
Posts by mbg

Claude in Chrome: A Threat Analysis A threat model for Claude in Chrome, agentic browser risks, Claude in Chrome JS tool resulting risks, and what you should be aware of when adopting Claude in your org.

forget about cors sop xss protection session isolation or browser security boundaries in general
labs.zenity.io/p/claude-in-...

3 months ago

"Claude’s ability to autonomously use dev tools s.a. reading network requests and executing JS poses great risk. Since the browser first appeared a great amount of effort was invested into preventing one of the worst web vulnerabilities out there. XSS. Roll in, Claude in Chrome... XSS-as-a-service."

3 months ago
How Should AI Ask for Our Input? How should we reason about machines taking over

we're stuck replicating the first AI-human interface that caught on
The Chat

we can do better
www.mbgsec.com/posts/2025-0...

7 months ago
Video
7 months ago
Attackers celebrate, defenders face palm.

join us tmrw! it's going to be .. well .. we've got something for everybody!

blackhat[.]com/us-25/briefings/schedule/index.html#ai-enterprise-compromise---0click-exploit-methods-46442

8 months ago
Agent Flayer comes for Microsoft Copilot, Copilot Studio Gemini, Agentforce, Cursor and ChatGPT

’tis the season to be pwning
#BHUSA

8 months ago

You missed one thing in your (excellent) analysis: the attacker was clever enough to pull this off (and it is amazingly done), but still wasn't able to solve for Amazon Q CLI's dogshit ergonomics.

8 months ago

a woman is drinking a cup of coffee while wearing a blue tank top.
8 months ago

this could have been much worse
bsky.app/profile/mbrg...

8 months ago
The malicious prompt in question displaying inside of a customer's Very Enterprisey(tm) endpoint security tooling during the attack window.

AWS security bulletin: aws.amazon.com/security/sec...

"This issue did not affect any production services or end-users."

Weird how customer logs show the wiper prompt executing.

Anyone else see "clean a system to a near-factory state" in your logs?

8 months ago
Initial access remains unclear

down the rabbit hole
www.mbgsec.com/posts/2025-0...

8 months ago
The malicious prompt

After several hours of GitHub dorking on the Amazon Q infection we have:
- hacker's user and intent
- downloader
- prompt payload
- evasion techniques
- timeline from july 13 thru aws mitigation and cover

big open questions: how did lkmanka58 gain initial access? is this the only user involved?

8 months ago
Why Aren’t We Making Any Progress In Security From AI Soft boundaries are created by training AI real hard not to violate control flow, and hope that it doesn’t. Hackers don’t care about what happens most of the time.

benchmarks go up
attackers pwning like it's the 90s
www.mbgsec.com/posts/2025-0...

9 months ago
A Copilot Studio Story 2: When AIjacking Leads to Full Data Exfiltration Discover how prompt injections can lead to zero-click exploits threatening AI agents built using Copilot Studio. Learn about real-world risks, including data leakage and security blind spots. Bypass C...

0click chain on a copilot studio agent via email
bypass msft's defense, jailbreak 4o, recon for accessible data, dump the entire salesforce crm
one prompt
labs.zenity.io/p/a-copilot-...

9 months ago
Context Engineering for AI Agents: Lessons from Building Manus This post shares the local optima Manus arrived at through our own "SGD". If you're building your own AI agent, we hope these principles help you converge faster.

this manus post has changed my todo for the weekend
the way in which they constrain model logits by manipulating prefixes is brilliant
manus.im/blog/Context...

9 months ago
Black Hat

here we go www.blackhat.com/us-25/briefi...

11 months ago

it's been 9 months since #BHUSA and living off microsoft copilot

ppl have been asking if things are better now

well.. they are much better. but for whom? 😈😈😈

catch the sequel at hacker summer camp featuring very disturbing shenanigans
@blackhatevents.bsky.social

11 months ago
Fully-Autonomous AI Systems Are Discovering Vulnerabilities Today This is part 2 on OpenAI’s Security Research Conference. Here is part 1.

an ai system is the top hacker at h1 us leaderboard

www.mbgsec.com/posts/2025-0...

11 months ago
The Vibe at OpenAI’s Inaugural Security Research Conf The conversation around AI is always about vibes. So let’s talk about the vibes at OpenAI’s inaugural Security Research Conference last week.

more ->
www.mbgsec.com/posts/2025-0...

11 months ago
openai security conf badge

incredible vibes at openai's security conf last week

I came out both humbled and excited
and with a greater conviction --

you can just do things!

11 months ago
There Is Nothing Responsible About Disclosure Of Every Successful Prompt Injection The InfoSec community is strongest when it can collaborate openly. Few organizations can fend off sophisticated attacks alone—and even they sometimes fail. If we all had to independently discover ever...

AI vendors have been creating vuln disclosure programs asking that every bad prompt be responsibly disclosed

blocking a specific prompt does little to protect users
it creates an illusion of security that leaves users exposed
www.mbgsec.com/posts/2025-0...

11 months ago
Zenity Research Published at RSAC 2025 Copilots and agents are a new access vector; How to build an AppSec program that scales to the level of citizen development

good morning folks! thanks again to everyone who attended my talks this week

ai assistants create a new initial access vector
prompt injection is not a bug to fix, it's a problem to manage

slides, hacking demos, security program ->
labs.zenity.io/p/zenity-res...

11 months ago
AIjacking Goes Beyond Prompt Injection Naming is powerful. An excellent name does more than frame the problem, it hints at ownership, solutions, and urgency to address it. In a very real sense, they are like equivalence proofs in mathemat...

we conflate *the problem* with the term prompt injection

the problem is that AI inherently does not follow instructions, and we act like it does

it follows our goals, an attacker’s, or its own just the same
attackers exploit this
hijacking your AI for their goals

www.mbgsec.com/posts/2025-0...

11 months ago
Copilot Learning Hub
Cautionary Tales: Everything You Need to Know About Security for Copilot

tmrw (Dec 5) at 10am PT Microsoft is releasing a convo by @donasarkar.bsky.social @sarahyo.com and me where we go into using m365 copilot & copilot studio securely

this was a great attacker-defender interaction

join us! we'll be there for live questions in comments

1 year ago
Michael on stage at INTENT 2024

first time at INTENT
met lots of talented folks and the vibes were great
ty this was awesome!

1 year ago

ok we’re having a sequel to living off microsoft copilot

1 year ago
Modules: Power Pages An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform - mbrg/power-pwn

Aaron Costello found 1.1 million NHS employee PII records exposed due to a Power Pages misconfig

new powerpwn module is out!
by avishai efrat and ofri nachfolger

scan your environment for public facing Pages and Dataverse tables

github.com/mbrg/power-p...

1 year ago

is there any popular formal definition of the ‘halting problem’ for AI? i.e. can we build a kill switch?

1 year ago

55k devs
90k copilots
500k apps
1.1m automations
10m creds

!

1 year ago
BlueHat 2024: S14: Scaling AppSec with an SDL for Citizen Development (YouTube video by Microsoft Security Response Center (MSRC))

Microsoft has >1.5 million low-code/no-code apps including 90K bots and AI copilots

this is how together we built a security program that managed to remediate 95% of vulns within 4m

I’m really excited to finally be able to share this -

www.youtube.com/watch?v=0jGU...

1 year ago