# Microsoft and Salesforce Patch Critical AI Agent Data Leak Vulnerabilities


Two major cloud platform providers have quietly patched severe security flaws in their artificial intelligence agent systems that could have allowed external attackers to extract sensitive corporate data through prompt injection attacks. The vulnerabilities, discovered in Salesforce Agentforce and Microsoft Copilot, represent a growing class of threats targeting the expanding ecosystem of AI-powered business automation tools.


## The Threat


The recently remediated flaws exposed a critical attack surface: prompt injection vulnerabilities in AI agents designed to automate business processes and interact with enterprise systems. By crafting specially-formed inputs, attackers could manipulate these AI systems to bypass security controls and exfiltrate confidential information.


Both vulnerabilities share common characteristics:

  • External accessibility — attackers could trigger the exploits remotely without authentication
  • Data exposure scope — potential access to sensitive business data, customer information, and system credentials
  • Silent exploitation — attacks could potentially occur without triggering traditional security alerts
  • Chain-of-custody bypass — AI agents would execute unauthorized actions while appearing to operate normally

    • The discovery of these flaws underscores a fundamental challenge in deploying AI agents at scale: the difficulty of securing systems that are designed to process natural language input and execute complex workflows with broad system access.


    ## Background and Context


    ### AI Agents in Enterprise Environments


    Salesforce Agentforce and Microsoft Copilot represent a new generation of AI-powered tools intended to automate knowledge work. These systems are trained to:

  • Process customer inquiries and support requests
  • Access databases and business intelligence systems
  • Execute workflows across integrated applications
  • Generate reports and summaries from proprietary data

    • Organizations have rapidly adopted these tools because they promise significant productivity gains. However, their design — accepting open-ended natural language input and integrating deeply with enterprise systems — creates novel security challenges that traditional application security practices don't fully address.


    ### Prompt Injection: A Growing Attack Class


    Prompt injection attacks are not new, but their application to enterprise-grade AI systems represents an escalating threat. Unlike traditional application vulnerabilities that exploit code execution flaws, prompt injection manipulates an AI system's behavior by embedding hidden instructions within seemingly legitimate input.


    Common prompt injection techniques include:

  • Direct injection — embedding malicious commands directly in user input
  • Indirect injection — planting instructions in data sources the AI reads (documents, database fields, web pages)
  • Chaining — combining multiple prompts to gradually expand AI capabilities
  • Jailbreaking — bypassing safety guardrails through social engineering of the language model

    • ## Technical Details


    ### Salesforce Agentforce Vulnerability


    Salesforce's Agentforce system allows agents to connect to CRM databases, email systems, and customer communication channels. The patched vulnerability enabled attackers to inject prompts that would cause Agentforce agents to:

  • Retrieve customer records without authorization checks
  • Expose personally identifiable information (PII) and transaction history
  • Access internal notes and sensitive account details
  • Potentially execute actions on behalf of users

    • The flaw did not require a valid Salesforce account or access credentials. An attacker could craft a malicious message to a customer-facing Agentforce agent, embedding hidden instructions that would cause the agent to disclose information to the attacker's communication channel.


    ### Microsoft Copilot Vulnerability


    Microsoft's Copilot system, integrated across Office 365, Dynamics, and Azure environments, faced a similar issue. The vulnerability allowed attackers to construct inputs that would manipulate Copilot instances to:

  • Extract sensitive documents from SharePoint and OneDrive
  • Expose user credentials stored in configuration systems
  • Access internal communications and email archives
  • Exfiltrate data to external storage or communication channels

    • The attack required minimal sophistication — in some cases, a simple email or message embedded with injection commands would suffice.


    ### Root Cause Analysis


    Both vulnerabilities stemmed from insufficient input sanitization and instruction hierarchy:


    | Vulnerability Factor | Description |

    |---|---|

    | Insufficient input validation | Systems did not adequately distinguish between legitimate user input and hidden instructions |

    | Unclear instruction precedence | System prompts conflicted with embedded attacker prompts without clear resolution mechanisms |

    | Over-broad AI permissions | Agents had access to sensitive systems without granular authorization enforcement |

    | Lack of data boundary enforcement | No clear separation between data agents could access internally vs. return to users |


    ## Implications for Organizations


    ### Immediate Risk


    Organizations using Salesforce Agentforce or Microsoft Copilot in production environments need to understand the window of potential exposure:


    Risk factors:

  • How long were these systems deployed before the patch was available?
  • Did log data capture suspicious queries that might indicate exploitation?
  • What systems and data did the affected agents have access to?
  • Were any alerts or anomaly detection systems in place?

    • ### Broader Security Implications


    These vulnerabilities illuminate three critical gaps in enterprise AI security:


    1. AI Governance Gaps

    Most organizations lack mature policies for AI system deployment. Few have:

  • Security reviews specific to AI agents
  • Clear authorization boundaries for AI systems
  • Audit logging of AI decision-making
  • Incident response procedures for AI compromise

    • 2. Authentication and Authorization Challenges

    Traditional access controls assume human users with stable identities. AI agents complicate this model:

  • Agents may act with the privileges of their deployment account rather than the user requesting action
  • Service accounts often have broad permissions that are inappropriate for conditional grant to AI
  • Multi-factor authentication doesn't protect against compromised AI systems

    • 3. Detection Capability Deficiency

    Prompt injection attacks can be difficult to distinguish from legitimate behavior:

  • Unusual data access may not trigger alerts designed for traditional attack patterns
  • Natural language queries don't obviously flag as security violations
  • Attack success may be silent — data is simply copied rather than systems being disrupted

    • ## Recommendations


    ### For Organizations Using These Platforms


    Immediate Actions:

  • Apply security patches immediately to all Salesforce Agentforce and Microsoft Copilot deployments
  • Review agent access permissions and reduce to least-privilege where possible
  • Audit logs from the vulnerable period for signs of suspicious data access
  • Implement or strengthen data access logging and alerting

    • Medium-Term Measures:

  • Establish AI security governance policies before deploying additional AI agents
  • Implement rate limiting and anomaly detection on AI data access
  • Use separate service accounts for AI agents with limited permissions
  • Segment sensitive data from AI-accessible systems where feasible
  • Conduct security reviews of AI agent deployments similar to traditional application security reviews

    • Long-Term Strategic Changes:

  • Advocate for vendors to implement instruction hierarchy mechanisms that prevent hidden prompts from overriding system policies
  • Adopt AI security frameworks and maturity models
  • Build security monitoring capabilities specifically designed for AI system behavior
  • Train security and development teams on prompt injection attack vectors

    • ### For Vendors and Platform Providers


    The security community has identified best practices for hardening AI agents against injection attacks:


  • Explicit instruction boundaries — clearly separate system instructions from user input with cryptographic signing or other mechanisms
  • Output filtering — validate that AI system outputs match expected data types before returning to users
  • Least-privilege architecture — require explicit delegation of permissions rather than granting broad system access
  • Transparent decision logging — record what data AI systems accessed and why
  • Regular adversarial testing — conduct prompt injection penetration tests before release

    • ## Conclusion


    The Salesforce and Microsoft vulnerabilities represent a wake-up call for enterprises deploying AI agents in production environments. As organizations accelerate AI adoption to drive productivity, they cannot sacrifice the security controls that protect sensitive business data and customer information.


    The transition from traditional applications to AI-driven systems will require evolution in how organizations think about security. Prompt injection attacks will likely become a routine exploit vector — security teams must adapt their detection and response capabilities accordingly, while vendors must prioritize security in AI system architecture from the design phase onward.


    Organizations should treat these patches as a catalyst to mature their AI security practices before the next — inevitable — vulnerability is discovered.