Home / Technology / Microsoft AI Copilot Leaks 2FA Codes
Microsoft AI Copilot Leaks 2FA Codes
16 Jun
Summary
- Exploit retrieves 2FA codes and sensitive email data from Copilot.
- Attackers use markup and HTML to bypass AI guardrails.
- Microsoft patched the 'SearchLeak' vulnerability last Tuesday.
Last Tuesday, Microsoft addressed a critical vulnerability in its M365 Copilot AI platform that allowed for the exfiltration of sensitive data. Researchers revealed that their proof-of-concept exploit could retrieve two-factor authentication (2FA) codes and other confidential information from emails accessible via Copilot.
The core issue stems from AI models' difficulty in differentiating user commands from malicious instructions embedded within third-party content. Attackers exploited this by using markup languages and HTML tags to trick Copilot into sending data to external servers.
Security firm Varonis devised an exploit chain called 'SearchLeak.' This attack used a "Parameter-to-Prompt Injection" by embedding malicious commands within a URL's query parameter. When a user clicked a crafted link, Copilot would search emails, extract titles, and embed them into image URLs directed to an attacker-controlled domain.
This bypasses guardrails that typically wrap Copilot's output in code blocks. The exploit exploited a window where Copilot rendered raw HTML before these protections activated. Microsoft's Bing search engine was used as a trampoline to send image requests to unauthorized domains, a feature permitted by Copilot's content security policy.
The 'SearchLeak' attack targeted Microsoft's Enterprise tier, potentially exposing emails, meeting invites, notes, SharePoint documents, and OneDrive files. Microsoft has since patched the vulnerabilities, but the underlying issue of AI's susceptibility to prompt injection remains a challenge.
