InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Microsoft 365 Copilot For Work: Image Data Exfiltration From SharePoint

Cyd Tseng
Published in InfoSec Write-ups

Microsoft Security Response Center (MSRC) was informed of this finding and this disclosure write-up has been vetted. Before this issue was fixed, this data exfiltration finding only worked with image files (e.g. png, jpg, svg).

Photo by Saradasish Pradhan on Unsplash

Type of vulnerability:

CWE-94 Improper Control of Generation of Code (‘Code Injection’)

Affected target environment:

Microsoft Copilot for Work (first tested on 17 Feb 2025) with Enterprise Data Protection enabled.

Let’s say we only have access to Microsoft 365 Copilot and we wish to obtain arbitrary image data from SharePoint without directly accessing it. What can we try?

Scenario:

Assume there is a known svg file, nest10.svg, currently within a user’s SharePoint.

Known svg file in SharePoint

We could try asking Copilot to give us access to the file.

Even providing a rough outline of the folder structure did not work :/

What if we gave it the URL to the file directly?

Attempting some form of file inclusion also did not work.

Alright, that clearly did not work. Let’s dive deeper on how the Copilot web interface renders images.

We get a Designer response for a requested poster.

A brief analysis of the Designer preview shows us that rendering images seems to be possible, but are we able to directly inject the <img> tag on Copilot’s web interface?

Designer’s logo rendered with an img HTML tag!

Clearly not.

We are still unable to get the image to load…

Attack methodology

Our attack methodology is as follows, utilising the Crescendo multi-turn LLM jailbreak. You can view the Crescendo jailbreak technique coined by Mark Russinovich, Ahmed Salem and Ronen Eldan here:

https://crescendo-the-multiturn-jailbreak.github.io//

We start off by masquerading our attempts to render remote resources by asking Copilot to be a benevolent AI helping me with my frontend project.

Setting the context.
Context buildup.
More context buildup.

We shift the attention to a conversation about Angular.

We get instructions for setting up Angular.

Then we slowly coerce it to dive deeper into Angular code and ask it to preview generated Angular code, reminding Copilot of its duty as a benevolent assistant.

Great, Copilot is “happy to help” us preview our Angular frontend code. We also get instructions for previewing Angular frontend code.

All this starts off from a harmless angle, but we start observing styled text being directly injected. We are heading in the right direction!

With the preliminary setup done, we slowly descend into using different injection payloads in Angular, then slowly into pure JavaScript or primitive HTML like <img>.

An error in image fetching? Something smells fishy…

We seem to be able to directly inject the <img> tag now! Let’s attempt other attacks. Iframes do not seem to work here though.

Out of curiosity, iframes were also tested.

Finally, let’s obtain an image stored in the user’s SharePoint with the HTML injection. Voila!

Bingo, we successfully performed an HTML injection, forcing the <img> tag to be created within the conversation, rendering arbitrary images from the user’s SharePoint!

With this, in an assumed breach scenario with access to a Copilot instance of an employee, an authenticated adversary or insider can begin exfiltrating image files from SharePoint by brute forcing through potential image names that may contain sensitive corporate information. This impacts confidentiality, allowing us to exfiltrate data without having to directly visit SharePoint.

Let’s also try exfiltrating a jpg file from SharePoint.

Image credits: Jessica Brody (https://www.jessicabrody.com/2015/01/diotech-compound-blueprint-map-for-unchanged/)

Nice!

Note that in the PoC, the images were read from within the “Microsoft Copilot Chat Files” folder in SharePoint, but they could also be read when you traverse upwards to the “Documents” folder or even within the “Attachments” folder, where you can try exfiltrating juicy images from the user’s Outlook attachments!

The fix?

Based on conversations with Microsoft Security Response Center (MSRC), this was categorised as a low severity issue and no immediate servicing will be done.

However, on revisiting the same vulnerability, the image now fails to load, with a placeholder rendering in its place. MSRC clarifications on 12 March 2025 stated that “the fix was not dedicated for this issue, but rather encompassed in another fix.”

The exfiltration no longer works now.
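
One way a chat front end can get the placeholder behaviour described above is default-deny rendering of model output. This is an added example, not Microsoft's fix and not code from the write-up; the allowlisted host, the placeholder text, the function names and the sample URLs are all assumptions.

```javascript
// Added illustration: not Microsoft's fix and not code from the write-up.
// Assumption: only images from these hosts may render in the chat pane.
const ALLOWED_IMAGE_HOSTS = new Set(["res.cdn.example"]);
const PLACEHOLDER = "[image blocked]";

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape HTML metacharacters so text from the model is displayed, never parsed as markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Accept only absolute https URLs on an allowlisted host; malformed or relative URLs fail.
function isAllowedImage(src) {
  try {
    const url = new URL(src);
    return url.protocol === "https:" && ALLOWED_IMAGE_HOSTS.has(url.hostname);
  } catch {
    return false;
  }
}

// Pull the src value out of one <img ...> tag (quoted or unquoted), or null.
function imgSrc(tag) {
  const m = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Default-deny rendering: every tag is escaped except <img> from an allowlisted host,
// which is rebuilt with src only so attributes like onerror are dropped.
function renderModelOutput(text) {
  const blocked = [];
  const html = text.split(/(<img\b[^>]*>)/gi).map((part) => {
    if (!/^<img\b/i.test(part)) return escapeHtml(part);
    const src = imgSrc(part);
    if (src !== null && isAllowedImage(src)) return `<img src="${escapeHtml(src)}">`;
    blocked.push(src);
    return PLACEHOLDER;
  }).join("");
  return { html, blocked }; // blocked sources can be logged for detection
}

// Constructed sample of model output (file name from the write-up, hosts made up).
const SAMPLE =
  'Preview: <img src="https://tenant.sharepoint.example/Documents/nest10.svg">' +
  '<iframe src="https://tenant.sharepoint.example/"></iframe>' +
  '<img src="https://res.cdn.example/logo.png" onerror="x()">';
```

Calling `renderModelOutput(SAMPLE)` returns the sanitised HTML together with the list of blocked image sources, which can feed an alert on repeated requests for internal file URLs.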

Disclosure Timeline:

  • 17 Feb 2025: MSRC report submission, status set to “New”
  • 20 Feb 2025: Report status changed to “Review / Repro”
  • 3 March 2025: Follow up email with MSRC.
  • 8 March 2025: Report status changed from “Review / Repro” to “Closed”, issue categorised as LOW severity. Sent a clarification email to MSRC.
  • 12 March 2025: MSRC replied to clarification. Sent disclosure write-up for review to MSRC.
  • 22 March 2025: MSRC approved the disclosure write-up.

I would like to thank Joe from MSRC for assisting me throughout the vulnerability disclosure process. It was a fantastic learning experience and they were responsive to any queries and doubts I had along the way.
