CISO
CIO
Enterprise Architect
Compliance Officer
Industry relevance
Financial Services
Healthcare
Government
JANUARY 22, 2026
Copilot Studio exfiltrated customer data via an authorized Outlook connector after Microsoft's safety filter flagged the request. DLP did not stop it. An agent authorization record would have.
Capsule Security disclosed CVE-2026-21520 in Microsoft Copilot Studio on January 22, 2026, following discovery on November 24, 2025 and a patch deployed January 15, 2026. The vulnerability, named ShareLeak, allowed an attacker to insert a crafted payload into a public-facing SharePoint form field. Copilot Studio concatenated the untrusted form input directly into the agent's system instructions with no sanitization between the form and the model. The agent then queried connected SharePoint Lists for customer data and sent it via Outlook to an attacker-controlled address. Microsoft's own safety mechanisms flagged the request as suspicious. The data was exfiltrated anyway.
GOVERNANCE IMPLICATION
ShareLeak breaks the assumption that DLP and safety filters are enough governance for Copilot Studio agents. Three conditions made the attack possible: access to customer data in SharePoint, an external channel via Outlook, and no authorization record defining what inputs the agent could treat as instructions. Those three conditions existed before the patch. They exist after it. Patching CVE-2026-21520 closes this specific attack path, not the underlying architecture. Any Copilot Studio agent with simultaneous access to untrusted inputs and outbound tools remains exposed. A Layer 2 authorization record defining what external content the agent may treat as instructions, plus a scope boundary on outbound channels, closes what the patch does not.
SCENARIO
A financial services firm deploys a Copilot Studio agent to process SharePoint-based client intake forms. The agent connects to SharePoint Lists containing client PII. An attacker submits a crafted payload through the public form. The agent treats the payload as a system instruction, queries client records, and sends the data to an external email address via Outlook. The firm's DLP does not flag the transfer because the agent used an authorized connector. An OCC examination asks which governance control defined what inputs this agent was permitted to treat as instructions. The answer: no such control existed.
THE GOVERNANCE QUESTION
For each Copilot Studio agent in your environment triggered by external inputs, can you produce a documented authorization record that specifies which input sources the agent is permitted to treat as instructions and which outbound channels it may use for data transfer? If not, ShareLeak's structural conditions exist in your environment regardless of patch status.
CONTROL GAP
No governance standard requires a Copilot Studio agent to have a documented authorization record specifying which input sources it may treat as instructions. Microsoft DLP policies govern data egress from connectors but do not define input trust boundaries. The safety filter flagged the request. The data left anyway via an authorized Outlook connector DLP does not block.
REGULATORY RELEVANCE
OCC
FINRA
FFIEC
NIST Ai RMF
SEC Cyber
PRIMARY SOURCE
Copilot and Agentforce fall to form-based prompt injection tricks
CSO Online
April 15, 2026
Read the primary source →(opens in new tab)CONTINUE READING
MAY 12, 2026
SecurityMicrosoft published a five-level DDoS resilience maturity framework on May 12, 2026 in the Microsoft Security Blog, authored by Kumar Srinivasamurthy, VP of Intelligent Conversation and Communications Cloud Platform. The framework grades organizational posture from Level 1 (Exposed, direct origin with no CDN) through Level 5 (Autonomous Defense, AI-powered predictive mitigation where attacks are neutralized before human operator awareness). The post cites Microsoft Digital Defense Report 2025 data showing DDoS attacks against Microsoft properties reached approximately 4,500 per day by June 2024, up from a rise that began in mid-March 2024.
MAY 12, 2026
SecurityThe Microsoft Defender Security Research Team published research on May 12, 2026 in the Microsoft Security Blog describing three approaches to generating synthetic security attack logs using AI. The pipeline progresses from prompt-engineered generation through an agentic workflow using three specialized agents (Generator, Evaluator, Improver) to multi-turn Reinforcement Learning with Verifiable Rewards. The research uses MITRE ATT&CK TTPs as input and produces structured telemetry designed to trigger detection rules without requiring live attack execution in controlled lab environments. Evaluation showed agentic workflows significantly outperform prompt-only approaches across all test datasets.
MAY 12, 2026
SecurityMicrosoft announced on May 12, 2026 in the Microsoft Security Blog a new multi-model agentic scanning harness (codename MDASH), developed by its Autonomous Code Security team. MDASH orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable vulnerabilities end-to-end. The system identified 16 new CVEs across the Windows networking and authentication stack, including four Critical remote code execution flaws, and scored 88.45% on the CyberGym benchmark of 1,507 real-world vulnerabilities, the highest published score on that leaderboard at time of writing.