Links and materials for Hacking Your Enterprise Copilot: A Direct Guide to Indirect Prompt Injections

This is a post with all of the links and additional materials for a talk at OWASP Global Appsec EU 2025 titled Hacking Your Enterprise Copilot: A Direct Gudie to Indirect Prompt Injections where we took a deep dive and demonstrated hands on how to hack Enterprise Copilots and craft indirect prompt injections.

Resources:

• Deck: Available here

• Talk: Living off Microsoft Copilot at BHUSA 2025

• Demo: Hijacking Microsoft Copilot for Financial Transaction Manipulation

• Demo: Hijacking Microsoft Copilot for Phishing

• Blog: A Look Inside Microsoft Copilot’s RAG System

• Blog: Stealing Copilot's System Prompt

• Blog: RAG Poisoning: All You Need is One Document

• Blog: Indirect Prompt Injection: Advanced Manipulation Technique

• Link: The GenAI Attack Matrix

• Link: OWASP Agentic Threats and Mitigations Guide

Talk Abstract:

Enterprise copilots, from Microsoft Copilot to Salesforce’s Einstein, are adopted by every major enterprise. Grounded into your personal enterprise data they offer major productivity gains. But what happens when they get compromised? And how exactly can that happen?

In this talk we will see how we can turn these trusted enterprise AI assistants into our own malicious insiders within the victim organization. Spreading misinformation, tricking innocent employees into making fatal mistakes, routing users to our phishing sites, and even directly exfiltrating sensitive data!

We’ll go through the process of building these attack techniques from scratch, presenting a mental framework for how to hack any enterprise copilot, no prior experience needed. Starting from system prompt extraction techniques to crafting reliable and robust indirect prompt injections (IPIs) using our extracted system prompt. Showing a step by step process of how we arrived at each of the results we’ve mentioned above, and how you can replicate them to any enterprise copilot of your choosing.

To demonstrate the efficacy of our methods, we will use Microsoft Copilot as our guinea pig for the session, seeing how our newly found techniques manage to circumvent Microsoft’s responsible AI security layer.

Join us to explore the unique attack surface of enterprise copilots, and learn how to harden your own enterprise copilot to protect against the vulnerabilities we were able to discover.