A single click mounted a covert, multistage attack against Copilot

Microsoft has addressed a significant security flaw in its Copilot AI assistant, which permitted malicious actors to extract sensitive user information through a seemingly harmless URL click. This breach was uncovered by ethical hackers from the security firm Varonis, who successfully executed a multistage attack that revealed personal data such as user names, locations, and details from the Copilot chat history. The exploit was particularly alarming as it continued to operate even after the user closed the Copilot chat window, requiring no further interaction beyond the initial click on the link included in an email. This method of attack was able to bypass enterprise endpoint security measures, evading detection by various endpoint protection applications. Dolev Taler, a security researcher at Varonis, explained the mechanics of the attack, stating, "Once we deliver this link with this malicious prompt, the user just has to click on the link and the malicious task is immediately executed." He emphasized that even if the user closed the Copilot tab right after clicking the link, the exploit would still be effective. The harmful URL directed users to a Varonis-owned domain, with a series of complex instructions appended as a parameter. These parameters were utilized by Copilot and similar language models to process URLs directly within user prompts. When activated, the parameter led Copilot Personal to incorporate personal user details into web requests. The crafted prompt, disguised as a riddle, extracted sensitive information such as a user password and sent it to the Varonis-controlled server. The attack did not stop there; the disguised image file contained additional instructions aimed at gathering further details, including the user's name and location, which were also transmitted through URLs opened by Copilot.