Microsoft Copilot Prompt Injection Vulnerability Let Hackers Exfiltrate Sensitive Data


A security researcher revealed a critical vulnerability in Microsoft Copilot, a tool integrated into Microsoft 365, which allowed hackers to exfiltrate sensitive data.

The exploit, disclosed to Microsoft Security Response Center (MSRC) earlier this year, combines several sophisticated techniques that pose a significant data integrity and privacy risk. Let’s delve into the details of this vulnerability and its implications.

Exploit Chain: A Multi-Step Attack

According to the Embrace The Red report, the exploit chain leverages a combination of prompt injection, automatic tool invocation, and ASCII smuggling to achieve data exfiltration. It begins with a malicious email or document containing hidden instructions.

When processed by Copilot, these instructions trigger the tool to search for additional emails and documents, effectively expanding the scope of the attack without user intervention.

Demo that shows Copilot analyzing a Word document from OneDrive (source:Embrace The Red)

One of the critical elements of this exploit is the use of ASCII smuggling, a technique that employs special Unicode characters to render data invisible in the user interface.

This allows attackers to embed sensitive information within hyperlinks, which are then clicked by unsuspecting users, sending the data to attacker-controlled domains.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

Microsoft 365 Copilot and Prompt Injections

Microsoft Copilot, an AI-powered assistant, is vulnerable to prompt injection attacks from third-party content.

This vulnerability was demonstrated earlier this year, highlighting the potential for data integrity and availability loss.

A notable example involved a Word document tricking Copilot into acting as a scammer, showcasing how easily the tool can be manipulated.

Prompt injection remains a significant challenge, as no comprehensive fix exists. This vulnerability underscores the importance of the disclaimers often seen in AI applications, warning users of potential inaccuracies in AI-generated content.

The vulnerability is exacerbated by Copilot’s ability to invoke tools automatically based on the injected prompts.

This feature, intended to enhance productivity, becomes a double-edged sword when exploited by attackers.

Copilot was tricked into searching for Slack MFA codes in one instance, demonstrating how sensitive information could be accessed without user consent.

Copilot searches for Slack MFA codes (source:Embrace The Red)
Copilot searches for Slack MFA codes (source:Embrace The Red)

This automatic tool invocation creates a pathway for attackers to bring additional sensitive content into the chat context, increasing the risk of data exposure.

This process’s lack of user oversight highlights a critical security gap that needs addressing.

Data Exfiltration and Mitigation Efforts

The final step in the exploit chain is data exfiltration. With control over Copilot and access to additional data, attackers can embed hidden data within hyperlinks using ASCII smuggling.

When users click these links, the data is sent to external servers, completing the exfiltration process.

To mitigate this risk, the researcher recommended several measures to Microsoft, including disabling Unicode tag interpretation and preventing hyperlink rendering.

While Microsoft has implemented some fixes, the specifics remain undisclosed. Links are no longer rendered, suggesting a partial resolution to the vulnerability.

Malicious Email with Prompt Injection (source:Embrace The Red)
Malicious Email with Prompt Injection (source:Embrace The Red)

Microsoft’s response to the vulnerability has been partially effective, with some exploits no longer functioning.

However, the lack of detailed information about the fixes and their implementation leaves room for concern.

The researcher has expressed a desire for Microsoft to share its mitigation strategies with the industry to enhance collective security efforts.

The Microsoft Copilot vulnerability highlights the complex challenges of securing AI-driven tools. While progress has been made, continued collaboration and transparency are essential to safeguarding against future exploits.

As the industry grapples with these issues, users must remain aware of the potential risks and proactively protect their data.

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial



Source link