Sneaky Mermaid Attack in Microsoft 365 Copilot Steals Data

Microsoft fixed a security vulnerability in Microsoft 365 Copilot that allowed data theft through indirect prompt injection attacks. A researcher discovered the flaw leveraging Mermaid diagrams, enabling sensitive email data to be exfiltrated. Microsoft confirmed the patch but did not award the researcher a bug bounty since Copilot is not eligible for their reward program.

https://www.theregister.com/2025/10/24/m365_copilot_mermaid_indirect_prompt_injection/

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top