  • Microsoft Reveals Whisper Leak: Attack Infers Encrypted AI Chat Topics with 98% Accuracy

    Microsoft has disclosed a new side-channel attack on remote large language models that lets a passive adversary who merely observes encrypted network traffic infer the topic of a user's conversation with an AI, even when HTTPS is in use. The technique has been named Whisper Leak.

    According to the company, the vulnerability affects streaming LLMs, that is, models that transmit their responses in fragments as they are generated. While this method improves the user experience by eliminating the wait for a complete response, it also exposes subtle traffic patterns that can reveal the context of the conversation. Microsoft notes that this poses a significant privacy risk for both individual and corporate users.

    Researchers Jonathan Bar-Or and Jeff McDonald from the Microsoft Defender Security Research Team explained that the attack becomes feasible when a sophisticated adversary gains access to the network traffic. Such an attacker might operate at the ISP level, within the same local network, or even on a shared Wi-Fi connection. Although TLS encryption prevents direct access to message content, the attacker can still analyze packet sizes and timing intervals, which are sufficient for a trained model to determine whether the conversation aligns with one of several predefined topics.

    In essence, the attack leverages the sequence of encrypted packet sizes and transmission timings produced during a streaming LLM response. Microsoft validated this hypothesis experimentally by training a binary classifier that distinguishes topic-specific queries from general background traffic. Using three different machine learning approaches (LightGBM, Bi-LSTM, and BERT), the researchers achieved accuracy rates exceeding 98% against models from Mistral, xAI, DeepSeek, and OpenAI. This means that an observer passively monitoring traffic to popular chatbots could reliably identify conversations involving sensitive subjects.

    Microsoft further warned that at scale—such as within an ISP or government monitoring system—this technique could be used to identify users discussing topics like money laundering, political dissent, or other regulated subjects, even though all exchanges remain encrypted.

    The authors noted a particularly troubling detail: the longer an attacker collects training data and the more conversation samples they obtain, the more accurate the classification becomes. This gradually transforms Whisper Leak from a theoretical vulnerability into a practical surveillance tool. Following responsible disclosure, OpenAI, Mistral, Microsoft, and xAI have all implemented mitigation measures.

    One of the most effective defenses involves appending randomized text sequences of variable length to model outputs, thereby obscuring the correlation between token length and packet size—a disruption that neutralizes the information leak. Microsoft also advises privacy-conscious users to avoid discussing sensitive topics on untrusted networks, to use VPNs whenever possible, to prefer non-streaming LLM variants, and to work with providers that have already deployed protective mechanisms.
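The size half of the side channel and the padding mitigation, as an added simulation that is not part of the article or of Microsoft's research code. It assumes a constructed fixed per-record framing overhead, one streamed token per record, and a whitespace split as a stand-in for a real tokenizer; real TLS record sizes and token boundaries differ, but the correlation argument is the same.

```python
import random

# Constructed per-record framing overhead (stands in for TLS record headers and the
# authentication tag); the real figure depends on cipher suite and HTTP framing.
RECORD_OVERHEAD = 29

def observed_sizes(tokens, pad_max=0, seed=0):
    """Record sizes an on-path observer sees when a response is streamed one token
    per record. pad_max=0 is the unmitigated stream; pad_max>0 appends 0..pad_max
    bytes of random filler to each chunk, modelling the variable-length padding
    mitigation described in the article."""
    rng = random.Random(seed)
    return [len(tok.encode()) + (rng.randint(0, pad_max) if pad_max else 0) + RECORD_OVERHEAD
            for tok in tokens]

def recover_token_lengths(sizes):
    """What the observer learns from an unpadded stream: exact plaintext token lengths,
    the raw material for the topic classifier."""
    return [s - RECORD_OVERHEAD for s in sizes]

def pearson(xs, ys):
    """Plain Pearson correlation, written out so the example needs no extra modules."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5

def leak_score(tokens, sizes):
    """Correlation between true token lengths and observed record sizes: 1.0 means the
    lengths are fully exposed, values near 0 mean the padding hides them."""
    return pearson([len(t.encode()) for t in tokens], sizes)

# Constructed stand-in for a streamed answer; the varying token lengths are exactly
# what turns the per-record size sequence into a topic fingerprint.
SAMPLE_TOKENS = ("Whisper Leak shows that streamed responses expose token lengths through "
                 "record sizes even under TLS , so padding each chunk is needed . ").split() * 8

if __name__ == "__main__":
    plain = observed_sizes(SAMPLE_TOKENS)
    padded = observed_sizes(SAMPLE_TOKENS, pad_max=256)
    print("unpadded leak score:", round(leak_score(SAMPLE_TOKENS, plain), 3))
    print("padded leak score:  ", round(leak_score(SAMPLE_TOKENS, padded), 3))
    print("token lengths recovered from unpadded stream:",
          recover_token_lengths(plain) == [len(t.encode()) for t in SAMPLE_TOKENS])
```

Timing intervals between records are the other half of the channel and are not modelled here; a non-streaming response collapses the whole sequence into a single record, which is why the article lists it as a further mitigation.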

    In parallel, Cisco released an independent security assessment of eight open-weight LLMs from Alibaba, DeepSeek, Google, Meta, Microsoft, Mistral, OpenAI, and Zhipu AI. Their findings revealed that such models tend to degrade in multi-turn conversations, becoming easier to manipulate during extended sessions. Models optimized for raw performance rather than safety demonstrated higher susceptibility to multi-step attacks. This aligns with Microsoft’s conclusion that organizations integrating open-source LLMs into their workflows must implement additional security layers, conduct regular red teaming, and enforce strict system prompt policies.

    Collectively, these studies underscore that LLM security remains an unfinished endeavor. While encryption protects content, it does not always conceal behavioral patterns. As a result, developers and enterprises must begin accounting for these side-channel risks, particularly when handling sensitive data or operating in environments where traffic observation by third parties is possible.