1. Introduction of the Zero-Click AI Vulnerability
- Shockingly Real Threat: It’s not science fiction but a real-world security incident. Microsoft Copilot faced the world’s first zero-click AI vulnerability, which can steal corporate data without users’ awareness, even through an ordinary email.
- How It Works: An attacker sends a seemingly normal office email (without links or attachments) that contains special prompt words. When an employee uses an AI tool (like Microsoft Copilot) to process this email, the tool can be triggered to execute malicious instructions secretly. For example, it can steal sensitive data such as financial reports, employee information, and business secrets.
2. Severity of the Vulnerability
- High-Risk Rating: Evaluated by the vulnerability scoring system, this vulnerability scores 9.3 out of 10, which is in the severe category.
- Zero-Click and Covert: Different from traditional cybersecurity threats that usually require users to take actions like clicking malicious links or running downloaded files, this zero-click vulnerability is more concealed and dangerous. Just processing a normal-looking email with Microsoft Copilot at a certain time may trigger the hidden malicious instructions.
3. Working Principle of the Vulnerability
- Upgrade of Prompt Injection Attack: Attackers send emails disguised as daily business content (such as human resources policies, financial reports, or employee training materials). These emails contain special prompt words. When employees use Microsoft Copilot to perform tasks like summarizing financial data, the tool automatically retrieves relevant documents and triggers the hidden malicious instructions. It is essentially an upgraded form of prompt word injection attack.
- Bypassing Security Defenses: This vulnerability successfully bypasses four security defenses. It avoids AI prompt injection attack recognition, link review mechanisms, and content security policies and can even use the browser’s automatic image-loading feature to leak data. Hackers can disguise URLs containing sensitive information as image links, and the browser will load these fake images automatically, sending data to the hackers’ servers.
4. Significance and the Need for New Strategies
- A New Category of Security Danger: This zero-click AI vulnerability represents a new type of security threat. External unverified content can gain control of the AI system without explicit user authorization and access and process internal sensitive data. Any intelligent agent based on RAG content that mixes insecure content with internal data may face similar attacks, indicating the failure of traditional security defenses.
- New Approaches for Protection: As AI technology develops, cybersecurity has entered a new stage, and traditional methods like firewalls and antivirus software are no longer sufficient. Intelligent and automated means are needed to combat these new threats. For example, some companies like “Three Zero” have invested heavily in developing security-oriented large models and intelligent agent frameworks. Their large-model security products specifically address the danger of large-model prompt injection attacks, and security intelligent agents can automatically detect and handle threats in real time, saving manpower costs.
5. Call for Discussion
The author poses a question to the readers, asking whether their organizations are prepared for AI-era network attacks and which tools and technologies they would choose to protect their data security, inviting comments.