A vulnerability in Microsoft 365 Copilot that allowed attackers to steal users’ sensitive information has been disclosed by a cybersecurity researcher.
Johann Rehberger, who discovered the flaw, described the exploit chain in a blog post published on August 26. The attack combines several advanced techniques, including prompt injection, automatic tool invocation and a novel method called ASCII smuggling, which stages data for exfiltration.
The attack begins with a prompt injection delivered through a malicious email or shared document. Once triggered, this injection prompts Microsoft 365 Copilot to search for additional emails and documents without user consent.
The attacker can then leverage ASCII smuggling, which uses invisible Unicode characters to embed sensitive information within seemingly benign hyperlinks. When a user clicks on these links, the embedded data is transmitted to a third-party server controlled by the attacker.
Vulnerability Report and Microsoft Patch
Rehberger initially reported the vulnerability to Microsoft in January 2024. Despite its sophisticated nature, the issue was initially classified as low severity. However, Rehberger demonstrated how this exploit chain could exfiltrate sensitive data, such as multi-factor authentication (MFA) codes, prompting Microsoft to reconsider and eventually patch the vulnerability by July 2024.
Read more on Microsoft patches: Microsoft Fixes Four Zero-Days in July Patch Tuesday
According to the researcher, the vulnerability highlights the potential dangers posed by AI tools like Microsoft 365 Copilot, which rely on large language models (LLMs) for processing user content.
In particular, the incident underscores the importance of implementing robust security measures to protect against prompt injection and related attacks, particularly as AI tools become increasingly integrated into enterprise environments.
Microsoft has not disclosed the specifics of the patch, but Rehberger confirmed that the vulnerability no longer poses a threat.
“It is unclear how exactly Microsoft fixed the vulnerability and what mitigation recommendations were implemented,” the researcher wrote. “But the exploits I built and shared with them in January and February do not work anymore, and it appeared that links are not rendered anymore since a few months ago.”
To defend against similar attacks, Rehberger suggested enterprises assess their risk tolerance and exposure to prevent data leaks from Copilot and implement data loss prevention (DLP) and other security controls to manage the creation and publication of these tools.
Image credit: Mamun sheikh K / Shutterstock.com