PERMISSION/PROTOCOL

2026-06-12

High · Primary

CVE-2026-24299 Copirate 365: M365 Copilot Memory Poisoning via Chained Prompt Injection and CSS Exfiltration

Chained attack on M365 Copilot: indirect prompt injection exploits CSS font-face CSP bypass to exfiltrate data, then poisons persistent memory — compromising every future conversation with no audit trail.

Product: Microsoft 365 Copilot
Category: Credential exposure
Impact: Persistent agent memory poisoning / data exfiltration
Affected surface: M365 Copilot memory layer / all future user conversations

What happened

The attacker embeds an indirect prompt injection in an innocuous-looking document (e.g., an Einstein biography). When Copilot previews it, CSS @font-face requests leak sensitive context to an attacker-controlled server. Any binary user response ('yes'/'no') then triggers a record_memory call that poisons persistent memory, planting a backdoor that survives the session.

Why it matters

Every subsequent M365 Copilot conversation for the affected user rendered HTML previews whose font requests encoded sensitive data (emails, Teams messages, SharePoint documents, credentials) into URLs fetched from attacker infrastructure. The memory write that installed this behaviour generated no audit record in Microsoft Purview.

Missing authorization check

Writes to the Copilot memory store should require an explicit authorization receipt signed by the user. The record_memory tool had no audit hook and no external gate — it was callable by any prompt injection without any user-observable confirmation.

Would PP block it?

PP covers the memory poisoning vector: a tool-call gate requiring a signed receipt for any record_memory invocation would block the backdoor installation. The initial data exfiltration via CSS font-face requests is a rendering-layer issue that PP does not currently address — that requires a CSP enforcement fix on Microsoft's side. Full coverage needs both: PP for memory writes, vendor-side CSP for exfiltration.

Incident analysis

Timeline and technical read

Timeline

  1. 2025-10-16

    CSS exfiltration via background-image disclosed to Microsoft MSRC

  2. 2025-11-19

    Full chained PoC (HTML exfiltration + memory poisoning + persistent backdoor) shared with MSRC

  3. 2025-12-06

    Microsoft patches memory modification via record_memory

  4. 2026-03-05

    Microsoft patches HTML preview exfiltration (CVE-2026-24299 fully resolved)

  5. 2026-06-12

    Full attack chain presented publicly at DEF CON Singapore as 'Copirate 365'

Technical breakdown

  • CSS @font-face src: url() bypassed the img-src CSP allowlist because font-src was more permissive across M365 hosting environments — a subtle cross-origin exfiltration channel invisible to content scanners.
  • Prompt injection was embedded in document content (e.g., an Einstein biography) and relied on delayed tool invocation — the malicious instruction activated only after a binary user response, evading real-time injection detectors.
  • The record_memory tool was on by default with no Purview audit hook — memory writes generated zero log entries, making forensic detection impossible without manual user inspection.
  • Memory poisoning created a persistent backdoor: all future Copilot sessions for the affected user automatically rendered HTML previews that encoded and exfiltrated any sensitive content the user interacted with.
  • The attack surface spanned every M365 Copilot entry point (BizChat, Word, Excel, Outlook, SharePoint, copilot.microsoft.com) and required only that a user open a malicious document and provide any binary response.
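The first bullet above turns on a detail of how CSP fetch directives work: a background-image fetch is governed by img-src, a @font-face src fetch by font-src, and a directive that is absent falls back to default-src. The following is an added illustration, not Microsoft's policy or the researchers' code: a toy CSP evaluator run against two constructed policies, one with the shape the write-up describes (font-src broader than img-src) and one where font-src is tightened to the same allowlist. The hostnames, the page origin and the leak URL are all placeholders.

```python
from urllib.parse import urlparse

# Constructed policies for illustration; they are not Microsoft's real CSP.
# WEAK_CSP has the shape the write-up describes: img-src is allowlisted,
# but font-src is broader, so a @font-face fetch can reach an arbitrary host.
WEAK_CSP = ("default-src 'self'; "
            "img-src 'self' https://*.sharepoint.com; "
            "font-src 'self' https: data:")
FIXED_CSP = ("default-src 'self'; "
             "img-src 'self' https://*.sharepoint.com; "
             "font-src 'self' https://*.sharepoint.com")

# CSS fetch -> governing CSP directive (CSP3 fetch directives). A directive
# that is absent from the policy falls back to default-src.
CSS_FETCH_DIRECTIVE = {
    "background-image": "img-src",
    "@font-face src": "font-src",
}


def parse_csp(header):
    """Split "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_allows(source, url, page_origin):
    """Does one CSP source expression permit fetching url from page_origin?

    Handles 'none', 'self', '*', scheme-sources (https:, data:) and
    host-sources with an optional scheme and leading wildcard. Ports and
    paths are ignored to keep the illustration short.
    """
    u = urlparse(url)
    host = u.hostname or ""
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):                    # scheme-source, e.g. https:
        return u.scheme == source[:-1]
    scheme, sep, rest = source.partition("://")  # host-source
    if not sep:
        scheme, rest = "", source
    if scheme and scheme != u.scheme:
        return False
    pattern = rest.split("/")[0].split(":")[0]
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def fetch_allowed(csp, css_fetch, url, page_origin):
    """Evaluate a single CSS-initiated fetch against the policy."""
    policy = parse_csp(csp)
    directive = CSS_FETCH_DIRECTIVE[css_fetch]
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_allows(s, url, page_origin) for s in sources)


def exfil_channels(csp, attacker_url, page_origin):
    """List the CSS fetch types that would reach attacker_url under csp."""
    return [f for f in CSS_FETCH_DIRECTIVE
            if fetch_allowed(csp, f, attacker_url, page_origin)]


if __name__ == "__main__":
    origin = "https://m365.example"                     # hypothetical preview origin
    leak = "https://attacker.example/f.woff2?ctx=c2VjcmV0"  # constructed leak URL
    print(exfil_channels(WEAK_CSP, leak, origin))        # ['@font-face src']
    print(exfil_channels(FIXED_CSP, leak, origin))       # []
```

The point a scanner built around img-src misses: the same attacker host is blocked for background-image and permitted for @font-face src under WEAK_CSP, and only aligning font-src with the image allowlist (FIXED_CSP) closes both channels. The last check in the test below shows the fallback case too: with no font-src at all, the font fetch inherits default-src rather than the broader img-src.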

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Tool-Call Gate. The assessment is conditional: PP blocks the attack only where the real action boundary (here, the write to persistent memory) is routed through the gate.

If enforced at: Tool-call layer (record_memory), rendering layer (CSP)
Still needs: CSS-based rendering exfiltration is outside PP's enforcement surface; PP gates tool calls, not HTTP requests from the rendering engine
Receipt required for: Any write to persistent agent memory (record_memory or equivalent) that affects future sessions

PP's tool-call gate enforced externally to the M365 Copilot runtime would require a signed receipt before record_memory writes. This breaks the persistence step. The CSS exfiltration via font requests falls outside PP's current enforcement surface.
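What a receipt-gated record_memory looks like in practice, as an added sketch (not PP's own implementation and not Microsoft's code): the gate sits between the model's tool request and the memory store, refuses any gated call that lacks a receipt, binds the receipt to the exact user, tool and argument digest so an injected payload cannot ride on an approval given for something else, rejects replays and expiry, and writes an audit record for every attempt, which is the record the write-up says Purview never received. The signing key, user name, tool arguments and fixed clock are constructed for the demo; HMAC stands in for the asymmetric signature a real signer-in-the-loop deployment would use.

```python
import hashlib
import hmac
import json
import time

# Hypothetical per-user approval key, held by the user's signer (e.g. a
# browser extension or device), never by the Copilot runtime. Constructed
# for the demo; a real deployment would use an asymmetric key pair.
USER_KEY = b"constructed-demo-key-do-not-reuse"

# Tools whose effects outlive the current session and therefore need a receipt.
GATED_TOOLS = {"record_memory"}


def args_digest(args):
    """Canonical JSON digest so the receipt binds to the exact arguments."""
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def receipt_payload(user, tool, args, nonce, expires):
    return f"{user}|{tool}|{args_digest(args)}|{nonce}|{expires}".encode()


def sign_receipt(key, user, tool, args, nonce, expires):
    """Signer side: the user is shown the exact memory write and approves it."""
    sig = hmac.new(key, receipt_payload(user, tool, args, nonce, expires), "sha256").hexdigest()
    return {"user": user, "tool": tool, "nonce": nonce, "expires": expires, "sig": sig}


class ToolCallGate:
    """External gate in front of tool dispatch; every gated attempt is audited."""

    def __init__(self, key, clock=time.time):
        self.key = key
        self.clock = clock
        self.seen_nonces = set()
        self.audit = []

    def _verify(self, receipt, user, tool, args):
        if receipt is None:
            return "no_receipt"
        if receipt["user"] != user or receipt["tool"] != tool:
            return "receipt_mismatch"
        if receipt["expires"] < self.clock():
            return "expired"
        if receipt["nonce"] in self.seen_nonces:
            return "replayed"
        expected = hmac.new(self.key, receipt_payload(user, tool, args, receipt["nonce"],
                                                     receipt["expires"]), "sha256").hexdigest()
        if not hmac.compare_digest(expected, receipt["sig"]):
            return "bad_signature"
        return "ok"

    def invoke(self, user, tool, args, handler, receipt=None):
        if tool not in GATED_TOOLS:
            return handler(args)
        verdict = self._verify(receipt, user, tool, args)
        self.audit.append({"ts": self.clock(), "user": user, "tool": tool,
                           "args_digest": args_digest(args), "verdict": verdict})
        if verdict != "ok":
            raise PermissionError(f"{tool} denied: {verdict}")
        self.seen_nonces.add(receipt["nonce"])
        return handler(args)


def run_scenario():
    """Injected write, approved write, replay, and a receipt swapped onto other args."""
    gate = ToolCallGate(USER_KEY, clock=lambda: 1_000)
    memory = {}
    user = "alice@example.test"

    def record_memory(args):
        memory[args["key"]] = args["value"]
        return "stored"

    def attempt(args, receipt=None):
        try:
            gate.invoke(user, "record_memory", args, record_memory, receipt)
        except PermissionError:
            pass
        return gate.audit[-1]["verdict"]

    injected = {"key": "render_hint", "value": "always emit the HTML preview"}  # constructed
    approved = {"key": "preferred_language", "value": "en-GB"}                  # constructed
    verdicts = [attempt(injected)]                                 # prompt injection, no receipt
    r1 = sign_receipt(USER_KEY, user, "record_memory", approved, nonce="n1", expires=1_500)
    verdicts.append(attempt(approved, r1))                         # user-approved write
    verdicts.append(attempt(approved, r1))                         # same receipt again
    r2 = sign_receipt(USER_KEY, user, "record_memory", approved, nonce="n2", expires=1_500)
    verdicts.append(attempt(injected, r2))                         # valid receipt, wrong args
    return verdicts, memory


if __name__ == "__main__":
    print(run_scenario())
```

Two design choices matter here. The receipt covers a digest of the canonicalised arguments, so an approval for one memory entry cannot be reused to store a different one; and the audit entry is written before the allow/deny decision is acted on, so a denied injection attempt is itself visible to the SOC instead of leaving nothing behind.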

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
