
Microsoft Fixes ASCII Smuggling Flaw in 365 Copilot

Dwain.B

27 Aug 2024

Vulnerability Allowed Data Theft via Invisible Unicode Characters

Microsoft has patched a critical vulnerability in 365 Copilot that enabled data theft through a technique called ASCII Smuggling. This method used special Unicode characters to conceal malicious content, allowing attackers to exfiltrate sensitive information, including MFA codes, by embedding invisible data within hyperlinks. The flaw was part of a larger exploit chain involving prompt injection and retrieval-augmented generation (RAG) poisoning. Microsoft addressed the issue after its disclosure in January 2024.
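A defender-side check for the invisible characters described above, added here as an example and not taken from Microsoft or the original article. It assumes the "special Unicode characters" are the Unicode Tags block (U+E0000 to U+E007F), which mirrors ASCII but renders as nothing; the function names and the sample string are constructed for illustration.

```python
import re

# Assumption: hidden data is carried in the Unicode Tags block (U+E0000-U+E007F).
# U+E0020..U+E007E map one-to-one onto printable ASCII 0x20..0x7E.
TAG_BASE = 0xE0000
TAG_RUN = re.compile("[\U000E0000-\U000E007F]+")


def find_hidden_runs(text):
    """Return (code point offset, decoded ASCII) for every run of tag characters."""
    findings = []
    for match in TAG_RUN.finditer(text):
        decoded = "".join(
            chr(ord(ch) - TAG_BASE) if 0xE0020 <= ord(ch) <= 0xE007E else "?"
            for ch in match.group()
        )
        findings.append((match.start(), decoded))
    return findings


def sanitize(text):
    """Strip all tag characters before text is rendered, logged or turned into a link."""
    return TAG_RUN.sub("", text)


# Constructed sample: a markdown link as an assistant might render it, with six
# invisible tag characters appended to the query string. example.com is a placeholder.
SAMPLE = (
    "Open the [summary](https://example.com/s?d="
    "\U000E0034\U000E0038\U000E0032\U000E0039\U000E0031\U000E0033"
    ")"
)

if __name__ == "__main__":
    for offset, hidden in find_hidden_runs(SAMPLE):
        print(f"hidden data at offset {offset}: {hidden!r}")
    print("sanitized:", sanitize(SAMPLE))
```

Running `find_hidden_runs` over model output and retrieved documents flags content for review, while `sanitize` can be applied before links are rendered.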


Read more about this vulnerability in the original article from The Hacker News.