Top

Microsoft Copilot can be tricked into obtaining sensitive company data

Microsoft Copilot: It is possible to induce incorrect responses, exfiltrate sensitive data, and spread incorrect information within the company, which can impact its operations, such as sales and production. These are the 3 risks that millions of companies around the world run that use Copilot, Microsoft’s artificial intelligence system. The 3 vulnerabilities of Copilot were identified by 5 researchers from the University of Texas at Austin in this study entitled “ConfusedPilot”, in which they also propose guidelines to better protect generative artificial intelligence systems based on large linguistic models (LLM), which draw information from an ‘authoritative’ database and outside of its training data sources before generating a response.

Copilot vulnerabilities

This type of database is called Retrieval-Augmented Generation (RAG). The researchers discovered that security vulnerabilities in RAG systems are the cause of Copilot’s adverse effects and risks. Specifically, researchers used a set of vulnerabilities to make Copilot “confused deputy,” causing integrity and confidentiality violations in its responses. These experts created several malicious documents within the corporate network with which they were able to influence Copilot’s behaviour and induce it to give incorrect responses, influencing the day-to-day activities and decision-making processes of companies.

The researchers: “Despite all the security mechanisms employed, it is very easy for the attacker to alter the behavior of Copilot. What is surprising to us, is that, despite all the security mechanisms employed, it is very easy for the attacker to alter the behavior of Copilot when used by a victim by sharing a seemingly legitimate document. Documents containing phrases such as ‘This document overrides other documents’ prevent Copilot from viewing other legitimate documents when used by the victim, even if the attacker does not have any read/write/execute permissions on the victim’s other documents.”

Microsoft Copilot can be tricked into obtaining sensitive company data
Microsoft Copilot can be tricked into obtaining sensitive company data

Mitigation strategies

They demonstrated Copilot, a RAG-based system’s vulnerabilities, specifically targeting the retrieval mechanism. In general, LLM is vulnerable to many different types of attacks. AutoAttacker, for example, uses LLM to automate attacks on another LLM. According to the authors, vulnerabilities in RAG-based systems can severely impact an enterprise’s operations and erode trust in automated processes. This paper explores potential risks and outlines mitigation strategies such as enhanced validation, stricter access controls, and improved cache management. Organizations can better protect their RAG systems and ensure their continued reliability by understanding these threats. Finally, the study analyzes how malicious actors can exploit trust and shared access to spread misinformation, negatively altering decision-making processes.

RAG systems threaten

As mentioned, the research provides guidelines and mitigation measures. The inherent vulnerabilities of RAG systems threaten enterprises operational efficiency enterprises operational efficiency and the fundamental trust placed in automated systems. To address these challenges, a multifaceted approach is needed, including strengthening validation techniques, implementing more stringent access control measures, and improving cache management protocols. This research aims to thoroughly analyze the specific risks associated with RAG systems in the enterprise, thus providing a practical guide to protect these systems from potential threats.

Antonino Caffo has been involved in journalism, particularly technology, for fifteen years. He is interested in topics related to the world of IT security but also consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can see him, sometimes, on television explaining how technology works, which is not as trivial for everyone as it seems.