CISO
CIO
Enterprise Architect
Compliance Officer
Industry relevance
Financial Services
Healthcare
Government
JANUARY 22, 2026
Copilot Studio exfiltrated customer data via an authorized Outlook connector after Microsoft's safety filter flagged the request. DLP did not stop it. An agent authorization record would have.
Capsule Security disclosed CVE-2026-21520 in Microsoft Copilot Studio on January 22, 2026, following discovery on November 24, 2025 and a patch deployed January 15, 2026. The vulnerability, named ShareLeak, allowed an attacker to insert a crafted payload into a public-facing SharePoint form field. Copilot Studio concatenated the untrusted form input directly into the agent's system instructions with no sanitization between the form and the model. The agent then queried connected SharePoint Lists for customer data and sent it via Outlook to an attacker-controlled address. Microsoft's own safety mechanisms flagged the request as suspicious. The data was exfiltrated anyway.
GOVERNANCE IMPLICATION
ShareLeak breaks the assumption that DLP and safety filters are enough governance for Copilot Studio agents. Three conditions made the attack possible: access to customer data in SharePoint, an external channel via Outlook, and no authorization record defining what inputs the agent could treat as instructions. Those three conditions existed before the patch. They exist after it. Patching CVE-2026-21520 closes this specific attack path, not the underlying architecture. Any Copilot Studio agent with simultaneous access to untrusted inputs and outbound tools remains exposed. A Layer 2 authorization record defining what external content the agent may treat as instructions, plus a scope boundary on outbound channels, closes what the patch does not.
SCENARIO
A financial services firm deploys a Copilot Studio agent to process SharePoint-based client intake forms. The agent connects to SharePoint Lists containing client PII. An attacker submits a crafted payload through the public form. The agent treats the payload as a system instruction, queries client records, and sends the data to an external email address via Outlook. The firm's DLP does not flag the transfer because the agent used an authorized connector. An OCC examination asks which governance control defined what inputs this agent was permitted to treat as instructions. The answer: no such control existed.
THE GOVERNANCE QUESTION
For each Copilot Studio agent in your environment triggered by external inputs, can you produce a documented authorization record that specifies which input sources the agent is permitted to treat as instructions and which outbound channels it may use for data transfer? If not, ShareLeak's structural conditions exist in your environment regardless of patch status.
CONTROL GAP
No governance standard requires a Copilot Studio agent to have a documented authorization record specifying which input sources it may treat as instructions. Microsoft DLP policies govern data egress from connectors but do not define input trust boundaries. The safety filter flagged the request. The data left anyway via an authorized Outlook connector DLP does not block.
REGULATORY RELEVANCE
OCC
FINRA
FFIEC
NIST Ai RMF
SEC Cyber
PRIMARY SOURCE
Copilot and Agentforce fall to form-based prompt injection tricks
CSO Online
April 15, 2026
Read the primary source ->(opens in new tab)CONTINUE READING
JUNE 9, 2026
Agent SecurityAnthropic launched Claude Fable 5 and Claude Mythos 5 on June 9, 2026. Fable 5 is the first Mythos-class model released for general use. It includes safety classifiers that intercept queries in cybersecurity, biology and chemistry, and distillation categories, routing those queries to Claude Opus 4.8 instead. Anthropic reports the fallback occurs in fewer than 5% of sessions. The launch introduces a mandatory 30-day data retention requirement for all Fable 5 and Mythos 5 traffic on first- and third-party surfaces. Anthropic states the retained data will not be used for model training and will be deleted after 30 days in most cases.
MAY 18, 2026
Agent SecurityOn May 18, 2026, NIST published 'Summary Analysis of Responses to the Request for Information Regarding Security Considerations for AI Agents' (NIST Trustworthy and Responsible AI, report 800-5, authored by Riggs, Hamin, Perry, Edelman, and Cihon). The report summarizes stakeholder responses to the CAISI request for information (docket NIST-2025-0035). Commenters broadly agreed that AI agents present novel security threats that act as a barrier to adoption, and that while core cybersecurity principles still apply, they require adaptation for agents. Respondents identified roles for government including implementation guidance, information-sharing, and standards.
MAY 14, 2026
Agent SecurityMicrosoft Security Blog published 'Defense in depth for autonomous AI agents' on May 14, 2026, authored by Alyssa Ofstein and Elliot H Omiya. The post establishes that as agents gain autonomy, security architecture must shift toward the application layer: how agents are assembled, constrained, and governed within real applications. Key design principles include bounded scope (defining what an agent is responsible for), progressive permissioning (actions enabled explicitly starting at zero), and deterministic enforcement of human-in-the-loop review. The post states explicitly that the critical design mistake in agentic systems is letting the model decide when human review is required. Escalation triggers must be defined in code by the orchestrator, not delegated to probabilistic model reasoning. New threat classes identified include agent hijacking, intent breaking, sensitive data leakage, supply chain compromise, and inappropriate reliance.