Critical Copilot vulnerability allowed hackers to steal 2FA code from users

**TL;DR:** Critical Copilot vulnerability allowed hackers to steal 2FA code from users

---

Last Tuesday, Microsoft patched a vulnerability it rated as max critical in its M365 Copilot AI platform. On Monday, the researchers who discovered the vulnerability and reported it to Microsoft revealed how their proof-of-concept exploit could retrieve 2FA codes and other sensitive data from emails accessible to Copilot. Microsoft and other LLM providers have been unable to prevent their products from complying with malicious requests to reveal data.

The root cause: AI bots are unable to distinguish between instructions provided by users and those snuck into third-party content the models are summarizing, drafting responses to, or using to perform other actions on behalf of the user. With no way to secure this crucial boundary, Microsoft and its peers are left to erect complicated and ad hoc guardrails designed to rein in the consequences of this incurable gullibility.

Jumping over guardrails One guardrail built into Copilot and most other LLMs prevents them from submitting web forms, sending emails, and taking similar actions that can be used to exfiltrate data from the user. To work around this, LLM hackers turned to markup language, which, among other things, allows users to ad

Source: Ars Technica

Security headlines need a calm read: who is affected, what is confirmed, and whether there is a realistic mitigation for normal users.

Readers should treat early numbers and unnamed claims cautiously. The durable story is usually confirmed in docs, filings, or follow-up reporting.

Track whether the story affects total cost of ownership: subscriptions, compatibility, downtime risk, or support burden.

1) Treat unconfirmed claims as provisional. 2) Check official statements before changing security or spending decisions. 3) Save links and dates so you can verify updates later.

**Q: Is everything in this article confirmed?** A: The summary reflects publicly reported information at publication time. Analysis sections are clearly framed as context, not new reporting.

**Q: Will iByte update this page?** A: Yes. As primary sources publish more detail, this article can be refreshed without changing the URL.

Last updated: June 16, 2026.

Additional context: early-cycle stories often look bigger in headlines than in day-to-day impact. The useful move is to identify the smallest set of facts that would change your decision, then wait for those facts to land.

Additional context: early-cycle stories often look bigger in headlines than in day-to-day impact. The useful move is to identify the smallest set of facts that would change your decision, then wait for those facts to land.