What makes SpAIware different from a standard prompt injection attack?

Standard prompt injection affects a single conversation session. SpAIware uses indirect prompt injection to write a malicious instruction into Copilot's long-term memory, so the attacker's payload executes automatically in every future session without any further attacker interaction. The compromised document or email is a one-time trigger; the backdoor it plants persists indefinitely.

Is CVE-2026-24299 patched, and are existing M365 deployments safe?

Microsoft patched the vulnerability on March 5, 2026, and assigned CVE-2026-24299. Organisations running fully updated M365 deployments are protected against the specific exploit chain Rehberger demonstrated. However, the underlying architecture, AI assistants with persistent memory features that can be influenced by processed content, remains a design-level risk that future variants could exploit differently.

How can organisations check whether their Copilot memory has been tampered with?

M365 Copilot exposes its stored memory to users in the Copilot settings panel. Administrators and users should review this regularly for instructions they did not add, particularly entries referencing data exfiltration endpoints, external URLs, or instructions to summarise and forward content. Clearing the Copilot memory store entirely is a blunt but effective remediation if tampering is suspected.

SpAIware: How Prompt Injection Backdoors M365 Copilot Across Future Sessions

Most prompt injection attacks are single-session events. The attacker embeds instructions in a document or web page, the victim opens it in an AI-assisted context, the model executes the instruction in that session, and when the session ends so does the attacker’s influence. Johann Rehberger’s research, presented at DEF CON Singapore in May 2026, breaks that assumption. The technique he named SpAIware uses indirect prompt injection to write persistent instructions into Microsoft Copilot’s memory feature, creating a backdoor that triggers automatically in every subsequent Copilot session the victim runs.

Microsoft assigned CVE-2026-24299 to the vulnerabilities involved and patched them on March 5, 2026. The research matters anyway, because SpAIware is not primarily about this one CVE. It is a demonstration that AI assistants with persistent memory are a qualitatively different threat surface than stateless chatbots.

The Attack Chain

Rehberger’s exploit combined four techniques, each solving a specific reliability problem:

Indirect prompt injection via document processing. The entry point is any piece of content that Copilot processes on a user’s behalf: an email, a shared document, a web page summary. The attacker embeds a prompt injection payload in this content. When the user asks Copilot a question that causes it to reference the content, the injected instruction enters the model’s context alongside the legitimate request.

HTML preview rendering for immediate exfiltration. M365 Copilot’s HTML preview feature rendered formatted content in-session. Rehberger exploited this by injecting CSS background-image and @font-face declarations pointing to attacker-controlled URLs. When Copilot rendered the preview, the browser fetched those resources, transmitting data in the request parameters. This handled same-session exfiltration: emails, files, and authentication artefacts accessible in the current context could be extracted before the user closed the conversation.

Delayed Tool Invocation as a reliability improvement. Earlier prompt injection research had highlighted that AI tool calls triggered immediately by injected instructions were often suppressed by safety layers or flagged by monitoring. Rehberger’s “Delayed Tool Invocation” technique instructs the model to defer the tool call to a specific point in the conversation flow, such as when generating a summary or responding to the next natural user prompt, reducing the signal that monitoring systems look for.

Memory poisoning for persistence. The final stage is what makes SpAIware distinct. Copilot exposes a memory tool that allows it to store facts across sessions: user preferences, project context, recurring instructions. Rehberger’s injection instructed Copilot to write a persistent entry into this memory store. The entry contained instructions directing Copilot to search for and exfiltrate specific content types whenever a future session was initiated. The victim’s next Copilot session, and the one after that, would automatically execute the backdoor without any further attacker interaction.

The result is a compromise that lives in the AI layer rather than the operating system or file system. No malware installed. No persistence mechanism on the endpoint. The infection is in Copilot’s stored memory.

Why Persistence Changes the Risk Model

Conventional AI assistant attacks require the attacker to maintain access to a document or resource the victim regularly processes. If the victim stops opening that document, the attack ends. Memory poisoning eliminates this dependency.

After a successful SpAIware plant, the attacker no longer needs to maintain any presence in the victim’s environment. The compromised memory entry does the work. It executes on every Copilot session, giving the attacker ongoing access to whatever data the victim asks Copilot about: emails, files, calendar items, Teams messages, anything within M365’s scope that Copilot can read.

The threat profile starts to resemble a traditional implant. The initial exploitation is the hardest part. Once the memory is poisoned, the attacker has achieved persistent, low-noise access that would not show up in EDR telemetry, would not appear in application logs as an anomalous process, and would not trigger network detection unless outbound traffic monitoring specifically watched for Copilot data paths.

The Windsurf Variant

Rehberger’s earlier 2025 research documented the same SpAIware technique against Windsurf, Codeium’s AI IDE. Windsurf, like M365 Copilot, supported persistent memory across sessions. Injected instructions in a processed repository file could write to this memory and persist across future coding sessions, potentially causing the IDE’s AI agent to modify code, exfiltrate project files, or install malicious dependencies in future sessions.

The existence of the same pattern in multiple AI products is the key point. SpAIware is not a Microsoft-specific bug. It is an attack pattern enabled by any AI assistant that combines: memory persistence, indirect input processing, and tool execution capability. Any product meeting those three criteria is a potential target for this class of attack.

The Copirate 365 Research and Additional Vulnerabilities

The DEF CON Singapore presentation, titled “Copirate 365,” covered additional attack surface in the M365 ecosystem beyond the memory poisoning. Consumer Copilot shared some of the same vulnerabilities. The exfiltration primitive using CSS rendering was applicable across Copilot surfaces that rendered HTML. The research also identified methods for memory deletion, allowing an attacker who had previously planted a SpAIware backdoor to clean up the memory entry after completing an exfiltration campaign, leaving minimal evidence.

Rehberger published the full technical details on his embracethered.com blog. His coordinated disclosure timeline with Microsoft ran from initial report through the March 2026 patch.

Defensive Guidance

Review Copilot memory contents. M365 Copilot exposes memory contents to users under Settings in the Copilot interface. Any stored instruction the user did not explicitly add should be treated as suspicious. Instructions referencing external URLs, data forwarding, or content retrieval are the specific indicators to look for. Security teams deploying Copilot at scale should consider building periodic memory content audits into their monitoring workflows.

Disable or restrict Copilot memory in high-risk contexts. Copilot’s memory feature can be disabled by administrators through the M365 admin centre. Organisations with high-sensitivity workloads, where data exfiltration through an AI assistant would be particularly damaging, should evaluate whether the productivity benefit of persistent memory is worth the persistence risk it introduces.

Monitor outbound network requests from M365 sessions. The exfiltration primitives Rehberger demonstrated relied on outbound HTTP requests to attacker-controlled infrastructure. DLP and network monitoring capable of inspecting M365 application-layer traffic should look for requests to domains outside the organisation’s expected M365 usage pattern, particularly those carrying encoded data in query parameters.

Treat AI assistant inputs as an untrusted data source. The fundamental countermeasure is treating documents, emails, and external content that an AI assistant processes as potentially adversarial. This is the same principle applied to user input in web applications. Copilot processing a document should not be granted the same level of system trust as a direct user instruction. Microsoft’s own model of privileged versus unprivileged context is the right architectural direction, and understanding which Copilot actions sit in each category is practical preparation for the next variant.