Microsoft patched a vulnerability rated as max critical in its M365 Copilot AI platform last Tuesday. On Monday, researchers from security firm Varonis who discovered the vulnerability revealed how their proof-of-concept exploit could retrieve two-factor authentication codes and other sensitive data from emails accessible to Copilot. The root cause stems from AI bots' inability to distinguish between instructions provided by users and those embedded in third-party content the models process, leaving Microsoft and other LLM providers unable to prevent their products from complying with malicious data-retrieval requests.
Varonis Researchers Bypass Copilot Guardrails Using Markup Language
Microsoft built guardrails into Copilot to prevent the LLM from submitting web forms, sending emails, and taking similar actions that could exfiltrate user data. Varonis researchers worked around these restrictions using markup language, which allows adding formatting elements such as headings, lists, and links to text without HTML tags. Another workaround involved wrapping sensitive data inside HTML tags such as
and