Hacking Your Enterprise Copilot: A Direct Guide to Indirect Prompt Injections

In this talk we will see how we can turn these trusted enterprise AI assistants into our own malicious insiders within the victim organization: spreading misinformation, tricking innocent employees into making fatal mistakes, routing users to our phishing sites, and even directly exfiltrating sensitive data.

We’ll go through the process of building these attack techniques from scratch, presenting a mental framework for how to hack any enterprise copilot, no prior experience needed. We start with system prompt extraction techniques and move on to crafting reliable and robust indirect prompt injections (IPIs) using the extracted system prompt, showing step by step how we arrived at each of the results mentioned above and how you can replicate them against any enterprise copilot of your choosing.

To demonstrate the efficacy of our methods, we will use Microsoft Copilot as our guinea pig for the session, seeing how our newly found techniques manage to circumvent Microsoft’s responsible AI security layer.

Join us to explore the unique attack surface of enterprise copilots, and learn how to harden your own enterprise copilot to protect against the vulnerabilities we were able to discover.
