A detailed writeup of a DEF CON Singapore talk covering a chain of vulnerabilities in Microsoft 365 Copilot and Consumer Copilot (CVE-2026-24299). The research demonstrates: (1) HTML preview as a data exfiltration channel via CSS font-face bypass, (2) Delayed Tool Invocation to plant instructions for later execution, (3) hijacking M365 Copilot's long-term memory via indirect prompt injection to write false or malicious memories, and (4) combining persistence with data exfiltration into a 'SpAIware' backdoor. The attack chain allows an attacker to silently exfiltrate emails, passwords, and other sensitive data from any future Copilot conversation after a one-time compromise. All issues were patched by Microsoft in early 2026. Key takeaways include the dangers of auto-committing memories without audit logs, the unreliability of CSP as a security boundary across Copilot hosting environments, and the need for explicit security contracts for AI widgets.

18 min read. From embracethered.com
Table of contents:
Introduction
Preface: A long, long time ago…
Chapter 1: HTML Preview as Exfiltration Channel
Chapter 2: Delayed Tool Invocation
Chapter 3: M365 Copilot Got Memory!
Chapter 4: SpAIware (Persistence + Data Exfil)
Encore: Hacking Consumer Copilot
Epilogue: Take-aways
Disclosure Timeline
References
