Sign up to save your podcasts
Or
Share Hijacking Microsoft Copilot AI
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Hijacking Microsoft Copilot AI
"Send me a quick text"
Episode Description – Technical Write-up for Defenders
EchoLeak is the first documented zero-click AI vulnerability in a major enterprise LLM application — Microsoft 365 Copilot.
The attacker seeds malicious instructions inside a normal-looking email, bypassing Microsoft’s prompt-injection filters.
When a user later asks a related question, Copilot retrieves that email, executes the hidden commands, and packages sensitive corporate data for exfiltration. Bypassing link redaction and CSP rules, the attacker silently sends the data out through trusted Microsoft services.
Persistence is achieved through “RAG spraying,” embedding the malicious instructions across multiple semantic chunks to maximize retrieval chances over time.
Defensive Actions
• Test AI prompt-injection classifiers, link filtering, and CSP enforcement in combination, not isolation.
• Monitor AI assistant retrieval logs for unusual cross-context content use.
• Implement strict scope enforcement so untrusted content cannot trigger privileged actions.
• Scan indexed content stores for embedded malicious instructions or unusual markdown patterns.
• Block unauthorized retrievals from trusted internal services to external destinations.
Potential IOCs
- Emails containing hidden markdown reference-style links
- External requests routed through Microsoft media or rendering services
- AI retrievals from HR, onboarding, or FAQ content containing unrelated data instructions
Recommended Detection Focus
- Alerts on Copilot responses containing embedded URLs or encoded data
- Monitoring outbound requests from Microsoft services carrying sensitive information
- Content scanning for prompt injection patterns inside indexed data
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.
View all episodes
By Meni Tasa"Send me a quick text"
Episode Description – Technical Write-up for Defenders
EchoLeak is the first documented zero-click AI vulnerability in a major enterprise LLM application — Microsoft 365 Copilot.
The attacker seeds malicious instructions inside a normal-looking email, bypassing Microsoft’s prompt-injection filters.
When a user later asks a related question, Copilot retrieves that email, executes the hidden commands, and packages sensitive corporate data for exfiltration. Bypassing link redaction and CSP rules, the attacker silently sends the data out through trusted Microsoft services.
Persistence is achieved through “RAG spraying,” embedding the malicious instructions across multiple semantic chunks to maximize retrieval chances over time.
Defensive Actions
• Test AI prompt-injection classifiers, link filtering, and CSP enforcement in combination, not isolation.
• Monitor AI assistant retrieval logs for unusual cross-context content use.
• Implement strict scope enforcement so untrusted content cannot trigger privileged actions.
• Scan indexed content stores for embedded malicious instructions or unusual markdown patterns.
• Block unauthorized retrievals from trusted internal services to external destinations.
Potential IOCs
- Emails containing hidden markdown reference-style links
- External requests routed through Microsoft media or rendering services
- AI retrievals from HR, onboarding, or FAQ content containing unrelated data instructions
Recommended Detection Focus
- Alerts on Copilot responses containing embedded URLs or encoded data
- Monitoring outbound requests from Microsoft services carrying sensitive information
- Content scanning for prompt injection patterns inside indexed data
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.