Researchers have demonstrated a new self-propagating AI malware dubbed “Morris II.” This generative AI worm targets email assistants (like Copilot for Microsoft 365) by using “adversarial self-replicating prompts” hidden in emails. When the AI processes the email, it is tricked into forwarding the malware to other contacts.
Business Impact
This is the first true “generative AI worm.” It can spread rapidly through an organization’s internal email network, bypassing traditional spam filters because the emails are sent by legitimate, trusted internal accounts. It can be used to exfiltrate sensitive data or spread phishing links at scale.
Why It Happened
The worm exploits “prompt injection” vulnerabilities in how RAG (Retrieval-Augmented Generation) systems process incoming email content. The AI treats the malicious prompt as a valid instruction rather than untrusted data.
Recommended Executive Action
Review the security settings for your enterprise AI assistants. Limit the permissions of AI agents to “read-only” for external emails where possible, or require human approval before an AI agent sends an email on a user’s behalf.
Hashtags: #AI #Malware #Worm #Copilot #GenAI #PromptInjection #CyberSecurity #EmailSecurity #FutureThreats