Copirate 365 — DEF CON Demo of Persistent Microsoft Copilot Backdoor

AI relevance: The Copirate 365 chain demonstrates how prompt injection — widely dismissed as a transient nuisance — can be stacked with delayed tool invocation, memory poisoning, and HTML preview rendering into a durable, persistent backdoor inside enterprise Copilot, giving an attacker standing access to M365 data.

What happened

• Researcher Johann Rehberger presented "Copirate 365" at DEF CON Singapore, demonstrating a multi-stage vulnerability chain across M365 Copilot and Consumer Copilot, tracked as CVE-2026-24299.
• The attack chains four distinct primitives: indirect prompt injection to trigger misalignment, HTML preview rendering as an exfiltration channel (via CSS background images and @font-face), delayed tool invocation for exploit reliability, and long-term memory hijacking for persistence.
• HTML preview exfiltration bypasses URL-based egress filters by encoding stolen data into CSS properties — background-image URLs and @font-face loads that fetch to attacker-controlled servers.
• Delayed tool invocation allows the injected payload to defer execution until a future user interaction, making the attack asynchronous and harder to detect in real time.
• Memory hijacking enables both planting and deleting long-term Copilot memories via prompt injection, effectively turning the memory store into an attacker-controlled persistence mechanism.
• The combined chain creates what Rehberger calls "SpAIware" — a persistent backdoor in Copilot that survives across sessions and user interactions.
• Microsoft patched the vulnerability; MSRC assigned CVE-2026-24299 and the issues are now resolved.

Why it matters

• This is the most complete public demonstration that prompt injection can be escalated from a single-session nuisance to a persistent, multi-session enterprise compromise.
• The HTML preview exfiltration technique bypasses standard egress filtering because the requests appear as legitimate resource loads (fonts, images) rather than data exfiltration.
• M365 Copilot has access to emails, chats, SharePoint documents, and other enterprise data — the "lethal trifecta" of private data access, untrusted content ingestion, and external communication channels.
• With over 80 products now branded "Copilot," the attack surface spans the entire Microsoft AI ecosystem, and the same primitives likely apply across multiple variants.

What to do

• Ensure all M365 Copilot deployments are updated to patched versions; MSRC advisory covers the fix.
• Audit HTML preview and rich content rendering in any AI application that ingests untrusted content — these are the primary exfiltration channels for injected payloads.
• Implement egress controls that inspect outbound requests for encoded data patterns, not just known-bad domains.
• Review AI application memory stores for tamper-evident logging — memory hijacking is a new persistence vector that traditional security tools don't detect.

Sources

• Embrace The Red — Copirate 365 at DEF CON: Plundering in the Depths of Microsoft Copilot
• Microsoft MSRC — CVE-2026-24299
• DEF CON Singapore — Slides (PDF)
• Adversa AI — Top Agentic AI Security Resources, June 2026