Two of the enterprise software industry's largest AI agent platforms — Microsoft Copilot and Salesforce Agentforce — have each patched prompt injection vulnerabilities that could have allowed attackers to steal sensitive data from business users without any authentication. The disclosures, reported by Dark Reading, highlight a growing class of security risks that emerge when AI agents are given access to sensitive corporate data and external-facing surfaces.
What Are Prompt Injection Flaws?
Prompt injection attacks exploit the fact that large language model (LLM)-based AI agents process both instructions and data through the same input channel — natural language. When an attacker can insert malicious instructions into content that the AI agent will read or process, those instructions can override the agent's legitimate directives, redirect its behavior, or cause it to exfiltrate data to an unintended destination.
In agentic AI contexts — where the AI is not merely answering questions but taking actions, retrieving documents, sending emails, or querying databases on behalf of users — prompt injection vulnerabilities can have significant downstream consequences beyond simple information disclosure.
Microsoft Copilot: The Vulnerability
The Microsoft Copilot flaw involved an indirect prompt injection attack path. Researchers found that Copilot, when operating in enterprise deployments with access to SharePoint documents, emails, and Teams messages, could be manipulated by maliciously crafted content embedded in documents it was asked to summarize or analyze.
If an attacker could place a document into a location where a Copilot-enabled user would later ask the AI to summarize it, the embedded payload could instruct Copilot to:
- Exfiltrate the contents of other documents accessible to the user
- Summarize and transmit sensitive email content
- Redirect Copilot's response to include attacker-controlled external URLs as output
The attack required no access to the victim's credentials. An attacker only needed the ability to inject crafted text into a Copilot-accessible data source — something achievable through shared document libraries, public SharePoint sites, or email-based social engineering.
Microsoft addressed the flaw through server-side changes to how Copilot processes and scopes external content instructions, with no client-side patches required. The company confirmed the fix in its April 2026 security advisory.
Salesforce Agentforce: The Vulnerability
The Salesforce Agentforce vulnerability was similarly an indirect prompt injection, exploiting the platform's ability to retrieve and act on CRM data, emails, and Salesforce Flow automation triggers on behalf of users.
Researchers demonstrated a scenario in which malicious instructions embedded in a CRM record — such as a lead description or a case comment added by an external party — could hijack Agentforce's behavior when a sales or service agent asked the AI to analyze or summarize that record. The injected instructions could cause Agentforce to leak other records accessible to the agent user, or include crafted hyperlinks in AI-generated responses intended to harvest user credentials.
Salesforce patched the vulnerability by implementing stricter separation between instruction context and data context within the Agentforce execution pipeline. The fix was deployed server-side to all Salesforce tenants.
Why AI Agents Introduce New Attack Surface
Traditional application security is based on a clear separation: code executes instructions, and data is passively processed. AI agents collapse this distinction — they interpret natural language instructions and natural language data through the same model, making it structurally difficult to enforce boundaries between trusted instructions and untrusted content.
Key risk factors include:
- Agentic tool access: AI agents increasingly have access to email, calendars, documents, and databases — making successful injection attacks much more impactful than in traditional chatbot contexts
- Trust escalation: Enterprise deployments often grant AI agents elevated permissions to act on users' behalf, amplifying the blast radius of any injection
- Limited observability: Prompt injection attacks may not generate logs that traditional SIEM tools would flag, since the agent is executing a seemingly normal query
- Multi-step reasoning: Modern AI agents can chain multiple tool calls, meaning a single injected instruction can trigger a sequence of actions across multiple systems
Implications for Enterprise Deployments
Security teams deploying AI assistants like Microsoft Copilot or Salesforce Agentforce should treat externally-reachable content sources as untrusted inputs:
- Restrict agent data access to the minimum required — do not grant AI agents access to sensitive data repositories unless there is a clear business need
- Review system prompts to include explicit instructions about not following directives found in document content or CRM records
- Monitor agent activity logs for unusual output patterns, such as AI responses containing links to external domains or unexpectedly referencing unrelated records
- Apply the principle of least privilege to Copilot licenses — users who don't need access to broad SharePoint or email corpora should not have Copilot graph permissions over them
- Test your deployment with known prompt injection payloads against your AI-integrated data sources before granting broad enterprise rollout
Vendor Response
Both Microsoft and Salesforce responded quickly to the disclosures and deployed fixes without requiring end-user action. Neither company disclosed a CVSS score or CVE identifier for the underlying issues, consistent with how both vendors have historically handled LLM-specific security disclosures.
The researchers who identified the flaws were acknowledged by both vendors. Neither company disclosed whether the vulnerabilities were observed being exploited in the wild prior to patching.