A max critical vulnerability in Microsoft's M365 Copilot AI platform allowed hackers to extract two-factor authentication codes from users, which was patched last Tuesday. Researchers who discovered the flaw revealed that their proof-of-concept exploit could retrieve sensitive data, including 2FA codes, from emails accessible to Copilot1. The vulnerability stems from the AI's inability to differentiate between legitimate user instructions and malicious requests embedded in third-party content. This limitation is a common issue among large language model providers, including Microsoft, making it challenging to prevent their products from divulging sensitive information. The exploit highlights the security risks associated with AI-powered platforms, particularly those with access to sensitive user data. This vulnerability matters to security practitioners because it underscores the need for robust security measures to mitigate the risks posed by AI-powered systems, which can amplify existing threats if not properly secured.