Cyber security news for all

    Microsoft Patches ASCII Smuggling Vulnerability in Microsoft 365 Copilot

    Microsoft has addressed a critical vulnerability in Microsoft 365 Copilot that allowed attackers to steal sensitive information through a technique known as ASCII smuggling.

    Security researcher Johann Rehberger explained that ASCII smuggling uses special Unicode characters that mirror ASCII characters but are not rendered in the user interface. This lets an attacker embed hidden data inside clickable links that look ordinary to the user.

    The attack chain consists of several steps:

    1. Prompt Injection: Malicious content hidden in a document shared in chat triggers prompt injection.
    2. Data Harvesting: The prompt injection payload instructs Copilot to search for additional emails and documents.
    3. Data Exfiltration: ASCII smuggling is used to lure users into clicking links that exfiltrate valuable data to a third-party server.
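    The following is an added example written for this article; it is not code from Microsoft, from Johann Rehberger or from the original report. It shows the defensive side of the mechanism described above: a small checker that splits a link label or URL into what the user sees and what is carried invisibly, and a sanitizer that strips the invisible part. It relies on one Unicode fact not stated on the page: the Unicode Tags block (U+E0000 to U+E007F) mirrors the 128 ASCII code points and is drawn with no visible glyph by most renderers. The function names (`analyze`, `sanitize`, `build_constructed_sample`) and the sample strings are assumptions made for the example; `build_constructed_sample` exists only to produce test input.

```python
"""Added example: detect and strip ASCII-smuggled text in link text or URLs.

Assumption (a Unicode fact, not something stated in the article): the Tags
block U+E0000..U+E007F mirrors ASCII 0x00..0x7F and renders invisibly, so a
string can carry a hidden ASCII payload next to its visible text.
"""
import unicodedata
from dataclasses import dataclass

TAG_BASE = 0xE0000   # U+E0000 + ord(ascii_char) is that character's invisible "tag" twin
TAG_LAST = 0xE007F


@dataclass
class SmugglingReport:
    visible_text: str        # what the user actually sees
    hidden_text: str         # ASCII recovered from tag characters, in order of appearance
    tag_count: int           # number of tag characters found
    other_invisible: list    # (index, "U+XXXX", name) for non-tag format characters

    @property
    def suspicious(self) -> bool:
        return self.tag_count > 0 or bool(self.other_invisible)


def analyze(text: str) -> SmugglingReport:
    """Split text into its visible part and any payload hidden in tag characters.

    Other zero-width / format characters (Unicode category Cf) are recorded too;
    they are a weaker signal, but rarely belong in a URL or link label.
    """
    visible, hidden, others = [], [], []
    for idx, ch in enumerate(text):
        cp = ord(ch)
        if TAG_BASE <= cp <= TAG_LAST:
            hidden.append(chr(cp - TAG_BASE))   # map the tag twin back to ASCII
        elif unicodedata.category(ch) == "Cf":
            others.append((idx, f"U+{cp:04X}", unicodedata.name(ch, "<unnamed>")))
        else:
            visible.append(ch)
    return SmugglingReport("".join(visible), "".join(hidden), len(hidden), others)


def sanitize(text: str) -> str:
    """Return the text with tag and other format characters removed.

    This is the kind of normalisation a DLP or link-rendering step can apply
    before a link is shown to a user or its parameters are forwarded anywhere.
    """
    return analyze(text).visible_text


def build_constructed_sample(visible: str, hidden_ascii: str) -> str:
    """Constructed test input only: a visible string with hidden ASCII appended."""
    if not hidden_ascii.isascii():
        raise ValueError("only ASCII can be represented with tag characters")
    return visible + "".join(chr(TAG_BASE + ord(c)) for c in hidden_ascii)


if __name__ == "__main__":
    # Constructed sample: looks like a plain link but carries an invisible payload.
    sample = build_constructed_sample("https://example.com/report", "hidden payload 42")
    report = analyze(sample)
    print("visible  :", report.visible_text)
    print("hidden   :", repr(report.hidden_text))
    print("tag chars:", report.tag_count, "| suspicious:", report.suspicious)
    print("sanitized:", sanitize(sample))
```

    A practical deployment runs `analyze` over every link label and URL a chat or assistant response is about to render, blocks or rewrites anything where `suspicious` is true, and logs `hidden_text` so an analyst can see what would have left the tenant. Dropping every category-Cf character is deliberately blunt; if the input can legitimately contain emoji sequences joined with U+200D, exempt that code point in `analyze` rather than weakening the tag-character check.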

    This flaw could potentially expose sensitive information such as multi-factor authentication (MFA) codes. Microsoft has addressed the vulnerability following a responsible disclosure in January 2024.

    Additionally, proof-of-concept (PoC) attacks have demonstrated the manipulation of Copilot responses, private data exfiltration, and evasion of security measures. Methods include retrieval-augmented generation (RAG) poisoning, indirect prompt injection leading to remote code execution, and using Copilot for phishing.

    Microsoft has also noted the risk posed by publicly exposed Copilot bots created without authentication, which could be exploited by attackers with prior knowledge of the Copilot name or URL.

    Enterprises are advised to assess their risk and enhance security controls, including Data Loss Prevention, to mitigate potential leaks from Copilot systems.
