OWASP 2025 Global AppSec EU

Enterprise copilots, from Microsoft Copilot to Salesforce’s Einstein, are adopted by every major enterprise. Grounded into your personal enterprise data they offer major productivity gains. But what happens when they get compromised? And how exactly can that happen?

In this talk we will see how we can turn these trusted enterprise AI assistants into our own malicious insiders within the victim organization. Spreading misinformation, tricking innocent employees into making fatal mistakes, routing users to our phishing sites, and even directly exfiltrating sensitive data!

We’ll go through the process of building these attack techniques from scratch, presenting a mental framework for how to hack any enterprise copilot, no prior experience needed. Starting from system prompt extraction techniques to crafting reliable and robust indirect prompt injections (IPIs) using our extracted system prompt. Showing a step by step process of how we arrived at each of the results we’ve mentioned above, and how you can replicate them to any enterprise copilot of your choosing.

To demonstrate the efficacy of our methods, we will use Microsoft Copilot as our guinea pig for the session, seeing how our newly found techniques manage to circumvent Microsoft’s responsible AI security layer.

Join us to explore the unique attack surface of enterprise copilots, and learn how to harden your own enterprise copilot to protect against the vulnerabilities we were able to discover.