A recent report by security researchers highlighted a serious indirect prompt injection vulnerability in Microsoft 365 Copilot that enabled attackers to steal sensitive corporate data. The core of the attack involved crafting a specialized Office document—like an Excel sheet—containing hidden instructions. When a user asked Copilot to summarize this document, the AI processed the embedded commands. Unlike a normal prompt injection where the attacker directly enters malicious text into the AI’s input field, indirect injection exploits the fact that the AI trusts and processes content from external, seemingly benign data sources.
The hidden instructions were cleverly embedded, in one example using white text on a white background within an Excel file across multiple hidden pages. The first set of instructions guided Copilot to ignore the primary document content and focus on a fake login prompt, while a second set provided the steps for the data theft. These commands overrode Copilot’s intended function, instructing it to perform actions far beyond a simple summary.
The malicious steps involved using Copilot’s own internal search tools to fetch the victim’s recent corporate emails. The AI then encoded this sensitive data into a single, long hex-encoded string. This string was then embedded into a Mermaid diagram, a tool Copilot uses to generate visual flowcharts and charts from text definitions. The diagram was disguised as a fake “Login” button or node.
The danger of the Mermaid diagram lay in its support for CSS styling, which attackers leveraged to define a hyperlink. The attacker’s instructions mandated that the encoded email data be inserted directly into the URL of this hyperlink, which pointed to an attacker’s controlled server. When an unsuspecting user clicked the fake “Login” button, the browser would unknowingly transmit the full, hex-encoded string of stolen emails to the attacker’s logs, where it could be decoded later. To make the ruse more convincing, the click was set up to briefly show an HTTP response that was replaced with a mock Microsoft 365 login screen, suggesting the user needed to log in to see the summary.
Following responsible disclosure, Microsoft patched the vulnerability by updating Copilot to disable interactive elements, specifically hyperlinks, within any AI-generated Mermaid diagrams. This critical change effectively closes the data exfiltration channel used in the attack. Users are strongly advised to ensure their Copilot integrations are updated and should avoid summarizing untrusted or suspicious documents until the patch has been fully applied to their systems.
Reference:
