"Microsoft 365 Copilot Vulnerability Exposes User Data Risks"

Cybersecurity researcher Johann Rehberger has disclosed a vulnerability he found in Microsoft 365 Copilot that allows attackers to steal users' sensitive information. According to Rehberger, the exploitation of this flaw involves several advanced techniques, including prompt injection, automatic tool invocation, and ASCII smuggling. The attack starts with a prompt injection through a malicious email or shared document. This injection prompts Microsoft 365 Copilot to search for additional emails and documents without consent from the user. The attacker can then perform ASCII smuggling in which invisible Unicode characters are used to embed sensitive information in what appears to be harmless hyperlinks. When these links are clicked, the embedded data is sent to a third-party server controlled by the attacker. This article continues to discuss the potential exploitation and impact of the Microsoft 365 Copilot vulnerability.

Infosecurity Magazine reports "Microsoft 365 Copilot Vulnerability Exposes User Data Risks"

Submitted by grigby1