SECURITY
Critical Copilot Flaw Let Hackers Steal 2FA Codes from Users
Here's a sentence nobody wants to read on a Monday morning: the AI assistant you trusted to make you more productive was quietly handing hackers the keys to your accounts. A critical vulnerability discovered in Microsoft Copilot allowed attackers to steal two-factor authentication codes directly from users — the very codes designed to be your last line of defense.
Let that sink in for a second. Two-factor authentication exists precisely because passwords alone aren't enough. It's the security world's version of a deadbolt after the front door lock. This flaw didn't pick the lock — it handed someone a copy of both keys.
The vulnerability reportedly allowed bad actors to manipulate Copilot into surfacing sensitive information through what security researchers describe as prompt injection, and specifically its indirect form. By embedding malicious instructions into content that Copilot would process — think documents, emails, or web pages — attackers could essentially hijack the assistant's behavior without the user ever knowing something was wrong. The assistant cannot reliably tell the difference between the data it was asked to read and the instructions hidden inside that data, so the AI becomes an unwitting accomplice.
This matters beyond the immediate technical details. Microsoft has been aggressively integrating Copilot across its entire product ecosystem — Outlook, Teams, Word, Edge, and more. That kind of deep integration is exactly what makes the product valuable, but it also expands the attack surface in ways that are genuinely hard to fully audit. Every new connection point is a potential entry for someone with bad intentions.
It's also worth noting that 2FA codes are time-sensitive, usually expiring within 30 to 60 seconds. For a hacker to weaponize a stolen code, they'd need to act fast — which tells you something about the sophistication required to actually exploit this in the wild. This wasn't a flaw any casual script kiddie could stumble into.
Microsoft has since patched the vulnerability, and there's no public evidence of widespread exploitation in the wild. That's the good news. The less comfortable news is that this class of attack — using AI assistants as a vector for data exfiltration — is not going away. If anything, it's going to get more common as these tools become more capable and more deeply embedded in how we work.
Security researchers have been sounding alarms about prompt injection vulnerabilities for a while now, but enterprise adoption of AI tools has largely outpaced the security community's ability to stress-test them at scale. This Copilot flaw is a loud reminder that when you give software more access and more intelligence, you also give potential attackers more to work with.
If you're an IT administrator, this is your nudge to revisit what data your organization's Copilot deployment can actually reach across the mail, chat, documents, and browsing it is wired into, and whether those permissions are as tight as they should be: an assistant that can only read what a given user is already entitled to read has far less to leak when someone slips it malicious instructions.
Source: Ars Technica
AI
Nadella Warns AI Could Hollow Out Industries Like Globalization Did
It's one thing when critics warn that AI will devastate the labor market. It's another thing entirely when the CEO of one of the companies building that AI says the same thing out loud. Satya Nadella, Microsoft's chief executive, has publicly cautioned that artificial intelligence could hollow out entire industries — and he reached for a historically painful comparison to make his point: globalization.
That's not a casual analogy. Globalization reshaped the economic geography of entire countries. It created enormous wealth at the top and for consumers broadly, while gutting manufacturing towns, eliminating middle-skill jobs, and leaving whole communities without a clear path forward. The people who bore the costs were rarely the ones who captured the benefits. Nadella appears to be suggesting AI could follow a similar pattern — and he's saying so while actively selling the technology driving that disruption.
There's something genuinely notable about that candor. Tech executives have a long tradition of downplaying the downsides of their products, at least publicly. Nadella's willingness to invoke globalization — a word with real political and human weight — signals either a new level of honesty from the industry or a calculated attempt to get ahead of a narrative that's increasingly hard to ignore. Maybe both.
The concern isn't really about robots taking over factory floors, the way AI anxiety used to be framed. The current wave of AI is white-collar by nature. It writes, codes, analyzes, summarizes, and advises. The industries most exposed aren't the ones that survived the last round of automation — they're the ones that thrived because of it. Legal research, financial analysis, software development, customer support, content creation: these are squarely in the crosshairs.
What made globalization so economically complicated was the mismatch between who gained and who lost, and the speed at which that happened relative to society's ability to adapt. Retraining programs chronically underdelivered. Safety nets weren't built for the scale of disruption. If AI moves faster than globalization did — and there's a reasonable argument it already is — those structural gaps become even more dangerous.
Nadella's comments also raise an uncomfortable question for Microsoft specifically: what responsibility does a company have when it's simultaneously warning about a risk and profiting from it? Microsoft has bet heavily on Copilot across its enterprise products, and that bet is paying off. The company isn't slowing down AI deployment while policymakers catch up.
To be fair, identifying a problem isn't the same as causing it, and Nadella has reportedly called for policy responses to help workers navigate the transition. But the globalization comparison cuts both ways — governments spent decades debating responses to that disruption while the damage accumulated in real time.
The question now is whether anyone actually learns from that history, or whether we're just adding a more eloquent narrator to the same story.
Source: VentureBeat