Microsoft Warns of Nation-State Prompt Injection Campaigns Targeting AI Assistants and Copilots

Microsoft detailed how multiple nation-state threat actors are experimenting with prompt injection to manipulate AI assistants and Copilot-style tools used in enterprises.[rich_content:2] The report describes scenarios where malicious content in emails, SaaS documents, and websites is crafted to override system instructions, leading to data leakage, phishing amplification, and unauthorized actions through connected tools.[rich_content:2] Microsoft introduced new content labeling, isolation, and grounding safeguards and urged organizations, including SMBs and SaaS providers, to treat untrusted AI inputs as an attack surface.[rich_content:2]

Microsoft reports that multiple nation-state threat actors are experimenting with prompt injection by embedding malicious instructions into emails, SaaS documents, and websites to manipulate enterprise AI assistants and Copilots, causing system prompts to be overridden and leading to data leakage, phishing amplification, and unauthorized actions via connected tools.[1] Microsoft also describes new safeguards such as content labeling, isolation, and grounding, and urges organizations, including SMBs and SaaS providers, to treat untrusted AI inputs as part of their attack surface.[1] From a CyberSE.AI perspective, this is a clear case of indirect prompt injection against AI agents that have tool and data access, requiring secure agent design, targeted red teaming of AI workflows, and business logic audits to prevent unintended actions or data exposure when assistants process untrusted content. Organizations should systematically assess where AI agents consume external content, define strict tool-use and data-access policies, and implement continuous testing and governance to keep these controls effective as attackers evolve.