Summarize

Simplifying... Inshort

Microsoft's chatbot, Copilot, is under scrutiny for potential cybersecurity threats.
Hackers could exploit its features to extract sensitive data and conduct AI-driven social engineering attacks.
A tool named "LOLCopilot" has been developed to simulate these attacks and highlight the inadequacy of Copilot's default security settings.

Was a long read? Making it simpler...

Next Article

Security flaws discovered in Microsoft Copilot

Copilot users beware! Microsoft's chatbot is vulnerable to cyberattacks

By Akash Pandey

Aug 10, 2024

12:53 pm

What's the story

At the recent Black Hat USA conference, security researcher Michael Bargury exposed significant vulnerabilities in Microsoft's artificial intelligence (AI) tool, Copilot. Bargury demonstrated how these weaknesses could be exploited by cybercriminals for malicious activities. This finding underscores the need for organizations to implement robust security practices, and educate their workers about potential risks associated with AI tools like Copilot.

Exploitation methods

Copilot plugins: A gateway for cyberattacks

Bargury detailed several strategies that could be used by attackers to exploit Copilot for cyberattacks. One significant disclosure was the potential misuse of Copilot plugins to install backdoors in other users' interactions. This could facilitate data theft and enable AI-driven social engineering attacks, highlighting a new dimension of cybersecurity threats.

Data extraction

Hackers can manipulate chatbot to extract sensitive data

Bargury revealed that hackers could manipulate Copilot's capabilities to covertly search for and extract sensitive data. This bypasses traditional security precautions that focus on file and data protection. The process involves altering Copilot's behavior through prompt injections, which alters the AI's responses to suit the hacker's objectives, further complicating cybersecurity efforts.

Integration risks

Copilot's integration with Microsoft 365: A double-edged sword

Microsoft developed Copilot to simplify tasks by integrating with Microsoft 365 applications. However, Bargury showed how this feature could be manipulated for malicious activities. He warned of the tool's potential to facilitate AI-based social engineering attacks, where hackers could use Copilot to create convincing phishing emails or manipulate interactions, tricking users into disclosing confidential information.

Attack simulation

LOLCopilot: A tool to simulate attacks

To illustrate these vulnerabilities, Bargury demonstrated a red-teaming tool named "LOLCopilot." This tool is designed for ethical hackers to simulate attacks and mitigate the possible threats posed by Copilot. LOLCopilot operates inside any Microsoft 365 Copilot-enabled tenant using default configurations, permitting ethical hackers to analyze how Copilot can be misused for data exfiltration and cyberattacks, without leaving traces in system logs.

Information

Copilot's default security settings deemed insufficient

Bargury's demonstration revealed that Copilot's default security settings are inadequate to prevent such exploits. The tool's ability to access/process large amounts of data poses a huge risk, especially if permissions are not carefully managed.