TLDR:
- Microsoft 365 Copilot had a critical security flaw allowing hackers to steal personal data
- The vulnerability combined prompt injection, automatic tool invocation, and ASCII smuggling
Researchers discovered a security flaw in Microsoft 365 Copilot that allowed attackers to exfiltrate sensitive user information through a sophisticated exploit chain. The vulnerability, which has been patched, combined prompt injection, automatic tool invocation, and ASCII smuggling. The exploit chain began with a malicious email or shared document containing a carefully crafted prompt injection payload, triggering Copilot to search for additional emails and documents without user interaction, bringing sensitive content into the chat context. The exploit could also trigger automatic tool invocation to retrieve data like Slack MFA codes or sales figures, and used ASCII smuggling to hide exfiltrated information within seemingly innocuous clickable hyperlinks. Microsoft has addressed the vulnerabilities following responsible disclosure in January 2024, with the original proof-of-concept exploits no longer working. The exact fix details are unclear, but the exploit chain has been neutralized.