A now-patched vulnerability in Microsoft 365 Copilot allowed attackers to steal sensitive data using ASCII smuggling, a technique that hides invisible data within clickable links. The attack involved prompt injection and tool invocation, enabling the exfiltration of data such as MFA codes to third-party servers. Proof-of-concept attacks showed that similar vulnerabilities could manipulate AI tools like Copilot for spear-phishing and bypassing security measures. Microsoft has fixed the issue and recommends that enterprises strengthen security controls to prevent such risks.
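An output filter for the hidden-data-in-links behaviour described above, as an added example that is not code from Microsoft or from the original report. It assumes the invisible carrier is the Unicode Tags block (U+E0000 to U+E007F), which the summary does not spell out; the function names and the `example.test` URL are hypothetical.

```python
import re
from urllib.parse import unquote

# Unicode Tags block: each code point mirrors an ASCII character at offset
# 0xE0000 but renders as nothing in most UIs (assumed carrier, see lead-in).
TAG_RUN = re.compile("[\U000E0000-\U000E007F]+")
URL = re.compile(r"https?://[^\s)>\]]+")  # simple matcher for illustration

def reveal(run: str) -> str:
    """Map a run of tag characters back to the ASCII it mirrors, for triage."""
    return "".join(chr(ord(c) - 0xE0000) for c in run
                   if 0xE0020 <= ord(c) <= 0xE007E)

def scan(text: str) -> list[dict]:
    """One finding per hidden run; runs inside a link are flagged as 'url'."""
    findings = []
    for m in URL.finditer(text):
        # unquote() also catches tag characters sent percent-encoded as UTF-8.
        for run in TAG_RUN.findall(unquote(m.group())):
            findings.append({"where": "url", "hidden": reveal(run)})
    for run in TAG_RUN.findall(URL.sub(" ", text)):
        findings.append({"where": "text", "hidden": reveal(run)})
    return findings

def sanitize(text: str) -> str:
    """Drop any link that carries hidden data, then strip stray tag characters."""
    def check(m: re.Match) -> str:
        return "[link removed]" if TAG_RUN.search(unquote(m.group())) else m.group()
    return TAG_RUN.sub("", URL.sub(check, text))

# Constructed sample of model output: the link hides the ASCII string "id=7".
SAMPLE = ("Your summary is ready: [open report](https://example.test/r?q=ok"
          "\U000E0069\U000E0064\U000E003D\U000E0037) and nothing else.")

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(sanitize(SAMPLE))
```

Run `scan` on model output before it is rendered and log the findings; `sanitize` is the enforcement step for the rendering path.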