Skip to content

Critical Vulnerability in Microsoft’s M365 Copilot AI Platform Exposed Users’ 2FA Codes and Sensitive Data

Last Tuesday, Microsoft patched a vulnerability it rated as critical in its M365 Copilot AI platform. On Monday, the researchers who discovered the vulnerability and reported it to Microsoft revealed how their proof-of-concept exploit could retrieve 2FA codes and other sensitive data from emails accessible to Copilot.

The root cause of this vulnerability lies in the inability of AI bots to distinguish between instructions provided by users and those snuck into third-party content the models are summarizing, drafting responses to, or using to perform other actions on behalf of the user. With no way to secure this crucial boundary, Microsoft and its peers are left to erect complicated and ad hoc guardrails designed to rein in the consequences of this incurable gullibility.

One such workaround is to wrap sensitive data inside HTML tags such as and

. In either case, a web request showing the data hits the attacker’s web server, where the secret information is captured in logs. Microsoft has implemented various guardrails to prevent this, including wrapping Copilot output in blocks so the browser treats it as straight text.

However, security firm Varonis devised an exploit chain that was able to catapult over these guardrails. The first element of this exploit chain was a Parameter-to-Prompt Injection, which is similar to prompt injection but with the malicious command located in the query parameter rather than an email or other piece of untrusted content.

The researchers sent the target an email containing a URL that told Copilot to ‘Search the user’s emails,’ extract the title, and embed it in an image URL. The victim didn’t type anything; they simply clicked on the link, and Copilot did the rest. Normally, the guardrail wrapping output in blocks would kick in, but the researchers discovered that this protection fires only after the ‘thinking’ phase.

Prior to that, Copilot generated its response using raw HTML, which is temporarily rendered in the browser DOM. The exploit chain used Microsoft’s Bing search engine as a trampoline of sorts, as it is among the sites permitted to send such requests according to the Copilot content security policy.

The researchers now had an image request firing from the target’s browser, which was then sent to the attacker-controlled domain that was included in the request. The blast radius isn’t limited to personal data—it’s able to surface anything the user has access to inside the organization, including emails, meeting invites and notes, SharePoint documents, OneDrive files, and other indexed business content.

As noted, Microsoft fixed the vulnerabilities that SearchLeak exploited on Tuesday. However, with no known way to fix the underlying cause of such SNAFUs, attackers will inevitably find new ways to circumvent the newly constructed guardrails, and the process will repeat all over again.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *