A single click on a manipulated Microsoft link was sufficient to exfiltrate sensitive data such as one-time passwords and corporate files through parameter-to-prompt injection.
A critical vulnerability in Microsoft 365 Copilot allows attackers to compromise systems through a simple link click, without resorting to classic phishing or password theft.