Zero-Click Leak by Picture
An inbox summary quietly ships a secret to an attacker's server
Technique first revealed 29 Mar 2023
Tool-Using Agent
Diagram legend: Instructions, Data, Actions, Control / decision, Feedback / logs
Setup (Step 1 / 6)
The assistant can read your mail
A company gives every employee an AI assistant that can read their email and documents so it can help draft replies and answer questions. That access is the whole point, and also the prize an attacker wants to reach.
Agent permission scopes (config)
agent_identity: copilot-user-delegate
scopes:
  - mail.read      # full inbox, incl. attacker-sent mail
  - files.read     # docs, incl. secrets in context
  - chat.compose   # may emit markdown to the client UI
output_render:
  markdown: enabled
  images: AUTO-FETCH   # <-- the channel that matters
  link_allowlist: (none)