Security Risks Uncovered in Enterprise AI: Potential for Data Exfiltration
Recent findings have alarmingly highlighted the vulnerabilities inherent in enterprise AI agents, which are intended to enhance workflow efficiency but could instead pose significant security risks. Security researchers have identified concerning prompt-injection vulnerabilities in both Microsoft Copilot Studio and Salesforce Agentforce, demonstrating how attackers might exploit these systems to execute malicious instructions disguised within seemingly innocent prompts.
According to research conducted by Capsule Security, two particular issues have emerged from Microsoft’s Copilot. These primarily involve SharePoint forms and public-facing lead forms, which can be manipulated by attackers. By issuing prompts that override the system’s intended functionality, attackers can initiate data exfiltration, funneling sensitive information to externally controlled servers. One such security flaw has already been categorized as a high-severity Common Vulnerability and Exposure (CVE), while another, deemed “critical,” is yet to receive formal categorization. These vulnerabilities have troubling implications, potentially allowing the theft of personally identifiable information (PII), customer and lead records, business context, and operational data.
In their disclosures, Capsule researchers pointed out that the inherent flaw lies in the way these AI agents interpret untrusted user inputs as legitimate system instructions. This critical oversight raises concerns regarding how AI systems manage and prioritize input data. The findings shared with CSO prior to their official publication suggest that the security protocols in place are insufficient to safeguard against such vulnerabilities.
ShareLeak: Insights into Microsoft’s Copilot Vulnerabilities
The issue identified in Microsoft’s Copilot Studio, termed "ShareLeak," specifically revolves around the processing of SharePoint form submissions. The attack begins when an assailant inserts a carefully crafted payload into a standard form field, commonly found in areas such as the "comments" section. The AI agent subsequently incorporates this malicious input into its operational context.
Due to the system’s tendency to concatenate user input with existing system prompts, the injected payload effectively overrides the original instructions intended for the agent. Consequently, the model is deceived into perceiving the assailant’s malicious instructions as legitimate commands. As a result, the compromised agent gains access to connected SharePoint Lists, allowing it to extract sensitive customer details—names, addresses, phone numbers—and send this information externally via email.
Even when heightened security measures flagged the suspicious behavior of data exfiltration attempts, the agents proceeded with transmitting sensitive information. The researchers attribute this vulnerability to the absence of a reliable distinction between trusted system commands and untrusted user data.
In response to these revelations, Microsoft patched the vulnerability, designating it as CVE-2026-21520. The issue was rated at 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS) scale, prompting an internal mitigation process that required no additional action from users.
PipeLeak: The Salesforce Agentforce Exploit
Meanwhile, the situation with Salesforce’s Agentforce displays a similar pattern. Attackers can embed malicious instructions within a public-facing lead form. When an internal user later prompts the agent to review or process that lead, the malicious instructions embedded in the form are executed as if they were part of the agent’s original task.
Capsule’s demonstrations showed that the agent can retrieve customer relationship management (CRM) data using the “GetLeadsInformation” function and send this information to external recipients via email. Alarmingly, this breach doesn’t restrict the compromise to a single record. The researchers illustrated that a compromised agent could systematically query and exfiltrate multiple lead records in a single operation, effectively converting a routine form submission into a substantial database extraction effort.
Salesforce has acknowledged the presence of the prompt injection issue yet described the exfiltration vector as “configuration-specific,” suggesting it is contingent upon optional human-in-the-loop (HITL) controls. However, Capsule Security has challenged this characterization, asserting that requiring human intervention contradicts the very objectives that autonomous agents are designed to achieve.
The underlying concern, as noted by the researchers, is about the insecure defaults in these systems. Automated solutions ought to be engineered such that untrusted inputs cannot redefine the goals of agent functionality.
Both findings underscore a vital need for a fundamental shift in how external inputs are treated within AI systems. Researchers advocate for protocols that classify all external inputs as untrusted, accompanied by robust filters designed to separate data from instructions effectively. This comprehensive approach would necessitate implementing strict input validation, enforcing least-privilege access, and establishing rigorous controls on actions, particularly regarding outbound email communications.
The revelations surrounding these AI agents serve as a stark reminder of the security responsibilities organizations must undertake as they increasingly rely on automation to enhance productivity. The dual roles of enterprise AI as both a valuable asset and potential vulnerability challenge stakeholders to reassess their security strategies to safeguard sensitive data.