system: OPERATIONAL
← back to all hacks
PROMPT INJECTION CRITICAL NEW

Drive-by prompt injection: a website could silently command Copilot on mobile

Microsoft patched a critical flaw on 14 July 2026 in which a malicious webpage could make Edge for Android fire hidden prompts at the Copilot app — no confirmation, no origin check.

2026-07-17 // 6 min affects: microsoft-365-copilot, microsoft-edge, copilot

What is this?

On 14 July 2026, as part of a record-setting Patch Tuesday, Microsoft disclosed and fixed a critical flaw in its mobile Copilot assistant. Rated 9.6 on the CVSS scale — among the most severe entries of the month — the vulnerability let a malicious website drive Copilot without the user’s knowledge. It was reported privately by Ofek Levin of the security firm Enclave, was not public before the patch, and, according to Microsoft, was never exploited in the wild and does not appear on any known-exploited list.

The interesting part is the delivery path. This is not a jailbreak of the model or a poisoned document pulled in at runtime. It is a plumbing failure at the boundary between a mobile browser and a mobile AI app: one component accepted prompt requests from another without asking for confirmation and without checking where they came from. Microsoft classifies the underlying weakness as command injection (improper neutralization of special elements used in a command). We treat it as a defensive case study in what happens when an AI assistant trusts its input channel too much.

How it works

Microsoft’s advisory describes a chain that requires nothing from the victim beyond opening a web page in Microsoft Edge for Android.

Malicious page  -> victim simply visits it in Edge for Android
Crafted request -> the page induces Edge to send prompts to the Copilot app
No gatekeeping  -> receiving component accepts them, unconfirmed, origin unchecked
Copilot acts    -> attacker-chosen prompts run as if the user had typed them

The core defect is the missing gate between the two apps. The component that received prompt requests did not prompt the user to confirm the action and did not verify the origin of the request, so instructions crafted by an attacker-controlled page were processed as though they came from the legitimate user. Microsoft states the result could be unintended actions in Copilot, such as reading or changing data — the assistant carrying out whatever the injected prompt asked, within the permissions the user’s Copilot already holds.

There is a documented ambiguity worth flagging honestly: the advisory names Microsoft 365 Copilot for iOS and Android as the affected products, yet the attack narrative mentions only Edge for Android, and the linked updates point to Microsoft Edge in the app stores rather than to a Copilot build. Microsoft did not name a specific fixed version number. We are not publishing any payload or reproduction detail; the mechanism — an inter-app request channel that treats unauthenticated, cross-origin input as trusted user intent — is the lesson.

Why it matters

Drive-by prompt injection is exactly the kind of attack the security community warned would arrive once assistants gained the ability to act. It combines two ingredients of the “lethal trifecta”: untrusted content (any web page) and an agent that can take consequential actions on the user’s behalf. What moves this from conference-talk hypothetical to a real Patch Tuesday line item is the zero-interaction delivery — no click on a link inside the page, no file to open, no extension to install. Visiting the page is enough.

The blast radius is bounded by what the mobile Copilot can already do for that user: read and write across the data and connectors it is signed into. For an enterprise deployment where Copilot reaches mail, files and chat, “reading or changing data” is not a trivial outcome. And because the trigger is a web visit rather than a phishing payload, traditional user-awareness controls (“don’t open attachments”) offer little protection. The good news is real: the flaw was found through responsible disclosure, patched before it went public, and rated less likely to be exploited. The lesson is durable regardless — assistant input channels are now part of the attack surface.

Defenses

Patch the client software. Because Microsoft tied the fix to app-store updates rather than a named build, the practical move is to keep both the Copilot app and Microsoft Edge current on every managed mobile device, via the Play Store on Android and the App Store on iOS.

Reduce mobile Copilot’s reach. Apply least privilege to what the assistant can touch on mobile — scope connectors, data access and any action-taking capability to what users genuinely need, so a hijacked prompt has less to work with.

Require confirmation for consequential actions. The root cause here was silent, unconfirmed request handling. Where you control agent configuration, insist on explicit human approval before an assistant reads or modifies sensitive data, rather than allowing background execution triggered by an external channel.

Treat inter-app and browser-to-assistant channels as untrusted input. Any path by which a web page or another app can hand instructions to an AI assistant should authenticate the source and validate the request, exactly as you would an API call from the internet.

Remove what you do not use. If mobile Copilot is not part of someone’s workflow, uninstalling it eliminates the surface entirely — a clean control for devices that never needed the assistant.

Status

ItemDetail
DisclosureReported privately by Ofek Levin (Enclave); disclosed and patched on Patch Tuesday, 14 July 2026 (CVE-2026-48561)
SeverityCVSS 9.6 (critical); classified as command injection
Affected (per advisory)Microsoft 365 Copilot for iOS and Android; attack narrative references Edge for Android
ExploitationNot public before the patch; Microsoft reports no exploitation; not on CISA KEV; rated “less likely”
Fix statusPatched; keep the Copilot app and Microsoft Edge updated via the app stores

Sources