New attack turned Microsoft 365 Copilot into 1-click data theft tool
Security researchers have demonstrated a novel attack that transforms Microsoft 365 Copilot into a one-click data theft tool. The attack leverages Copilot's deep integration with Microsoft 365 services, enabling an attacker to exfiltrate sensitive data from an organization's environment with a single click. By exploiting the trust and permissions granted to Copilot, the attacker can prompt the AI assistant to retrieve and transmit confidential information, bypassing traditional security controls. The attack does not require sophisticated exploits or malware; instead, it abuses the legitimate functionality of Copilot to perform data theft. This highlights a new class of threats where AI assistants, designed to increase productivity, can be turned against their users. The researchers demonstrated the attack in a controlled environment, showing how an attacker could steal emails, documents, and other data stored in Microsoft 365. The consequence is that organizations using Microsoft 365 Copilot may face increased risk of data exfiltration if attackers gain access to a user's account or can trick the AI into performing malicious actions.
Attackers can abuse Microsoft 365 Copilot to steal data with a single click, bypassing security controls.