Microsoft fixed a security vulnerability in Microsoft 365 Copilot that allowed data theft through indirect prompt injection attacks. A researcher discovered the flaw leveraging Mermaid diagrams, enabling sensitive email data to be exfiltrated. Microsoft confirmed the patch but did not award the researcher a bug bounty since Copilot is not eligible for their reward program.
https://www.theregister.com/2025/10/24/m365_copilot_mermaid_indirect_prompt_injection/

