
Enterprise AI agents have become the new frontier for sophisticated cyberattacks, with a recently patched vulnerability in Microsoft’s Copilot Studio exposing critical security gaps that threaten entire organizational networks. The discovery of CVE-2026-21520—an indirect prompt injection vulnerability dubbed “ShareLeak” by researchers at Capsule Security—reveals that current enterprise security architectures are fundamentally unprepared for the autonomous capabilities of modern AI agents.
## Understanding the ShareLeak Vulnerability
The patched vulnerability in Microsoft Copilot Studio allowed attackers to inject malicious payloads directly into an agent’s system instructions through indirect prompt injection techniques. While Microsoft has addressed the immediate threat, the discovery raises alarming questions about structural weaknesses in agentic AI platforms.
According to Capsule Security, ShareLeak represents more than an isolated software bug—it exemplifies a systemic issue affecting the entire category of enterprise AI agents. The vulnerability enabled unauthorized access to sensitive data by exploiting the very features that make AI agents powerful: their ability to access internal systems, process external content, and execute complex workflows autonomously.
## The Lethal Trifecta: Three Pillars of Agent Insecurity
Capsule’s research identifies three critical components that create inherent vulnerabilities in any agent-based system:
* **Access to Private Data**: Enterprise agents require broad access to internal databases, documents, and proprietary systems to perform effectively
* **Exposure to Untrusted Content**: Agents routinely process emails, web content, and user inputs from unverified external sources
* **External Communication Capabilities**: The ability to send emails, update records, and interact with third-party APIs creates exfiltration pathways
When combined, these factors create what researchers call a “lethal trifecta”—a structural vulnerability that makes agentic platforms inherently susceptible to exploitation. ShareLeak perfectly demonstrated how attackers could weaponize this combination to extract sensitive information without triggering traditional security alerts.
## Multi-Turn Crescendo Attacks: Evading Detection
Perhaps more concerning than the vulnerability itself is the sophisticated attack methodology that accompanies it. Capsule Security revealed that attackers can deploy “multi-turn crescendo attacks” to distribute malicious payloads across multiple seemingly benign interactions.
Unlike traditional attacks that execute in a single action, these multi-turn strategies break malicious intent across several conversational turns. Each individual interaction passes security inspection, but the cumulative semantic trajectory results in data exfiltration or system compromise. This approach effectively bypasses stateless Web Application Firewalls (WAFs) and Data Loss Prevention (DLP) systems, which analyze interactions in isolation rather than as coordinated sequences.
## Parallel Threats: The Salesforce Agentforce PipeLeak
The security implications extend beyond Microsoft’s ecosystem. Capsule researchers discovered PipeLeak, a similar indirect prompt injection vulnerability affecting Salesforce Agentforce. Despite sharing technical similarities with ShareLeak—including the ability to manipulate agent behavior through crafted inputs—Salesforce had not assigned a CVE or issued a public advisory as of publication.
This discrepancy highlights a growing concern in the AI security landscape: inconsistent vulnerability disclosure practices among major platform providers. As enterprises increasingly deploy multi-vendor AI agent ecosystems, gaps in security communication create compound risks that security teams may not be equipped to address.
## Runtime Enforcement: A New Security Paradigm
In response to these evolving threats, Capsule Security proposes a fundamental shift from static security controls to runtime enforcement models. Their architecture deploys fine-tuned small language models—dubbed “guardian agents”—to evaluate every tool call before execution.
This approach moves security from the perimeter to the action layer, analyzing the semantic intent behind agent behaviors in real-time. By hooking directly into vendor-provided execution paths without requiring proxies or gateway appliances, organizations can maintain security without compromising agent performance.
## Securing Your AI Agent Infrastructure
As agentic AI systems become ubiquitous in enterprise environments, organizations must adopt comprehensive risk management strategies. Security teams should classify every agent deployment against the lethal trifecta exposure framework, implementing runtime enforcement for any agent handling sensitive production data.
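As an added illustration, not Capsule Security's or Microsoft's code, the following Python sketch shows both the trifecta classification recommended above and the stateful, per-tool-call gate described under "Runtime Enforcement" and "Multi-Turn Crescendo Attacks". It substitutes a simple rule-based taint policy for the fine-tuned guardian model; the tool names and their capability labels are constructed for the example.

```python
from dataclasses import dataclass

# The three legs of the "lethal trifecta" described in the article (constructed labels).
PRIVATE, UNTRUSTED, EXTERNAL = "private_data", "untrusted_content", "external_comms"

@dataclass(frozen=True)
class Tool:
    name: str
    legs: frozenset  # which trifecta legs this tool exposes

def classify_deployment(tools):
    """Static check: which legs an agent's tool set exposes, and whether all three
    are present (the combination that should trigger runtime enforcement)."""
    legs = frozenset().union(*(t.legs for t in tools))
    return legs, {PRIVATE, UNTRUSTED, EXTERNAL} <= legs

class SessionGuard:
    """Runtime gate evaluated before every tool call, against the whole session.
    A stateless filter judges each call alone; this tracks the trajectory and
    blocks an external send once the session has both ingested untrusted content
    and read private data. Rule-based stand-in for a guardian-agent model."""
    def __init__(self, tools):
        self.tools = {t.name: t for t in tools}
        self.seen = set()   # legs touched so far in this conversation
        self.log = []       # (turn, tool, verdict) for detection/forensics

    def check(self, turn, tool_name):
        legs = self.tools[tool_name].legs
        crossing = EXTERNAL in legs and {PRIVATE, UNTRUSTED} <= self.seen
        verdict = "BLOCK" if crossing else "ALLOW"
        self.log.append((turn, tool_name, verdict))
        if not crossing:
            self.seen |= legs  # only executed calls taint the session
        return verdict

# Constructed tool inventory for a hypothetical agent deployment.
TOOLS = [
    Tool("read_sharepoint", frozenset({PRIVATE})),
    Tool("fetch_url", frozenset({UNTRUSTED})),
    Tool("send_email", frozenset({EXTERNAL})),
    Tool("summarize_text", frozenset()),
]

def demo():
    """Constructed crescendo: every turn is harmless in isolation; only the
    fourth, seen in context, completes the exfiltration path."""
    guard = SessionGuard(TOOLS)
    steps = [(1, "fetch_url"), (2, "summarize_text"), (3, "read_sharepoint"), (4, "send_email")]
    return [guard.check(turn, tool) for turn, tool in steps]

if __name__ == "__main__":
    print(classify_deployment(TOOLS))
    print(demo())
```

The ordering is deliberately conservative: the gate blocks regardless of whether private data was read before or after the untrusted content arrived.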
The ShareLeak and PipeLeak vulnerabilities serve as critical wake-up calls: traditional cybersecurity measures are insufficient for the agentic era. Organizations must evolve their security postures to match the autonomous, context-aware capabilities of modern AI systems—or risk exposing their most sensitive data to increasingly sophisticated adversaries.
**Ready to secure your AI infrastructure? Evaluate your current agent deployments against the lethal trifecta framework today, and consider implementing runtime monitoring solutions before your next production deployment.**