Microsoft 365 Copilot AI Command Injection Information Disclosure Vulnerability
Vulnerability
A vulnerability allowing AI command injection in Microsoft 365 Copilot has been identified. This issue enables an unauthorized attacker to disclose information over a network. The vulnerability arises from how Copilot processes certain commands, potentially leading to the exfiltration of sensitive data.
Impact
Exploitation of this vulnerability could result in unauthorized information disclosure. An attacker could manipulate Copilot into generating phishing messages that appear legitimate, prompting users to click on links that could lead to data theft or exposure to malicious websites.
Remediation
Users can download the security update for Microsoft 365 Copilot for Android or iOS from the respective app stores. The update is also available for Microsoft 365 Copilot for Mac. For Outlook, Word, Excel, PowerPoint, OneNote, Teams, and Power BI on both iOS and Android, security updates can be downloaded from the Microsoft Update Catalog.