Full Report
Redmond says it's fixed this particular indirect prompt injection vuln updated Microsoft fixed a security hole in Microsoft 365 Copilot that allowed attackers to trick the AI assistant into stealing sensitive tenant data – like emails – via indirect prompt injection attacks.…
Analysis Summary
# Sneaky Mermaid attack in Microsoft 365 Copilot steals data
## Key Points
- Microsoft fixed a security hole in Microsoft 365 Copilot that allowed attackers to steal sensitive tenant data via indirect prompt injection attacks.
- The vulnerability was discovered by researcher Adam Logue, who reported it to Redmond but didn't receive a bug bounty payout since M365 Copilot is not in-scope for the vulnerability reward program.
## Threat Actors
- No specific threat actor attribution is mentioned, but the attack is attributed to researcher Adam Logue, who acted as an adversary in the proof-of-concept exploit.
## TTPs
- Indirect prompt injection attacks using Mermaid diagrams to generate diagrams on the fly and include data retrieved from other tools.
- Embedding malicious instructions into a prompt that the model can act upon.
- Using CSS style elements with a hyperlink to an attacker-controlled server to exfiltrate stolen data.
## Affected Systems
- Microsoft 365 Copilot (specifically, its Mermaid diagrams integration)
- Tenant data stored in Microsoft 365
## Mitigations
- Microsoft patched the vulnerability and notified users that they do not need to take any action to be protected from this technique.
- Future bug bounty hunters may earn a reward for their work on M365 Copilot vulnerabilities.
## Conclusion
Microsoft fixed a security hole in Microsoft 365 Copilot that allowed attackers to steal sensitive tenant data via indirect prompt injection attacks. The vulnerability was discovered by researcher Adam Logue, but he didn't receive a bug bounty payout since M365 Copilot is not in-scope for the vulnerability reward program.