Copilot Prompt Injection Vulnerability Let Hackers Exfiltrate Personal Data


Researchers have revealed that a critical security flaw in Microsoft 365 Copilot allowed attackers to exfiltrate sensitive user information through a sophisticated exploit chain. The vulnerability, which has since been patched, combined multiple techniques to bypass security controls and steal personal data.

The exploit chain, discovered by security researcher Johann Rehberger, leveraged prompt injection, automatic tool invocation, and a novel technique called ASCII smuggling. It began with a malicious email or shared document containing a carefully crafted prompt injection payload.


This payload instructed Copilot to search for additional emails and documents without user interaction, bringing sensitive content into the chat context. Notably, the exploit could trigger automatic tool invocation, causing Copilot to retrieve data like Slack MFA codes or sales figures from other sources.

The most innovative aspect was the use of ASCII smuggling to hide exfiltrated data. This technique employs special Unicode characters that mirror ASCII but are invisible in the user interface. The attacker could embed this hidden data within seemingly innocuous clickable hyperlinks.


If a user clicked the link, the concealed sensitive information would be sent to an attacker-controlled server. Rehberger demonstrated how sales numbers and MFA codes could be stolen and decoded using this method.
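A defender-side check for the hidden characters described above, as an added example that is not from the original article or from Rehberger's research. It assumes the invisible characters come from the Unicode Tags block (U+E0000 to U+E007F), which mirrors ASCII at a fixed offset; the function names and the sample link are constructed for illustration.

```python
# Unicode Tags block: U+E0000..U+E007F. Assumption: these are the invisible
# ASCII-mirroring characters used for smuggling; U+E0020..U+E007E map to
# printable ASCII by subtracting 0xE0000.
import re

TAG_OFFSET = 0xE0000
TAG_RUN = re.compile("[\U000E0000-\U000E007F]+")


def reveal_hidden(text):
    """Return (offset, decoded_ascii) for every run of tag characters."""
    found = []
    for match in TAG_RUN.finditer(text):
        decoded = "".join(
            chr(ord(ch) - TAG_OFFSET)
            for ch in match.group()
            if 0x20 <= ord(ch) - TAG_OFFSET <= 0x7E  # skip non-printable tags
        )
        found.append((match.start(), decoded))
    return found


def sanitize(text):
    """Strip all tag characters so they never reach a rendered link."""
    return TAG_RUN.sub("", text)


def inspect_output(text):
    """Verdict for one piece of model output or one inbound document."""
    hidden = reveal_hidden(text)
    return {
        "suspicious": bool(hidden),
        "hidden": [decoded for _, decoded in hidden],
        "clean": sanitize(text),
    }


# Constructed sample: a markdown link whose query string carries the
# invisible tag-character form of "otp:42". example.test is a reserved name.
HIDDEN = "\U000E006F\U000E0074\U000E0070\U000E003A\U000E0034\U000E0032"
SAMPLE = "See the [report](https://example.test/r?q=" + HIDDEN + ") for details."

if __name__ == "__main__":
    print(inspect_output(SAMPLE))
```

Running the same check on inbound emails and documents, not only on model output, also catches instructions hidden from the human reader before they enter the chat context.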

The full exploit chain combined:

  1. Prompt injection via malicious content
  2. Automatic tool invocation to access additional data
  3. ASCII smuggling to hide exfiltrated information
  4. Rendering of hyperlinks to attacker-controlled domains

Microsoft has since addressed the vulnerabilities following responsible disclosure in January 2024. While the exact fix details are unclear, the original proof-of-concept exploits no longer work, and link rendering appears to have been modified.

“It is unclear how exactly Microsoft fixed the vulnerability, and what mitigation recommendations were implemented. But the exploits I built and shared with them in January and February do not work anymore,” Johann Rehberger added.
