Microsoft 365 Copilot, the AI chatbot designed for enterprise use within Office applications, has been identified as having a vulnerability that could be exploited without user interaction. A cybersecurity firm has revealed a flaw that could be activated through a simple text email, allowing unauthorized access to retrieve sensitive data from users’ devices. Microsoft confirmed that it has addressed the issue and asserted that no users experienced any adverse effects from the vulnerability.
Researchers Detect Zero-Click Vulnerability in Copilot
In a recent blog post, cybersecurity startup Aim Security outlined the zero-click exploit and its execution. This type of attack allows hackers to infiltrate systems without requiring victims to download files or click on links; simply opening an email can trigger such an attack.
The findings from Aim Security illustrate the potential dangers associated with AI chatbots, particularly those equipped with agentic capabilities that let them perform actions autonomously, such as accessing OneDrive to fetch data in response to user inquiries.
According to the researchers, the attack utilized cross-prompt injection attack (XPIA) techniques, which involve manipulating inputs across various prompts or sessions to alter the behavior of the AI. Attackers can embed malicious content through attached files, hidden text, or incorporated instructions.
The XPIA method was demonstrated not only through email but also via images by embedding harmful commands in the alt text, and even through Microsoft Teams by executing a GET request to a malicious URL. While the first two techniques necessitate user interaction regarding the email or image, the latter permits the hacking process to commence without any action from the user.
The authors of the post noted, “The attack allows the perpetrator to extract the most sensitive data from the current large language model (LLM) context, effectively turning the LLM against itself by ensuring that the critical data is leaked without relying on specific user behavior. This can occur in both one-off and multi-turn conversations.”
A Microsoft spokesperson acknowledged the vulnerability and expressed gratitude to Aim Security for identifying and reporting it, as noted in a Fortune report. The issue has since been resolved, with the company confirming that no users were impacted.
