Microsoft 365 Copilot was found to be vulnerable to a sophisticated data exfiltration attack leveraging Mermaid diagrams and indirect prompt injection. The vulnerability allowed an attacker to trick the AI assistant into retrieving sensitive tenant data—such as recent emails—and exfiltrating it via a maliciously crafted mermaid diagram. The attack began with a specially crafted Excel document containing hidden, nested instructions in white text. These instructions used indirect prompt injection techniques to manipulate M365 Copilot’s behavior. The first page instructed the model to ignore its content and instead check the second sheet. The second sheet contained progressive task modification commands that redirected the model’s focus from summarizing financial data to generating a fake login prompt. When asked to summarize the document, M365 Copilot executed a series of unintended actions. It used the search_enterprise_emails tool to retrieve the user’s recent emails, hex encoded the entire output, and split the encoded string into lines of no more than 30 characters to avoid triggering Mermaid’s line length limits. It then generated a Mermaid diagram that visually resembled a login button, complete with CSS styling to make it appear interactive. The diagram included a clickable hyperlink pointing to the attacker’s server, with the hex-encoded email data appended as a query parameter. When a user clicked the diagram, the browser would navigate to the attacker’s endpoint, sending the sensitive data in plain text within the URL. The attacker could then decode the hex string from server logs to recover the full email content. This attack was possible because M365 Copilot supports dynamic rendering of Mermaid diagrams and allows hyperlinks within them. Although the diagrams themselves are rendered in the chat interface, the clickable links were not properly sanitized or restricted, enabling data exfiltration. The researcher, Adam Logue, discovered this vulnerability after attending the 2025 MSRC Researcher Celebration Party at DEFCON, where he learned that M365 Copilot was initially out of scope for bug bounties. This prompted him to refine the exploit by combining it with a reliable indirect prompt injection technique, which he developed using insights from Microsoft’s own research on task drift detection, including the TaskTracker methodology. After multiple submissions and video proof-of-concept demonstrations, Microsoft confirmed the vulnerability on September 8, 2025, and began mitigation efforts. By September 26, the issue was resolved. Microsoft patched the vulnerability by disabling interaction with dynamic content in Mermaid diagrams, including the ability to follow hyperlinks embedded within them. Despite the successful resolution, MSRC ultimately determined that M365 Copilot was out of scope for bounty rewards at the time of disclosure. Nevertheless, the researcher’s detailed report and coordinated disclosure contributed significantly to improving the security of Microsoft’s AI products. The full findings were published on October 21, 2025, after approval from Microsoft.