchers noted that even with limited capabilities, accessing a user with critical information was sufficient for data theft. Microsoft and other LLM providers have implemented various guardrails to mitigate these risks, including wrapping output in code blocks and restricting requests to untrusted sites, but these remain ad hoc solutions addressing symptoms rather than the root cause.