TRENDING TOPICS MAY 12, 2025

Microsoft Copilot in SharePoint Exposes Sensitive Data Through AI Agent Exploits 

Security researchers at PentestPartners have discovered multiple vulnerabilities in Microsoft’s Copilot for SharePoint, allowing attackers to access sensitive corporate data, including passwords, API keys, and confidential files. These AI-powered agents, automatically deployed with Microsoft 365 Copilot licensing, can be queried to reveal restricted information, bypassing standard permissions. Attackers have successfully used Default Agents to extract content from files protected by “Restricted View” and even pull sensitive data without triggering SharePoint’s access logs. Because Copilot's activity isn’t reflected in “recent files” or “accessed by” history, it creates blind spots that traditional monitoring tools won’t catch. Social engineering prompts have proven effective in bypassing AI safeguards, and the ability to query large datasets quickly makes Copilot a high-value tool for malicious actors during intrusions. The threat becomes more serious with Custom Agents, which can be trained on broader datasets and given access to multiple sites, expanding the potential attack surface. In some cases, outdated permissions synced with Copilot allowed unauthorized data access even after permissions had been revoked. Researchers also found that Copilot can be manipulated to summarize or extract the contents of sensitive documents, giving attackers access without downloading files directly. These findings point to the need for tighter control over where agents are deployed, how they’re approved, and what data they can access. Experts urge organizations to improve SharePoint hygiene, restrict agent creation, monitor agent activity, and avoid storing sensitive information in accessible SharePoint locations. As AI integration deepens, these risks will only grow unless security policies evolve to address the new attack vectors introduced by automated assistants. 

Steganography-Based Ransomware Campaign Uses JPEGs to Deliver Undetectable Malware 

Security researchers have identified a sophisticated, multi-stage ransomware campaign that leverages steganographic techniques to embed malicious code within seemingly harmless JPEG images. Known as stegomalware, this method involves hiding PowerShell scripts within image files' metadata or pixel data, making the code virtually invisible to traditional antivirus and detection tools. The attack typically begins when a victim receives an image file via phishing emails, social media platforms, or compromised websites. The image appears harmless, but once opened, a secondary payload—usually a macro-enabled Office document—is triggered to extract and execute the embedded PowerShell. This script then downloads another JPEG file containing a Base64-encoded .NET assembly hidden between specific markers. That assembly is decoded and executed in memory, delivering the final ransomware payload while avoiding direct disk writes and detection by conventional endpoint solutions. The campaign is designed to evade detection at every stage. Using images and document macros as the delivery mechanism blends in with common user behavior, making it less likely to trigger suspicion. Once the ransomware is deployed, it encrypts files and establishes communication with remote command-and-control servers, allowing for further actions such as data exfiltration or additional malware deployment. Researchers have observed this technique being used in early 2025 to deliver RATs, including LimeRAT, AgentTesla, and Remcos, often as part of an initial access strategy before full ransomware execution. Fully Undetectable (FUD) cryptors and the obfuscation of payloads allow the malware to bypass even updated antivirus engines. To defend against these threats, experts advise disabling macros, deploying security tools with behavioral analysis, inspecting embedded components within images, and avoiding unsolicited downloads. 
This campaign demonstrates how attackers continue to innovate, turning common file formats into highly effective delivery mechanisms for advanced malware. 
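One way to act on the advice to inspect embedded components within images, as an added example that is not from the researchers' report: a C scanner that walks JPEG segments to the real end-of-image marker and classifies whatever follows it. It assumes the Base64 payload is appended after the image data (the summary does not say where the markers sit); `scan_jpeg`, `MIN_RUN` and the sample bytes are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

#define MIN_RUN 16 /* assumption: low so the constructed sample fits; raise in practice */
enum { NOT_JPEG = -1, CLEAN, TRAILING_DATA, TRAILING_B64, TRAILING_B64_PE };

/* Walk JPEG segments; return the offset just past EOI (FF D9), or 0 if malformed.
   Walking by length skips EXIF thumbnails, which carry their own FF D9. */
static size_t jpeg_end(const unsigned char *b, size_t n) {
    if (n < 4 || b[0] != 0xFF || b[1] != 0xD8) return 0;
    size_t i = 2;
    while (i + 2 <= n && b[i] == 0xFF) {
        unsigned char m = b[i + 1];
        if (m == 0xD9) return i + 2; /* EOI has no length field */
        if (i + 4 > n) return 0;
        size_t len = ((size_t)b[i + 2] << 8) | b[i + 3];
        if (len < 2 || i + 2 + len > n) return 0;
        i += 2 + len;
        if (m == 0xDA) /* after SOS: skip entropy data, stuffed FF 00 and RSTn */
            while (i + 1 < n && !(b[i] == 0xFF && b[i + 1] != 0x00 &&
                   b[i + 1] != 0xFF && (b[i + 1] < 0xD0 || b[i + 1] > 0xD7)))
                i++;
    }
    return 0;
}

static int is_b64(unsigned char c) { return isalnum(c) || c == '+' || c == '/' || c == '='; }
/* Classify the bytes that follow the image data. */
int scan_jpeg(const unsigned char *b, size_t n) {
    size_t end = jpeg_end(b, n), best = 0, at = 0, run = 0;
    if (!end) return NOT_JPEG;
    if (end == n) return CLEAN;
    for (size_t i = end; i < n; i++) { /* longest Base64-alphabet run in the tail */
        run = is_b64(b[i]) ? run + 1 : 0;
        if (run > best) { best = run; at = i + 1 - run; }
    }
    if (best < MIN_RUN) return TRAILING_DATA;
    /* Base64 of the PE magic "MZ" always starts "TV" then o, p, q or r */
    return (b[at] == 'T' && b[at + 1] == 'V' && b[at + 2] >= 'o' && b[at + 2] <= 'r')
               ? TRAILING_B64_PE : TRAILING_B64;
}

/* Constructed sample: tiny JPEG skeleton, then a marker-wrapped Base64 PE header. */
static const unsigned char SAMPLE[] =
    "\xFF\xD8\xFF\xE0\x00\x04JF\xFF\xDA\x00\x02\x12\x34\xFF\x00\x56\xFF\xD9"
    "<<B64>>TVqQAAMAAAAEAAAA//8AALgAAAAA<<END>>";

int main(void) { printf("verdict=%d\n", scan_jpeg(SAMPLE, sizeof SAMPLE - 1)); return 0; }
```

Any verdict above `CLEAN` is worth a closer look at a mail or web gateway, since ordinary viewers stop reading at the end-of-image marker.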

Google Project Zero Uncovers Sandbox Escape in macOS via Mach IPC Vulnerability 

Google Project Zero has revealed a critical sandbox escape vulnerability in macOS, leveraging flaws in Apple’s Mach Interprocess Communication (IPC) system. This foundational layer facilitates message exchange between applications and privileged system daemons. The researchers focused on the coreaudiod daemon, specifically the com.apple.audio.audiohald Mach service, which is responsible for audio subsystem management. Their analysis uncovered a type confusion flaw in how this service handled Mach messages; internal functions incorrectly assumed that objects retrieved from HALS_ObjectMap were of a specific type without validating that assumption. By crafting malicious Mach messages from within a sandboxed process, attackers could exploit this inconsistency to achieve out-of-bounds memory access or hijack execution flow through manipulated virtual function tables (vtables). The team identified which Mach services were reachable from sandboxed environments by analyzing sandbox profiles and using tools like sbtool. They filtered these down to high-value daemons with privileged access. They built a custom fuzzing harness that avoids the limitations of mach_msg—instead directly invoking message handlers for greater precision and coverage insight. This methodology revealed the vulnerability and a broader systemic risk: Apple’s privileged daemons often interact with untrusted sandboxed inputs without sufficient validation. Moreover, this class of vulnerabilities is challenging to detect and easy to overlook without a deliberate, low-level auditing approach. Project Zero’s open-source release of their harness and testing methodology gives the infosec community powerful tools to continue probing macOS internals for similar issues. 
Recommendations include enforcing strict input validation in IPC message handlers, minimizing unnecessary exposure of high-privilege Mach services to sandboxed processes, auditing all message-handling code in system daemons, and adopting fuzzing techniques that simulate real-world sandbox-to-daemon interactions. Organizations should also closely monitor Apple’s patch releases and prioritize macOS updates on systems where privilege escalation risks are unacceptable. This vulnerability, tracked as CVE-2024-54529, was patched by Apple in December 2024 by introducing explicit type checks. While there is no evidence of active exploitation, the exploitability from sandboxed contexts underscores the flaw's seriousness, especially as sandbox escapes are highly sought after for privilege escalation and initial access in macOS-targeted campaigns.
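The bug class described above, sketched as an added example (not Apple's or Project Zero's code): an ID-keyed object map whose handler casts without checking, next to the typed lookup that rejects the mismatch before any member is touched. All struct, function and ID names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object model: every object starts with an ID and a type tag. */
enum obj_type { OBJ_DEVICE = 1, OBJ_STREAM = 2 };
struct object { uint32_t id; enum obj_type type; };
struct device { struct object base; char name[8]; };
struct stream { struct object base; int (*on_start)(void); uint32_t channels; };

static int stream_started(void) { return 1; }
static struct device g_dev = { { 10, OBJ_DEVICE }, "spk0" };
static struct stream g_str = { { 20, OBJ_STREAM }, stream_started, 2 };
static struct object *g_map[] = { &g_dev.base, &g_str.base };

/* Lookup by ID only: the caller learns nothing about what kind of object it got. */
static struct object *map_find(uint32_t id) {
    for (size_t i = 0; i < sizeof g_map / sizeof g_map[0]; i++)
        if (g_map[i]->id == id) return g_map[i];
    return NULL;
}

/* Typed lookup: an explicit type check, the kind of fix the article describes. */
static struct object *map_find_typed(uint32_t id, enum obj_type want) {
    struct object *o = map_find(id);
    return (o && o->type == want) ? o : NULL;
}

/* BEFORE: trusts the sender-chosen ID to name a stream. Given a device ID, the
   cast reinterprets the device and on_start overlaps its name[] bytes. */
int handle_start_unchecked(uint32_t id_from_msg) {
    struct stream *s = (struct stream *)map_find(id_from_msg);
    return s ? s->on_start() : -1;
}

/* AFTER: unknown or wrong-typed IDs are rejected before any member access. */
int handle_start_checked(uint32_t id_from_msg) {
    struct stream *s = (struct stream *)map_find_typed(id_from_msg, OBJ_STREAM);
    return s ? s->on_start() : -1;
}

int main(void) {
    printf("stream id: %d, device id: %d\n",
           handle_start_checked(20), handle_start_checked(10));
    return 0;
}
```

When auditing message handlers, the pattern to search for is the first one: a cast applied directly to the result of an untyped map lookup keyed by a value taken from the message.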

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.