No Result
View All Result
Global Finances Daily
  • Alternative Investments
  • Crypto
  • Financial Markets
  • Investments
  • Lifestyle
  • Protection
  • Retirement
  • Savings
  • Work & Careers
No Result
View All Result
  • Alternative Investments
  • Crypto
  • Financial Markets
  • Investments
  • Lifestyle
  • Protection
  • Retirement
  • Savings
  • Work & Careers
  • Login
Global Finances Daily
No Result
View All Result
Home Protection

How to Weaponize Microsoft Copilot for Cyberattackers

August 9, 2024
in Protection
0
How to Weaponize Microsoft Copilot for Cyberattackers


BLACK HAT USA – Las Vegas – Thursday, Aug. 8 – Enterprises are implementing Microsoft’s Copilot AI-based chatbots at a rapid pace, hoping to transform how employees gather data and organize their time and work. But at the same time, Copilot is also an ideal tool for threat actors.

Security researcher Michael Bargury, a former senior security architect in Microsoft’s Azure Security CTO office and now co-founder and chief technology officer of Zenity, says attackers can use Copilot to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don’t open emails or click on links.

Today at Black Hat USA in Las Vegas, Bargury demonstrated how Copilot, like other chatbots, is susceptible to prompt injections that enable hackers to evade its security controls.

The briefing, Living off Microsoft Copilot, is the second Black Hat presentation in as many days for Bargury. In his first presentation on Wednesday, Bargury demonstrated how developers could unwittingly build Copilot chatbots capable of exfiltrating data or bypassing policies and data loss prevention controls with Microsoft’s bot creation and management tool, Copilot Studio.

A Red-Team Hacking Tool for Copilot

Thursday’s follow-up session focused on various risks associated with the actual chatbots, and Bargury released an offensive security toolset for Microsoft 365 on GitHub. The new LOLCopilot module, part of powerpwn, is designed for Microsoft Copilot, Copilot Studio, and Power Platform.

Bargury describes it as a red-team hacking tool to show how to change the behavior of a bot, or “copilot” in Microsoft parlance, through prompt injection. There are two types: A direct prompt injection, or jailbreak, is where the attacker manipulates the LLM prompt to alter its output. With indirect prompt injections, attackers modify the data sources accessed by the model.

Using the tool, Bargury can add a direct prompt injection to a copilot, jailbreaking it and modifying a parameter or instruction within the model. For instance, he could embed an HTML tag into an email to replace a correct bank account number with that of the attacker, without changing any of the reference information or altering the model with, say, white text or a very small font.

“I’m able to manipulate everything that Copilot does on your behalf, including the responses it provides for you, every action that it can perform on your behalf, and how I can personally take full control of the conversation,” Bargury tells Dark Reading.

Further, the tool can do all of this undetected. “There is no indication here that this comes from a different source,” Bargury says. “This is still pointing to valid information that this victim actually created, and so this thread looks trustworthy. You don’t see any indication of a prompt injection.”

RCE = Remote “Copilot” Execution Attacks

Bargury describes Copilot prompt injections as tantamount to remote code-execution (RCE) attacks. While copilots don’t run code, they do follow instructions, perform operations, and create compositions from those actions.

“I can enter your conversation from the outside and take full control of all of the actions that the copilot does on your behalf and its input,” he says. “Therefore, I’m saying this is the equivalent of remote code execution in the world of LLM apps.”

During the session, Bargury demoed what he describes as remote Copilot executions (RCEs) where the attacker:

Bargury isn’t the only researcher who has studied how threat actors could attack Copilot and other chatbots with prompt injection. In June, Anthropic detailed its approach to red team testing of its AI offerings. And for its part, Microsoft has touted its red team efforts on AI security for some time.

Microsoft’s AI Red Team Strategy

In recent months, Microsoft has addressed newly surfaced research about prompt injections, which come in direct and indirect forms.

Mark Russinovich, Microsoft Azure’s CTO and technical fellow, recently discussed various AI and Copilot threats at the annual Microsoft Build conference in May. He emphasized the release of Microsoft’s new Prompt Shields, an API designed to detect direct and indirect prompt injection attacks.  

“The idea here is that we’re looking for signs that there are instructions embedded in the context, either the direct user context or the context that is being fed in through the RAG [retrieval-augmented generation], that could cause the model to misbehave,” Russinovich said.

Prompt Shields is among a collection of Azure tools Microsoft recently launched that are designed for developers to build secure AI applications. Other new tools include Groundedness Detection to detect hallucinations in LLM outputs, and Safety Evaluation to detect an application’s susceptibility to jailbreak attacks and creating inappropriate content.

Russinovich also noted two other new tools for security red teams: PyRIT (Python Risk Identification Toolkit for generative AI), an open source framework that discovers risks in generative AI systems. The other, Crescendomation, automates Crescendo attacks, which produce malicious content. Further, he announced Microsoft’s new partnership with HiddenLayer, whose Model Scanner is now available to Azure AI to scan commercial and open source models for vulnerabilities, malware or tampering.

The Need for Anti-“Promptware” Tooling

While Microsoft says it has addressed those attacks with safety filters, AI models are still susceptible to them, according to Bargury.

He says in specific, there’s a need for more tools that scan for what he and other researchers call “promptware,” i.e., hidden instructions and untrusted data. “I’m not aware of anything you can use out of the box today [for detection],” Bargury says.

“Microsoft Defender and Purview don’t have those capabilities today,” he adds. “They have some user behavior analytics, which is helpful. If they find the copilot endpoint having multiple conversations, that could be an indication that they’re trying to do prompt injection. But actually, something like this is very surgical, where somebody has a payload, they send you the payload, and [the defenses] aren’t going to spot it.”

Bargury says he regularly communicates with Microsoft’s red team and notes they are aware of his presentations at Black Hat. Further, he believes Microsoft has moved aggressively to address the risks associated with AI in general and its own Copilot specifically.

“They are working really hard,” he says. “I can tell you that in this research, we have found 10 different security mechanisms that Microsoft’s put in place inside of Microsoft Copilot. These are mechanisms that scan everything that goes into Copilot, everything that goes out of Copilot, and a lot of steps in the middle.”



Editorial Team

Editorial Team

Related Posts

The Best Books, Movies, Video Games, and Podcasts to Check Out After Watching 'Adventure Time'
Protection

The Best Books, Movies, Video Games, and Podcasts to Check Out After Watching ‘Adventure Time’

July 6, 2026
The TCL Nxtvision Picture Frame TV Is Nearly $600 Off Right Now
Protection

The TCL Nxtvision Picture Frame TV Is Nearly $600 Off Right Now

July 6, 2026
Which Is the Better Watch Display: MIP vs. AMOLED
Protection

Which Is the Better Watch Display: MIP vs. AMOLED

July 6, 2026
Amazon Prime Members Can Get Two of These Free E-Books in July 2026
Protection

Amazon Prime Members Can Get Two of These Free E-Books in July 2026

July 6, 2026
Hacks Every Garmin Forerunner 970 User Should Know
Protection

Hacks Every Garmin Forerunner 970 User Should Know

July 6, 2026
This Three-in-One Anker Charger Is $50 Off Right Now
Protection

This Three-in-One Anker Charger Is $50 Off Right Now

July 6, 2026
Load More
Next Post
Equities Rebound Loses Steam as Yen Rises Again: Markets Wrap

Equities Rebound Loses Steam as Yen Rises Again: Markets Wrap

Popular News

  • Where to get high yield on stablecoins in 2025: Top 5 projects

    Where to get high yield on stablecoins in 2025: Top 5 projects

    0 shares
    Share 0 Tweet 0
  • The 10 best banks for college students in 2025

    0 shares
    Share 0 Tweet 0
  • The Early Retirement Golden Girl

    0 shares
    Share 0 Tweet 0
  • India’s stellar growth, low inflation raise questions over rate cuts

    0 shares
    Share 0 Tweet 0
  • Trump announces 10% tariff on Denmark and key European allies over Greenland dispute

    0 shares
    Share 0 Tweet 0

Latest News

Walmart rolls back barbecue staple prices after Trump says retailer acted at his request

Walmart rolls back barbecue staple prices after Trump says retailer acted at his request

July 7, 2026
0

Walmart rolls back barbecue staple prices after Trump says retailer acted at his request

Binance

BNB Chain Gas-Free Stablecoin Transfers Target Crypto’s Everyday Payment Problem

July 7, 2026
0

Trusted Editorial content, reviewed by leading industry experts and seasoned editors. Ad Disclosure BNB Chain is working with stablecoin issuers...

German industrial output rises more than expected in May

German industrial output rises more than expected in May

July 7, 2026
0

German industrial output rises more than expected in May

Cointelegraph

Trader Loses $2 Million From Malicious DEX incident

July 7, 2026
0

A trader who swapped $2.01 million worth of Ether on a decentralized exchange has been left with just $14,500 worth...

Global Finances Daily

Welcome to Global Finances Daily, your go-to source for all things finance. Our mission is to provide our readers with valuable information and insights to help them achieve their financial goals and secure their financial future.

Subscribe

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Use
  • Editorial Process

© 2025 All Rights Reserved - Global Finances Daily.

No Result
View All Result
  • Alternative Investments
  • Crypto
  • Financial Markets
  • Investments
  • Lifestyle
  • Protection
  • Retirement
  • Savings
  • Work & Careers

© 2025 All Rights Reserved - Global Finances Daily.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.