Microsoft and Salesforce have both issued patches for prompt injection vulnerabilities in their respective AI agent platforms — Microsoft Copilot and Salesforce Agentforce — that would have allowed an external attacker to cause the AI agents to leak sensitive data from connected enterprise systems.
The flaws represent an emerging attack class specific to agentic AI systems: rather than exploiting code logic directly, attackers craft malicious content that manipulates the AI model's behavior when it processes that content during a task.
What Was Found
Security researchers identified prompt injection vulnerabilities in both platforms during the same general research period. Both flaws shared a common characteristic: an external party could influence AI agent behavior by embedding adversarial instructions in content that the agent would process during normal operation.
Microsoft Copilot
In Microsoft Copilot, the vulnerability allowed an attacker to craft a malicious document, email, or webpage. When a Copilot user asked the AI to summarize, analyze, or act on that content, hidden instructions embedded in the malicious content could redirect the agent to exfiltrate data from the user's Microsoft 365 environment — including emails, files, and calendar data — to an attacker-controlled destination.
Microsoft Copilot is deeply integrated into Microsoft 365 services and has access to enterprise data at the level of the authenticated user. This makes prompt injection attacks against Copilot particularly high-impact: a single successful injection can expose the entire corpus of data accessible to the targeted user's account.
Salesforce Agentforce
In Salesforce Agentforce, researchers found a similar injection path. Agentforce agents — which can access Salesforce CRM objects, run automations, and communicate via connected channels — could be manipulated by adversarial content in customer messages, support tickets, or external data feeds processed by the agent.
A successful exploitation would cause Agentforce to retrieve and transmit sensitive CRM data (such as customer records, opportunity details, or contact information) to locations specified by the attacker-controlled injection payload.
Why Prompt Injection Is Difficult to Prevent
Unlike traditional injection attacks (SQL injection, command injection), prompt injection targets the AI model's instruction-following behavior rather than a deterministic parser with well-defined syntax rules. This creates unique defensive challenges:
| Traditional Injection | Prompt Injection |
|---|---|
| Exploits parser logic | Exploits model instruction-following |
| Fixed syntax boundaries | Fluid natural language — no clear delimiter |
| Detectable via pattern matching | Requires semantic understanding to detect |
| Patched via input sanitization | Requires multi-layer controls |
Current mitigations include:
- System prompt hardening — Explicit instructions to the model not to follow instructions embedded in processed content
- Output filtering — Inspecting agent outputs for evidence of exfiltration patterns before they are executed
- Permission scoping — Restricting agent capabilities so they cannot send data to external endpoints without explicit user confirmation
- Content provenance tracking — Flagging content from external sources as untrusted before it reaches the agent's context window
Neither approach is fully reliable in isolation; defense-in-depth is required.
Patch Status
Both Microsoft and Salesforce have confirmed that the vulnerabilities have been addressed:
| Vendor | Platform | Fix Status |
|---|---|---|
| Microsoft | Copilot (Microsoft 365) | Patched — no user action required |
| Salesforce | Agentforce | Patched — no user action required |
As server-side AI platforms, both fixes were deployed by the vendors without requiring customers to update local software. Users of both platforms are automatically protected following the vendor-side remediation.
Recommendations for AI Platform Administrators
Despite the patches, organizations using AI agents with broad data access should review their deployment configurations:
- Audit AI agent permissions — Apply least-privilege to all AI agent service accounts; agents should only access data required for their specific functions
- Enable agent action logging — Ensure all AI agent actions (data reads, external communications, automations triggered) are logged and reviewable
- Implement human-in-the-loop checkpoints for high-risk agent actions such as sending emails, creating records, or transmitting data externally
- Monitor for anomalous agent behavior — Unexpectedly large data retrievals or outbound requests to unfamiliar URLs may indicate exploitation
- Restrict external content processing — Where possible, prevent AI agents from processing unvetted content from external parties (public web, anonymous customer messages) without sandboxing
Broader AI Security Context
These disclosures are part of a broader pattern of security research exposing prompt injection as a fundamental risk class for agentic AI systems. As organizations increasingly deploy AI agents with privileged access to enterprise data — email, CRM, code repositories, financial systems — the attack surface for prompt injection grows proportionally.
Security researchers and vendors are working to establish standards for AI agent security, including proposed frameworks from OWASP (the LLM Application Security Top 10) and emerging NIST guidance on AI system risk management. The OWASP LLM Top 10 lists prompt injection as the #1 risk for large language model applications.
For organizations evaluating or expanding AI agent deployments, security architecture reviews should treat prompt injection as a first-class concern alongside traditional authentication and authorization controls.