Breaking Down ‘EchoLeak’: A Zero-Click AI Vulnerability in Microsoft 365 Copilot


Aim Labs has uncovered “EchoLeak,” a critical zero-click AI vulnerability affecting Microsoft 365 Copilot, enabling attackers to automatically extract sensitive data without user interaction. This novel exploit, termed “LLM Scope Violation,” bypasses existing security measures and highlights the inherent risks in AI agent design. Aim Labs continues its research to develop mitigation strategies for such emerging AI security threats.

Key points

  • Aim Labs identified “EchoLeak,” a zero-click AI vulnerability in Microsoft 365 Copilot.
  • The attack chain allows automatic exfiltration of sensitive data from M365 Copilot’s context.
  • The vulnerability does not require user awareness or specific victim behavior.
  • An attacker can initiate the exploit by sending an email to the victim.
  • The vulnerability is a manifestation of “LLM Scope Violation.”
  • M365 Copilot is a RAG-based chatbot that uses OpenAI’s GPT.
  • The attack chain involves bypassing XPIA classifiers, link redaction, and Content-Security-Policy.
  • Exploitation methods include “RAG spraying” and leveraging the LLM Scope Violation.
  • Microsoft has confirmed no customers were affected.
  • Aim Labs has developed real-time guardrails to protect against LLM scope violation vulnerabilities.

Takeaway

So, it turns out that even our fancy AI assistants, like Microsoft’s M365 Copilot, aren’t immune to a good old-fashioned email trick. Apparently, sending a cleverly worded email is all it takes for someone to potentially snoop on your sensitive data. Who knew that the biggest threat to cutting-edge AI would be… email? Maybe it’s time to go back to carrier pigeons; they seem less susceptible to “LLM Scope Violations.”
