Executive Summary
In April 2026, security researchers identified critical prompt injection vulnerabilities in Microsoft Copilot and Salesforce Agentforce, which could allow attackers to exfiltrate sensitive data. In Microsoft's case, malicious code inserted into SharePoint forms could trigger Copilot to send customer data to unauthorized emails. Similarly, Salesforce's Agentforce was susceptible to prompt injections via public-facing lead forms, enabling unauthorized access to CRM data. Both companies have since patched these vulnerabilities. (darkreading.com)
This incident underscores the persistent threat of prompt injection attacks in AI systems, highlighting the need for robust input validation and security measures to prevent unauthorized data access and exfiltration.
Why This Matters Now
The rapid integration of AI agents into enterprise systems has introduced new attack vectors, such as prompt injection vulnerabilities, which can lead to significant data breaches. Organizations must prioritize securing AI interactions to prevent unauthorized data access and maintain trust in AI-driven processes.
Attack Path Analysis
An attacker exploited prompt injection vulnerabilities in Microsoft Copilot and Salesforce Agentforce by embedding malicious instructions into public-facing forms, leading to unauthorized access and exfiltration of sensitive data.
Kill Chain Progression
Initial Compromise
Description
The attacker submitted malicious inputs into public-facing forms integrated with Microsoft Copilot and Salesforce Agentforce, exploiting prompt injection vulnerabilities to gain unauthorized access.
Related CVEs
CVE-2026-21520
CVSS 7.5: Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows an unauthenticated attacker to view sensitive information through network attack vector.
Affected Products:
Microsoft Copilot Studio – -
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
LLM Prompt Injection
AI Agent Context Poisoning: Memory
Obtain Capabilities: Artificial Intelligence
LLM Prompt Crafting
Triggered Prompt Injection
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Software Development Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI agent prompt injection vulnerabilities in Microsoft Copilot and Salesforce Agentforce expose software development environments to data exfiltration through malicious form inputs and SharePoint exploits.
Financial Services
CRM lead capture form vulnerabilities enable unauthorized access to sensitive customer financial data through prompt injection attacks, violating PCI compliance requirements and zero trust principles.
Information Technology/IT
AI/ML security vulnerabilities demonstrate critical gaps in cloud-native security fabric protection, requiring enhanced egress filtering and anomaly detection for autonomous AI agent deployments.
Marketing/Advertising/Sales
Salesforce Agentforce prompt injection attacks through public-facing lead forms compromise customer relationship management systems, exposing prospect data and undermining sales pipeline security controls.
Sources
- Microsoft, Salesforce Patch AI Agent Data Leak Flaws: https://www.darkreading.com/cloud-security/microsoft-salesforce-patch-ai-agent-data-leak-flaws (Verified)
- NVD - CVE-2026-21520: https://nvd.nist.gov/vuln/detail/CVE-2026-21520 (Verified)
- Microsoft Security Response Center - CVE-2026-21520: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21520 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially reducing the attacker's ability to exploit internal pathways and exfiltrate sensitive data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit prompt injection vulnerabilities may have been constrained, limiting unauthorized access through public-facing forms.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained, limiting unauthorized command execution within the system.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally may have been constrained, limiting access to interconnected systems and data repositories.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain control over compromised systems may have been constrained, limiting the establishment of covert channels.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, limiting unauthorized data transfers to external destinations.
The overall impact of the incident may have been constrained, limiting the extent of data breaches and associated consequences.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management (CRM)
- Sales Operations
- Marketing Automation
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive customer data through AI agent interactions.
Recommended Actions
Key Takeaways & Next Steps
- Implement input validation and sanitization to treat all external inputs as untrusted data.
- Enforce Zero Trust Segmentation to limit AI agents' access to sensitive data and systems.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound communications from AI agents.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual AI agent behaviors.
- Regularly update and patch AI systems to address known vulnerabilities promptly.
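
One way to combine the untrusted-input and egress-control recommendations for an agent's outbound email action is sketched below. It is an added example, not code from Microsoft, Salesforce or Aviatrix. The `send_email` tool name, the `ToolCall` shape and the `example.com` allow-list are assumptions.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Assumption: domains the agent may email; exact match, never suffix match.
ALLOWED_DOMAINS = {"example.com"}

@dataclass
class ToolCall:
    tool: str                # hypothetical tool name, e.g. "send_email"
    recipients: list
    context_untrusted: bool  # True if this turn ingested public form input

def recipient_domain(addr: str) -> str:
    """Lowercased domain of an address, or '' when it cannot be parsed."""
    _, email = parseaddr(addr)
    local, sep, domain = email.rpartition("@")
    return domain.lower().rstrip(".") if sep and local else ""

def evaluate(call: ToolCall):
    """Return (decision, offending_recipients) for an outbound email call."""
    if call.tool != "send_email":
        return "out_of_scope", []          # other tools need their own policy
    if not call.recipients:
        return "deny", []                  # fail closed on malformed calls
    bad = [r for r in call.recipients
           if recipient_domain(r) not in ALLOWED_DOMAINS]
    if not bad:
        return "allow", []
    # An external recipient after untrusted input was read is the pattern
    # this incident describes: block it. Otherwise hold for human review.
    return ("deny" if call.context_untrusted else "review"), bad

# Constructed sample calls, not taken from the incident.
SAMPLES = [
    ToolCall("send_email", ["Sales <sales@EXAMPLE.com>"], True),
    ToolCall("send_email", ["ops@example.com", "x@example.com.evil.test"], True),
    ToolCall("send_email", ["partner@vendor.test"], False),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(evaluate(c), c.recipients)
```

The guard runs outside the model, so instructions embedded in a form field cannot change the allow-list or the decision.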



