Blog Post

Microsoft Defender for Office 365 Blog
3 MIN READ

Defending the Inbox Against Prompt Injection Attacks

nithinnara's avatar
nithinnara
Icon for Microsoft rankMicrosoft
Jul 08, 2026

AI assistants are quickly becoming part of everyday work—summarizing emails, drafting responses, triaging requests, and even potentially acting across connected business systems. As email becomes an automated input to AI systems, it can also become a new attack surface. Attackers no longer need to convince a human to click; they can target the AI. This shift changes how email threats operate and why traditional protections aren’t enough on their own. Publicly disclosed research—Morris II, EchoLeak, and a steady stream of indirect prompt injection findings—shows this isn’t theoretical. Email can be the highest-volume, lowest-friction ingress channel into your AI estate, and it needs its own purpose-built control.

Today, we’re announcing a new capability in Microsoft Defender that addresses this. Microsoft Defender can now detect and isolate malicious AI instructions embedded in email, commonly referred to as prompt injection, before delivery. This reduces the risk of prompt injection reaching the inbox and activating against AI systems. By detecting these threats, organizations are better protected from prompt injection-driven compromise and unintended data exposure.

Rather than responding to attacks after an AI system has already processed them, Defender can remove the threat at the earliest control point: the inbox itself.

When attackers stop phishing humans and start targeting AI

For decades, email attacks relied on social engineering—convincing a user to click a link, open an attachment, or follow instructions. AI assistants connected to email change that model.

For illustrative purposes, an attack chain could look like this:

  1. An attacker can send an email containing hidden instructions often invisible to a human because they’re encoded, white-on-white, zero-width Unicode, or embedded in HTML the renderer hides.
  2. The recipient, or an autonomous agent, asks Copilot to summarize or process the unread mail or inbox.
  3. The AI could unknowingly follow the embedded instructions, which can trigger actions like exposing sensitive data, calling tools, or poisoning downstream context.

This emerging class of attack, commonly referred to as indirect prompt injection, represents a clear evolution of email‑borne risk and calls for protections specifically designed for AI‑targeted threats.

 

How Microsoft Defender protects against prompt injection attempts

Protection against prompt injection is built into Defender’s existing email security pipeline, allowing organizations to reduce AI-targeted threats without requiring new tools, workflows, or operational complexity.

  1. Helps stop attacks before delivery – Malicious AI instructions embedded in emails can be detected and quarantined before they reach the inbox.
  2. Reduces downstream AI exploitation – By blocking these messages at ingress, prompt injection attempts are less likely to become available to Copilot, Microsoft 365 agents, or any AI tool grounded in Exchange Online data.
  3. Starts working automatically – For eligible customers, protection is enabled by default, allowing security teams to benefit without policy changes or admin opt-in.

How to view detections

Detections are classified under the existing High Confidence Phish verdict with a new Detection Technology value: Prompt Injection Protection.

Analysts will be able to interact with this experience across familiar Defender surfaces:

  • Email Quarantine – Messages containing detected prompt injection are isolated before delivery, with the relevant detection technologies visible as part of the message details.

 

  • Explorer and email entity pages – Analysts can review the full message context, investigate why it was flagged, and understand how the threat fits within the broader email investigation flow.

Securing the AI data perimeter

Email can be the first, and highest-volume, entry point into AI systems, making it a critical control plane for preventing AI-driven compromise. But email is only the beginning. As AI systems increasingly interact with documents, collaboration platforms, and third‑party data sources, protecting the AI data perimeter becomes critical. Detecting and blocking prompt injection at the inbox represents an important step toward that future—where Defender can stop AI‑targeted threats wherever untrusted data meets autonomous systems. As the threat landscape continues to evolve, Defender is designed to evolve with the threat landscape, so organizations can deploy AI more securely while helping reduce new attack risks. 

Get started

Prompt injection protection is now in Public Preview. For eligible customers, protection is enabled automatically without requiring policy changes or additional configuration. To learn more about this feature, visit our documentation.

Updated Jul 08, 2026
Version 1.0