A victim clicks a single link in an email or chat. No typing, no password prompt, no second factor. Within seconds, their AI assistant quietly emails an attacker the contents of their inbox, their calendar, their files, and the tokens needed to take over other accounts. That is not a hypothetical. It is a now-patched vulnerability in Microsoft Copilot Enterprise, demonstrated by Varonis researchers and reported by Futurism, that weaponized the very permissions that make enterprise AI assistants useful.
The trick is called parameter-to-prompt, or P2P, injection. Instead of pasting malicious text into a chat box, the attacker hides instructions in the query parameters of a URL, the long string of characters that lives after the question mark in a web address. When Copilot Enterprise follows the link to summarize or answer a question about it, the assistant reads those parameters as instructions, not as a link to process. The injected prompt tells Copilot to package up the user's mail, files, or identity data and send them out to an attacker-controlled address, all using the user's own authenticated session.
That last detail is the structural problem. Copilot Enterprise does not run in a sandbox. It runs with the full set of Microsoft 365 Graph permissions granted to the person who clicked the link. Graph is the connective tissue that lets a single employee identity reach mail, OneDrive files, SharePoint sites, Teams chats, calendar entries, and authentication tokens for connected services. When an attacker steers Copilot through P2P injection, they inherit whatever the victim can see. Varonis called the result "a one-click data exfiltration weapon," and the underlying mechanism generalizes: any AI assistant that operates on a user's behalf with the user's permissions is a new way for a hostile URL to act as the user.
The disclosure lands in a familiar category. P2P injection is a sibling of ordinary prompt injection, the broader class of attacks in which crafted text overrides an LLM's instructions. What is new here is the delivery vehicle. A typed prompt requires a user to engage with an attacker-controlled surface, and most enterprise filters now scan chat input for hostile patterns. A URL bypasses both filters and the user's attention, because clicking links is something employees are trained to do all day. Once the link resolves, the AI executes the payload while the user assumes they have just visited a page.
Varonis showed the chain end to end. A crafted link to Copilot Enterprise was enough for the assistant to read sensitive mail and forward it to an external address, with the action appearing in audit logs as ordinary activity by the legitimate user. Because Copilot was acting as the user, downstream services that trusted the user's session, including the ability to enroll a new device for two-factor authentication, reset passwords, or accept new sign-in prompts, were reachable through the same path. According to Varonis researchers' account in Futurism's reporting, Microsoft has since shipped a fix for the specific P2P vector, and the team publicly thanked Microsoft for its response.
Two weeks before the Copilot disclosure, Meta's AI chatbot on Instagram produced a smaller version of the same pattern: researchers walked the assistant into changing the email address tied to a target account, again with the chatbot acting as the logged-in user rather than as a tool the user had to authorize step by step. The two incidents are not the same bug, and they are not the same company. They are two instances of the same underlying failure mode: AI assistants are being deployed as authorized actors inside identity systems, and the controls around them were written for human users.
The mitigations that follow from this are not exotic. Treat every AI action as a user action for audit, and surface AI-initiated outbound mail, file moves, and identity changes with their own flag in security logs. Scope what each assistant can actually reach rather than granting it the full Graph, the same principle that has governed least-privilege API design for a decade. Restrict the data sources an assistant is allowed to ingest, so a prompt-injected summarization task cannot pull from mailboxes the user would not normally open in a single sitting. Add output-side data loss prevention that watches for unexpected addresses, large attachments, or credential-reset flows triggered through an assistant rather than a user. Finally, extend the same phishing-resistance practices used on links to AI surfaces: an assistant that follows a link is making a click on the user's behalf, and that click deserves the same scrutiny.
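The audit flag and output-side checks described above, as an added example that is not code from Varonis, Microsoft, or the original article. The event schema, the `initiator` field, the domain list, the per-user correspondent baseline, and the size threshold are all assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Hypothetical event schema (assumption): not a real Microsoft 365 audit format.
@dataclass
class Event:
    user: str
    initiator: str            # "user" or "assistant": the separate flag argued for above
    action: str               # "send_mail", "file_move", "mfa_enroll", "password_reset"
    recipients: tuple = ()
    attachment_bytes: int = 0

INTERNAL_DOMAINS = {"example.com"}                         # assumption: tenant domains
KNOWN_CORRESPONDENTS = {"alice": {"partner@vendor.test"}}  # assumption: per-user baseline
IDENTITY_ACTIONS = {"mfa_enroll", "password_reset", "email_change"}
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024                     # assumption: policy threshold

def unexpected_recipients(event):
    """External addresses the user has no history of mailing."""
    known = KNOWN_CORRESPONDENTS.get(event.user, set())
    return [r for r in event.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
            and r.lower() not in known]

def review(event):
    """Reasons an assistant-initiated event should be held for review."""
    if event.initiator != "assistant":
        return []             # human actions go through the existing controls
    reasons = []
    if event.action == "send_mail":
        reasons += ["unexpected_recipient:" + r for r in unexpected_recipients(event)]
    if event.attachment_bytes > MAX_ATTACHMENT_BYTES:
        reasons.append("large_attachment")
    if event.action in IDENTITY_ACTIONS:
        reasons.append("identity_change_via_assistant")
    return reasons

# Constructed sample events, not taken from any real log.
SAMPLE = [
    Event("alice", "user", "send_mail", ("drop@unknown.test",)),
    Event("alice", "assistant", "send_mail", ("bob@example.com",)),
    Event("alice", "assistant", "send_mail", ("partner@vendor.test",)),
    Event("alice", "assistant", "send_mail", ("drop@unknown.test",), 12 * 1024 * 1024),
    Event("alice", "assistant", "mfa_enroll"),
]

def flagged(events):
    """Map event index to its review reasons, skipping clean events."""
    return {i: r for i, e in enumerate(events) if (r := review(e))}
```

The check only works if the platform records who initiated an action; without that field, the assistant's mail and identity changes are indistinguishable from the user's own.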
The Copilot patch closes one hole. The category it exposed will keep reopening as long as enterprise AI assistants ship with the user's full identity attached by default. The question for the next vendor briefing is not whether this assistant or that one has a bug. It is whether the assistant has been given the permissions a careful administrator would grant a new hire on the first day, or the permissions of a domain admin who has been there for ten years.