Sneaky Mermaid attack in Microsoft 365 Copilot steals data (www.theregister.com)

Researcher Adam Logue discovered and responsibly disclosed a prompt‑injection flaw in Microsoft 365 Copilot — dubbed the "Sneaky Mermaid" attack — that Microsoft says it has patched. The exploit used an indirect prompt injection hidden inside an innocuous "summarize this document" request: Copilot’s support for Mermaid diagrams (which also accepts CSS and links) was abused to embed a payload that invoked Copilot’s search_enterprise_emails tool to fetch recent tenant emails, hex‑encode and chunk the results, then render them inside a seemingly benign diagram. The diagram contained a fake “login” button whose CSS-linked URL pointed to an attacker‑controlled server (Logue’s Burp Collaborator). When a user clicked the button, the hex data was exfiltrated and could be decoded and abused. The case is significant because it shows how integrations that render rich markup or external links (Mermaid + CSS) expand the attack surface for indirect prompt injections, turning generated UI elements into exfiltration channels. Microsoft says customers need not take action and declined to disclose patch details; Logue verified the fix but won’t receive a bounty because M365 Copilot is currently out of scope for Microsoft’s reward program. The incident underscores the need for stricter output sanitization, cautious handling of model-invoked tools (like enterprise search), and broader bug‑bounty coverage as assistants gain richer rendering and tool integrations.