Cybersecurity researchers have found a way to force Microsoft 365 Copilot to collect sensitive data, such as passwords, and send it to malicious third parties using “ASCII smuggling.”
The ASCII smuggling attack required three things: Copilot for Microsoft 365 to read the contents of an email or attachment; access to additional programs, such as Slack; and being able to “smuggle” the message with “special Unicode characters that reflect ASCII but are not actually visible in the user interface.”
As explained by researchers at Embrace The Red, who found the flaw, Microsoft 365 Copilot can be told to read and analyze the content of incoming email messages and attachments. If that email or attachment tells Microsoft 365 Copilot to look for passwords, email addresses, or other sensitive data in Slack or elsewhere, it will do as instructed.
Hidden instructions and invisible text
Ultimately, if such a malicious message is hidden in an attachment or email using special Unicode characters that make it invisible to the victim, they may end up unwittingly telling their AI chatbot to hand over sensitive data to malicious third parties.
To prove their point, the researchers shared exploit demos with Microsoft, showing how sensitive data such as sales numbers and multi-factor authentication (MFA) codes can be leaked and then decoded.
“Email is not the only delivery method for such exploits. Forced document sharing or RAG retrieval can also be used as quick injection methods,” the report concludes.
In the paper, the researchers recommended that Copilot 365 stop interpreting or rendering Unicode tag code points.
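One way to apply that recommendation on the defensive side is to strip Unicode tag code points from untrusted text before it reaches the model, and to log what they spelled out. This is an added example, not code from the report or from Microsoft; `scan_tags` and the sample message are constructed for illustration.

```python
# The Unicode "Tags" block is U+E0000..U+E007F. Code points U+E0020..U+E007E
# mirror printable ASCII 0x20..0x7E but render as nothing in most interfaces.
TAG_START, TAG_END = 0xE0000, 0xE007F


def scan_tags(text):
    """Return (clean_text, findings).

    clean_text has every tag code point removed. findings is a list of
    (offset, decoded_run) pairs: the code point offset where each invisible
    run started and the ASCII text it mirrors, for analyst review.
    """
    clean, findings, run, run_start = [], [], [], None
    for i, ch in enumerate(text):
        cp = ord(ch)
        if TAG_START <= cp <= TAG_END:
            if run_start is None:
                run_start = i
            mirrored = cp - TAG_START
            # Non-printable tag values (e.g. U+E007F CANCEL TAG) decode to U+FFFD.
            run.append(chr(mirrored) if 0x20 <= mirrored <= 0x7E else "\ufffd")
        else:
            if run_start is not None:
                findings.append((run_start, "".join(run)))
                run, run_start = [], None
            clean.append(ch)
    if run_start is not None:
        findings.append((run_start, "".join(run)))
    return "".join(clean), findings


# Constructed sample: visible text with an invisible run embedded in the middle.
HIDDEN = "hidden text (constructed sample)"
SAMPLE = ("Q3 notes attached."
          + "".join(chr(TAG_START + ord(c)) for c in HIDDEN)
          + " Thanks.")

if __name__ == "__main__":
    clean, findings = scan_tags(SAMPLE)
    print(repr(clean))
    for offset, decoded in findings:
        print(f"invisible run at offset {offset}: {decoded!r}")
    # Caveat: subdivision flag emoji (U+1F3F4 followed by tag characters) use
    # this block legitimately; stripping leaves them as a plain black flag.
```

The same filter belongs on model output before it is rendered or placed into a link, since the report's demos leaked the data in this encoding as well.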
“The presentation of clickable hyperlinks will enable phishing and scams (as well as data exfiltration),” the report concludes. “Automatic invocation of tools is problematic as long as there are no solutions for message injection, as an adversary can invoke tools in this manner and (1) introduce sensitive information into the context of the message and (2) likely also invoke actions.”
Microsoft has already addressed the issue.