LIVE FEED
FIRST LOOK Yellow Teams Bring AI Offense and Defense Into One Security Function // FIRST LOOK Tracebit Ships AWS Context Bombing Defence Against AI Hacking Agents // FIRST LOOK FriendMachine Launches Jacquard Lang for AI-Written Code Review // CRITICAL Check Point 2026 AI Security Report: LLMs Now Run Live Attacks // FIRST LOOK OpenAI GPT-5.6 Sol Ships Faster Parallel Tool-Use for Agents // FIRST LOOK Meta Launches Muse Image with Public Instagram Photo Reuse // FIRST LOOK Estonia Launches State-Issued Digital IDs for AI Agents // HIGH AI Widens Skill-Ability Gap, Enabling Autonomous Cyberattacks // FIRST LOOK OpenAI Expands ChatGPT Into Family and Caregiver Households // FIRST LOOK Iroh Launches Mesh LLM for Distributed AI Across Peer Nodes //
ATLAS OWASP HIGH Significant risk · Prioritise patching RELEVANCE ▲ 8.2

Prompt Injection Flaws in Salesforce and Microsoft AI

TL;DR HIGH
  • What happened: Prompt injection flaws in Microsoft Copilot and Salesforce Agentforce enabled data exfiltration via malicious inputs.
  • Who's at risk: Enterprise organisations deploying AI agents to process emails, documents, and external data without robust input sanitisation.
  • Act now: Apply patches for Copilot and Agentforce immediately · Implement input validation and sanitisation on all agent data sources · Audit AI agent permission scopes and data access policies
0x4F0x3A0xFF0x0D0x7B0xC20xA10x550x0D0x7B0xC20xA10x550xE80x120x9F0xA10x550xE80x120x9F0xD40x2E0x880x120x9F0xD40x2E0x880x610xB30x4F0x2E0x880x610xB30x4F0x3A0xFF0x0D0xB30x4F0x3A0xFF0x0D0x7B0xC20xA10xFF0x0D0x7B0xC20xA10x550xE80x12LLM SECURITYDark ReadingHIGHPrompt Injection Flaws in Salesforce and AIMicrosoft

Overview

Microsoft and Salesforce have patched prompt injection vulnerabilities in their respective AI agent platforms — Microsoft Copilot and Salesforce Agentforce — that could have allowed external attackers to leak sensitive data from affected organisations. The flaws, now remediated, are emblematic of a broader security challenge facing enterprise AI deployments: agentic systems that act on behalf of users can become vectors for data exfiltration when they fail to adequately validate or sanitise external input.

Both vulnerabilities were disclosed responsibly and patches have been issued, but the incident serves as a significant warning for organisations relying on AI agents to handle confidential business data.

Technical Analysis

Prompt injection attacks targeting AI agents exploit the agent’s inability to distinguish between trusted system instructions and malicious content introduced through external data sources — a technique sometimes referred to as indirect prompt injection. In the context of Agentforce and Copilot, an attacker could craft malicious content (e.g., embedded in an email, document, or web page) that the AI agent processes during normal operation. Once ingested, the injected instructions redirect the agent to perform unintended actions, such as summarising and transmitting private user data to an attacker-controlled endpoint.

The attack chain typically follows this pattern:

  1. Injection vector: Malicious instructions are embedded in content the AI agent is expected to read (e.g., a shared document or an inbound email).
  2. Agent execution: The agent processes the content without distinguishing between data and instructions.
  3. Exfiltration: The hijacked agent leaks sensitive information — such as emails, CRM records, or internal documents — via a subsequent action (e.g., sending a follow-up message or making an API call).

This class of vulnerability is particularly dangerous in agentic architectures because agents are often granted broad permissions to read, write, and communicate on behalf of users.

Framework Mapping

  • AML.T0051 (LLM Prompt Injection): The core attack mechanism — injecting adversarial instructions through untrusted external content.
  • AML.T0057 (LLM Data Leakage): The primary impact — sensitive organisational data exposed to unauthorised parties.
  • AML.T0056 (LLM Meta Prompt Extraction): Potential secondary risk where system prompt context is also exposed.
  • LLM01 (Prompt Injection) and LLM06 (Sensitive Information Disclosure): The most directly applicable OWASP LLM Top 10 categories.
  • LLM08 (Excessive Agency): Agents operating with overly broad permissions amplify the severity of any successful injection.

Impact Assessment

Enterprise users of Microsoft Copilot and Salesforce Agentforce are the primary affected population, potentially spanning thousands of organisations across financial services, healthcare, and technology sectors. The severity is elevated by the privileged access these agents typically hold — CRM data, emails, internal documents, and customer records could all be at risk. Unpatched instances would have been exploitable by any external attacker capable of delivering malicious content into the agent’s processing pipeline.

Mitigation & Recommendations

  • Apply patches immediately: Both Microsoft and Salesforce have issued fixes — ensure all instances are updated.
  • Enforce least-privilege agent permissions: Restrict AI agent access to only the data and actions necessary for their defined role.
  • Implement input/output guardrails: Deploy content filtering on both inputs to and outputs from AI agents.
  • Monitor agent activity logs: Establish anomaly detection for unexpected data access or exfiltration patterns by AI agents.
  • Security-test AI integrations: Include prompt injection scenarios in penetration testing and red team exercises for all agentic AI deployments.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.