External risk intelligence

M365 Copilot vulnerability can redirect users to malicious sites allowing attackers to take control.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-33102

An M365 Copilot flaw can send users to fake websites, potentially letting attackers gain unauthorized control. This is critical because it exposes user accounts and sensitive data across your network.

4

Halo Surface Signal

Microsoft 365 Copilot

External exposure likelihood

Halo Surface Signal score for CVE-2026-33102

M365 Copilot is a SaaS application accessed by users over the internet. The vulnerability involves the application's URL handling, part of its standard web interface. Being a cloud-native service deployed for widespread enterprise use, the vulnerable component is regularly accessible via typical web browsers.

Horizon Alert

Summary of the vulnerability and why it matters

An open redirect vulnerability in M365 Copilot could let an attacker redirect users to an untrusted site, potentially leading to unauthorized privilege escalation. This issue deserves attention because it could impact user accounts and data security across the network.

  • Attacker redirects users to malicious sites.
  • Potential for privilege escalation.
  • Affects M365 Copilot users.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this open redirect vulnerability in M365 Copilot to trick users into clicking malicious links, potentially leading to credential theft or further compromise. This could be used in phishing campaigns targeting M365 users, directing them to fake login pages or malicious sites.

  • No authentication required.
  • Triggered by user interaction with a crafted URL.
  • Exploitable over the network.

Live Threat

Current exploitation, exposure, and threat context

This CVE describes an open redirect vulnerability in M365 Copilot, which could allow an attacker to trick users into visiting a malicious site. While privilege escalation is mentioned, the primary threat from this specific vulnerability appears to be phishing and credential theft by redirecting users through a crafted link. Attackers currently show significant interest in vulnerabilities in widely used productivity suites because of the broad reach a single flaw gives them.

  • No known exploit publicly available.
  • Not listed on KEV.
  • Published in April 2026.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize assessing M365 Copilot for any signs of exploitation or suspicious redirection activity. If active exploitation is detected or the risk is high, isolate affected services or take them offline immediately.

  • Block or filter suspicious URLs.
  • Monitor for anomalous user activity.
  • Enable enhanced logging for M365 Copilot.
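The "block or filter suspicious URLs" and "monitor for anomalous user activity" items above can be turned into a concrete detection over web proxy logs: requests to the SaaS front door whose query string carries a parameter that resolves to an external host are exactly the trace an open-redirect lure leaves. The following is an added example written for this advisory, not code from Microsoft or Halo; the log format, the host names (copilot.tenant.example, evil.example) and the parameter names are constructed, since the advisory does not name the vulnerable Copilot parameter.

```python
"""Added example (not vendor code): flag proxy log entries where a request to a
monitored SaaS host carries a query parameter pointing at an external site.
Hosts, log format and parameter names below are constructed for illustration."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# The SaaS front door whose redirect parameters we watch (constructed name).
MONITORED_HOSTS = {"copilot.tenant.example"}
# Hosts a redirect is allowed to land on (constructed allowlist).
TRUSTED_HOSTS = {"copilot.tenant.example", "login.tenant.example"}

# Constructed sample lines in the shape "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2026-04-10T09:12:01Z alice GET https://copilot.tenant.example/chat?q=hello 200
2026-04-10T09:12:44Z bob GET https://copilot.tenant.example/go?next=https%3A%2F%2Flogin.tenant.example%2F 302
2026-04-10T09:13:07Z carol GET https://copilot.tenant.example/go?next=%2F%2Fevil.example%2Fsignin 302
2026-04-10T09:13:30Z dave GET https://copilot.tenant.example/go?next=https%253A%252F%252Fevil.example%252Fm365 302
2026-04-10T09:14:02Z erin GET https://intranet.tenant.example/home?next=https%3A%2F%2Fevil.example%2F 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def external_target(value: str):
    """Return the external host a parameter value would send a browser to,
    or None when the value stays on a trusted host or is a plain relative path."""
    decoded = value
    for _ in range(3):  # peel repeated percent-encoding (%252F -> %2F -> /)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Browsers accept backslashes in place of slashes in the authority; normalise.
    decoded = decoded.replace("\\", "/").strip()
    if not (decoded.startswith("//") or SCHEME_RE.match(decoded)):
        return None  # relative path: cannot leave the site
    host = urlsplit(decoded).hostname
    if host is None or host.lower() in TRUSTED_HOSTS:
        return None
    return host.lower()


def find_redirect_lures(log_text: str):
    """Scan log lines and report (time, user, parameter, external host) hits."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, _method, url, _status = m.groups()
        parts = urlsplit(url)
        if parts.hostname not in MONITORED_HOSTS:
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            host = external_target(value)
            if host:
                findings.append(
                    {"time": ts, "user": user, "param": name, "external_host": host}
                )
    return findings


if __name__ == "__main__":
    for hit in find_redirect_lures(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} param={hit['param']} -> {hit['external_host']}")
```

On the constructed sample the bob line is ignored because its target stays on an allowlisted host, while the carol (protocol-relative) and dave (double-encoded) lines are reported; the erin line is skipped because the request is not to a monitored host. The same logic applies to URLs extracted from mail-gateway or link-click telemetry, which is where a phishing lure would first appear.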

Frequently asked questions

What is Microsoft 365 Copilot and its primary function?

Microsoft 365 Copilot is an AI-powered tool designed to integrate with Microsoft 365 applications. It assists users by enhancing productivity through features that help with writing, summarizing information, analyzing data, and performing other tasks within the Microsoft ecosystem.

What is CVE-2026-33102 and what type of weakness is it?

CVE-2026-33102 is an 'open redirect' vulnerability found in Microsoft 365 Copilot. This weakness, categorized as CWE-601, enables an attacker to redirect users to a website other than the one they intended to visit, potentially a malicious one.

How could an attacker exploit this vulnerability?

An attacker could exploit this open redirect vulnerability by crafting a malicious URL that, when clicked by a user, redirects them to an untrusted website. This could be used in phishing campaigns to steal credentials or lead users to sites distributing malware.
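To make the CWE-601 weakness in the two answers above concrete, here is an added example that is not Microsoft's code and says nothing about how Copilot actually validates its redirect targets: a redirect check written the weak way (substring match on the trusted domain) beside a hardened allowlist check, with the inputs that separate the two. The host names and the HOME fallback are constructed assumptions.

```python
"""Added example (not vendor code): an open-redirect check in its weak and
hardened forms. Host names and the HOME fallback are constructed."""
from urllib.parse import urlsplit, urljoin

TRUSTED_HOSTS = {"app.tenant.example", "login.tenant.example"}  # constructed allowlist
HOME = "https://app.tenant.example/"                              # safe fallback


def resolve_redirect_vulnerable(target: str) -> str:
    """Weak check: a substring test on the trusted domain (CWE-601 pattern).
    Any attacker host that merely contains the string passes."""
    if "tenant.example" in target:
        return target
    return HOME


def resolve_redirect_hardened(target: str) -> str:
    """Follow the redirect only when it resolves, after normalisation, to an
    allowlisted host over https; otherwise fall back to HOME."""
    if not target or "\r" in target or "\n" in target:
        return HOME
    # Browsers treat a backslash like a slash in the authority part, so
    # "/\evil.example" would become "//evil.example"; normalise before parsing.
    candidate = target.replace("\\", "/")
    absolute = urljoin(HOME, candidate)  # relative paths resolve against HOME
    parts = urlsplit(absolute)
    if parts.scheme != "https":
        return HOME
    if parts.username or parts.password:  # "trusted@evil" userinfo confusion
        return HOME
    if parts.hostname is None or parts.hostname.lower() not in TRUSTED_HOSTS:
        return HOME
    return absolute


if __name__ == "__main__":
    probes = [
        "/dashboard",
        "//evil.example/login",
        "https://app.tenant.example.evil.example/",
        "https://evil.example/?next=tenant.example",
        "https://app.tenant.example@evil.example/",
        "/\\evil.example/",
    ]
    for p in probes:
        print(f"{p!r:48} weak -> {resolve_redirect_vulnerable(p)!r:48} "
              f"hardened -> {resolve_redirect_hardened(p)!r}")
```

The hardened version never echoes the raw parameter: it parses, normalises and compares the host against an exact allowlist, which is the property that closes the lure in the attack path above regardless of how the link is encoded.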

What is the relevance of CVE-2026-33102 according to Halo Surface Signal?

Halo classifies this CVE as 'Likely' due to Microsoft 365 Copilot being a SaaS application accessed over the internet. The vulnerability is in the application's URL handling, a part of its web interface, making the vulnerable component accessible through standard web browsers for widespread enterprise use.

What steps should be taken to address this vulnerability?

Organizations should prioritize assessing their Microsoft 365 Copilot environment for any signs of exploitation or suspicious redirection activity. If exploitation is detected or the risk is assessed as high, isolating affected services or taking them offline may be necessary. Additionally, monitoring for anomalous user activity and enabling enhanced logging for M365 Copilot can help detect and respond to incidents.
