This is a writeup of my DEF CON Singapore talk that walks through vulnerabilities and exploits in M365 Copilot and Consumer Copilot. I disclosed these to Microsoft last year. MSRC assigned CVE-2026-24299 and the issues are now patched.

ContentsContents

This turned out to be a long post, covering the 45 minute talk. I added an index page, so you know what’s in here. The talk had a more demos by the way, but I included videos here in this post also.

• Preface: A Brief History of AI Data Exfiltration
  • The Lethal Trifecta and M365 Copilot
  • Extracting System Prompt Information and Tools
• Chapter 1: HTML Preview as Exfiltration Channel
  • Bypass 1: Background Images via CSS
  • Bypass 2: Loading Fonts via @font-face
  • Auto-Switching to HTML Preview
  • Walkthrough: Stealing Emails from Word
  • Take-away: AI Widgets and Host Contracts
• Chapter 2: Delayed Tool Invocation
• Chapter 3: M365 Copilot Got Memory!
  • Adding Memories via Prompt Injection
  • Deleting Memories via Prompt Injection
• Chapter 4: SpAIware (Persistence + Data Exfil)
• Encore: Hacking Consumer Copilot
  • Hacking Consumer Copilot Memory (Durable Facts)
  • Exfiltrating Data with Edge
• Epilogue: Take-aways
• Disclosure Timeline

A pdf version of the slides is on the DEF CON media server.

Let’s dive into it.

...read more at embracethered.com