Ars Technica - arstechnica.com
Dan Goodin Senior Security Editor
19 nov. 2025 21:25
Integration of Copilot Actions into Windows is off by default, but for how long?
Microsoft’s warning on Tuesday that an experimental AI agent integrated into Windows can infect devices and pilfer sensitive user data has set off a familiar response from security-minded critics: Why is Big Tech so intent on pushing new features before their dangerous behaviors can be fully understood and contained?
As reported Tuesday, Microsoft introduced Copilot Actions, a new set of “experimental agentic features” that, when enabled, perform “everyday tasks like organizing files, scheduling meetings, or sending emails,” and provide “an active digital collaborator that can carry out complex tasks for you to enhance efficiency and productivity.”
Hallucinations and prompt injections apply
The fanfare, however, came with a significant caveat. Microsoft recommended users enable Copilot Actions only “if you understand the security implications outlined.”
The admonition is based on known defects inherent in most large language models, including Copilot, as researchers have repeatedly demonstrated.
One common defect of LLMs causes them to provide factually erroneous and illogical answers, sometimes even to the most basic questions. This propensity for hallucinations, as the behavior has come to be called, means users can’t trust the output of Copilot, Gemini, Claude, or any other AI assistant and instead must independently confirm it.
Another common LLM landmine is the prompt injection, a class of bug that allows hackers to plant malicious instructions in websites, resumes, and emails. LLMs are programmed to follow directions so eagerly that they are unable to discern those in valid user prompts from those contained in untrusted, third-party content created by attackers. As a result, the LLMs give the attackers the same deference as users.
Both flaws can be exploited in attacks that exfiltrate sensitive data, run malicious code, and steal cryptocurrency. So far, these vulnerabilities have proved impossible for developers to prevent and, in many cases, can only be fixed using bug-specific workarounds developed once a vulnerability has been discovered.
That, in turn, led to this whopper of a disclosure in Microsoft’s post from Tuesday:
“As these capabilities are introduced, AI models still face functional limitations in terms of how they behave and occasionally may hallucinate and produce unexpected outputs,” Microsoft said. “Additionally, agentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.”
Microsoft indicated that only experienced users should enable Copilot Actions, which is currently available only in beta versions of Windows. The company, however, didn’t describe what type of training or experience such users should have or what actions they should take to prevent their devices from being compromised. I asked Microsoft to provide these details, and the company declined.
Like “macros on Marvel superhero crack”
Some security experts questioned the value of the warnings in Tuesday’s post, comparing them to warnings Microsoft has provided for decades about the danger of using macros in Office apps. Despite the long-standing advice, macros have remained among the lowest-hanging fruit for hackers out to surreptitiously install malware on Windows machines. One reason for this is that Microsoft has made macros so central to productivity that many users can’t do without them.
“Microsoft saying ‘don’t enable macros, they’re dangerous’… has never worked well,” independent researcher Kevin Beaumont said. “This is macros on Marvel superhero crack.”
Beaumont, who is regularly hired to respond to major Windows network compromises inside enterprises, also questioned whether Microsoft will provide a means for admins to adequately restrict Copilot Actions on end-user machines or to identify machines in a network that have the feature turned on.
A Microsoft spokesperson said IT admins will be able to enable or disable an agent workspace at both account and device levels, using Intune or other MDM (Mobile Device Management) apps.
Critics voiced other concerns, including the difficulty for even experienced users to detect exploitation attacks targeting the AI agents they’re using.
“I don’t see how users are going to prevent anything of the sort they are referring to, beyond not surfing the web I guess,” researcher Guillaume Rossolini said.
Microsoft has stressed that Copilot Actions is an experimental feature that’s turned off by default. That design was likely chosen to limit its access to users with the experience required to understand its risks. Critics, however, noted that previous experimental features—Copilot, for instance—regularly become default capabilities for all users over time. Once that’s done, users who don’t trust the feature are often required to invest time developing unsupported ways to remove the features.
Sound but lofty goals
Most of Tuesday’s post focused on Microsoft’s overall strategy for securing agentic features in Windows. Goals for such features include:
Non-repudiation, meaning all actions and behaviors must be “observable and distinguishable from those taken by a user”
Agents must preserve confidentiality when they collect, aggregate, or otherwise utilize user data
Agents must receive user approval when accessing user data or taking actions
The goals are sound, but ultimately they depend on users reading the dialog windows that warn of the risks and require careful approval before proceeding. That, in turn, diminishes the value of the protection for many users.
“The usual caveat applies to such mechanisms that rely on users clicking through a permission prompt,” Earlence Fernandes, a University of California, San Diego professor specializing in AI security, told Ars. “Sometimes those users don’t fully understand what is going on, or they might just get habituated and click ‘yes’ all the time. At which point, the security boundary is not really a boundary.”
As demonstrated by the rash of “ClickFix” attacks, many users can be tricked into following extremely dangerous instructions. While more experienced users (including a fair number of Ars commenters) blame the victims falling for such scams, these incidents are inevitable for a host of reasons. In some cases, even careful users are fatigued or under emotional distress and slip up as a result. Other users simply lack the knowledge to make informed decisions.
Microsoft’s warning, one critic said, amounts to little more than a CYA (short for cover your ass), a legal maneuver that attempts to shield a party from liability.
“Microsoft (like the rest of the industry) has no idea how to stop prompt injection or hallucinations, which makes it fundamentally unfit for almost anything serious,” critic Reed Mideke said. “The solution? Shift liability to the user. Just like every LLM chatbot has a ‘oh by the way, if you use this for anything important be sure to verify the answers” disclaimer, never mind that you wouldn’t need the chatbot in the first place if you knew the answer.”
As Mideke indicated, most of the criticisms extend to AI offerings other companies—including Apple, Google, and Meta—are integrating into their products. Frequently, these integrations begin as optional features and eventually become default capabilities whether users want them or not.
bleepingcomputer.com
By Bill Toulas
November 20, 2025
Data from Italy's national railway operator, the FS Italiane Group, has been exposed after a threat actor breached the organization's IT services provider, Almaviva.
The hacker claims to have stolen 2.3 terabytes of data and leaked it on a dark web forum. According to the threat actor's description, the leak includes confidential documents and sensitive company information.
Almaviva is a large Italian company that operates globally, providing services such as software design and development, system integration, IT consulting, and customer relationship management (CRM) products.
Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, says the leaked data is recent, and includes documents from the third quarter of 2025. The expert ruled out the possibility that the files were recycled from a Hive ransomware attack in 2022.
"The threat actor claims the material includes internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and even complete datasets from several FS Group companies," Draghetti says.
"The structure of the dump, organized into compressed archives by department/company, is fully consistent with the modus operandi of ransomware groups and data brokers active in 2024–2025," the cybersecurity expert added.
Almaviva is a major IT services provider with over 41,000 employees across almost 80 branches in Italy and abroad, and an annual turnover of $1.4 billion last year.
FS Italiane Group (FS) is a 100% state-owned railway operator and one of the largest industrial companies in the country, with more than $18 billion in annual revenue. It manages railway infrastructure, passenger and freight rail transport, and also bus services and logistics chains.
While BleepingComputer’s press requests to both Almaviva and FS went unanswered, the IT firm eventually confirmed the breach via a statement to local media.
“In recent weeks, the services dedicated to security monitoring identified and subsequently isolated a cyberattack that affected our corporate systems, resulting in the theft of some data,” Almaviva said.
“Almaviva immediately activated security and counter-response procedures through its specialized team for this type of incident, ensuring the protection and full operability of critical services.”
The company also stated that it has informed authorities in the country, including the police, the national cybersecurity agency, and the country’s data protection authority. An investigation into the incident is ongoing with help and guidance from government agencies.
Almaviva promised to transparently provide updates as more information emerges from the investigation.
Currently, it is unclear if passenger information is present in the data leak or if the data breach is impacting other clients beyond FS.
BleepingComputer has contacted Almaviva with additional questions, but we have not received a response by publication time.
bleepingcomputer.com
By Sergiu Gatlan
November 21, 2025
American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
However, the company noted that its systems were not breached as a result of this incident and that customers' data was not compromised.
"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally," a CrowdStrike spokesperson told BleepingComputer today.
"Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."
CrowdStrike did not specify the threat group responsible for the incident or the motivations of the malicious insider who shared screenshots.
However, this statement was provided in response to questions from BleepingComputer regarding screenshots of CrowdStrike systems that were recently posted on Telegram by members of the threat groups ShinyHunters, Scattered Spider, and Lapsus$.
ShinyHunters told BleepingComputer earlier today that they allegedly agreed to pay the insider $25,000 to provide them with access to CrowdStrike's network.
The threat actors claimed they ultimately received SSO authentication cookies from the insider, but by then, the suspected insider had already been detected by CrowdStrike, which had shut down his network access.
The extortion group added that they also attempted to purchase CrowdStrike reports on ShinyHunters and Scattered Spider, but did not receive them.
BleepingComputer contacted CrowdStrike again to confirm if this information is accurate and will update the story if we receive additional information.
The Scattered Lapsus$ Hunters cybercrime collective
These groups, now collectively calling themselves "Scattered Lapsus$ Hunters," have previously launched a data-leak site to extort dozens of companies impacted by a massive wave of Salesforce breaches.
Scattered Lapsus$ Hunters have been targeting Salesforce customers in voice phishing attacks since the start of the year, breaching companies such as Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, as well as LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.
Companies they attempted to extort include high-profile brands and organizations, such as Google, Cisco, Toyota, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott, Gap, McDonald's, Walgreens, Transunion, HBO MAX, UPS, Chanel, and IKEA.
Scattered Lapsus$ Hunters also claimed responsibility for the Jaguar Land Rover (JLR) breach, stealing sensitive data and significantly disrupting operations, resulting in damages of over £196 million ($220 million) in the last quarter.
As BleepingComputer reported this week, the ShinyHunters and Scattered Spider extortion groups are switching to a new ransomware-as-a-service platform named ShinySp1d3r, after previously using other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.
This Thursday, ShinyHunters also claimed a new wave of data theft attacks that allegedly impacted Salesforce instances belonging to over 280 companies. In Telegram messages today, they said the list of breached companies contains multiple high-profile names, including LinkedIn, GitLab, Atlassian, Thomson Reuters, Verizon, F5, SonicWall, DocuSign, and Malwarebytes.
As the threat actors told BleepingComputer yesterday, they compromised the Salesforce instances after breaching Gainsight using secrets stolen in the Salesloft drift breach.
