A vulnerability in Microsoft 365 Copilot that allowed attackers to steal users' sensitive information has been disclosed by a cybersecurity researcher.
Johann Rehberger, who discovered the flaw, described the exploit chain in a blog post published on August 26. The attack combines several advanced techniques, including prompt injection, automatic tool invocation and a novel method called ASCII smuggling, which stages data for exfiltration.
The attack begins with a prompt injection delivered through a malicious email or shared document. Once triggered, this injection prompts Microsoft 365 Copilot to search for additional emails and documents without user consent.
The attacker can then leverage ASCII smuggling, which uses invisible Unicode characters to embed sensitive information within seemingly benign hyperlinks. When a user clicks on these links, the embedded data is transmitted to a third-party server controlled by the attacker.
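A defender-side check for the hidden characters described above, as an added example (not code from Rehberger's post or from Microsoft). It assumes the invisible characters come from the Unicode Tags block (U+E0000 to U+E007F), which mirrors ASCII; the function names and the sample link are constructed for illustration.

```python
import re

# Unicode Tags block: U+E0000..U+E007F. Code points U+E0020..U+E007E mirror
# printable ASCII and render as nothing in most user interfaces.
TAG_RUN = re.compile("[\U000E0000-\U000E007F]+")


def find_hidden_runs(text):
    """Return (offset, decoded_ascii) for each run of tag characters."""
    findings = []
    for m in TAG_RUN.finditer(text):
        decoded = "".join(
            chr(ord(ch) - 0xE0000) if 0xE0020 <= ord(ch) <= 0xE007E else "?"
            for ch in m.group()
        )
        findings.append((m.start(), decoded))
    return findings


def sanitize(text):
    """Strip tag characters so they never reach a rendered link or a prompt."""
    return TAG_RUN.sub("", text)


def inspect_output(text):
    """Gate for model input or output: report findings and return safe text."""
    findings = find_hidden_runs(text)
    return {"blocked": bool(findings), "findings": findings, "clean": sanitize(text)}


# Constructed sample: a markdown link whose visible text and URL look benign.
# The hidden run carries a placeholder string, not real data.
_HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "code=000000")
SAMPLE = f"[Open the report](https://example.invalid/r?id=1{_HIDDEN})"

if __name__ == "__main__":
    result = inspect_output(SAMPLE)
    print(result["blocked"], result["findings"])
    print(result["clean"])
```

The same gate can run on inbound email and document text before it reaches the model, and on model output before any link is rendered.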
Vulnerability Report and Microsoft Patch
Rehberger initially reported the vulnerability to Microsoft in January 2024. Despite its sophisticated nature, the issue was initially classified as low severity. However, Rehberger demonstrated how this exploit chain could exfiltrate sensitive data, such as multi-factor authentication (MFA) codes, prompting Microsoft to reconsider and eventually patch the vulnerability by July 2024.
According to the researcher, the vulnerability highlights the potential risks posed by AI tools like Microsoft 365 Copilot, which rely on large language models (LLMs) for processing user content.
In particular, the incident underscores the importance of implementing robust security measures to protect against prompt injection and related attacks, particularly as AI tools become increasingly integrated into enterprise environments.
Microsoft has not disclosed the specifics of the patch, but Rehberger confirmed that the vulnerability no longer poses a threat.
“It’s unclear how exactly Microsoft fixed the vulnerability and what mitigation suggestions had been applied,” the researcher wrote. “However, the exploits I constructed and shared with them in January and February don’t work anymore, and it appeared that hyperlinks are not rendered anymore since a couple of months ago.”
To defend against similar attacks, Rehberger suggested enterprises assess their risk tolerance and exposure to prevent data leaks from Copilot and implement data loss prevention (DLP) and other security controls to manage the creation and publication of these tools.