📧 Email and Productivity Copilot Security: Defending Against Indirect Injection Through Mail and Documents
Who this is for: Teams deploying email and productivity copilots — Microsoft 365 Copilot and Google Workspace/Gmail assistants, mail helpers, copilots that read a user's inbox, files, and calendar.
An email copilot differs from a chatbot in one property that overturns the threat model: it ingests content the attacker can supply on its own — your mailbox, shared files, calendar invites — and at the same time it can take actions: send mail, share files, create rules, schedule meetings. That is why the primary risk here is not direct injection from the user, but indirect injection arriving by mail: the attacker sends an email with a payload, the copilot reads it while answering an unrelated request, and executes the embedded instruction — without a single user click. The real-world precedent is EchoLeak (CVE-2025-32711, CVSS 9.3): the first zero-click exploit against an AI agent, in which an email forced Microsoft 365 Copilot to exfiltrate an organization's private data. When the goal is Copilot security and email-copilot defense, what you protect is the inbound channel (mail, documents, invites) and the copilot's outbound actions.
SYNTREX (the Spectorn defense layer) inspects the content the copilot ingests from mail and files for embedded instructions and exfiltration channels, governs outbound actions (send, share, rules), masks data leakage, and maintains an immutable decision log. SYNTREX runs as part of the Spectorn platform and also deploys standalone inside the customer's internal perimeter.
This page breaks down email-copilot risks in terms of the OWASP Top 10 for LLM Applications (2025) and MITRE ATLAS techniques — and shows which SYNTREX engines cover each vector.
🛑 Key Risks and How SYNTREX Closes Them
1. Indirect Injection Through Incoming Mail and Documents (Indirect Prompt Injection)
Risk: The attacker sends an email with a payload (or shares a document); the copilot reads it while answering an unrelated user request and follows the embedded instruction — with no user interaction ("the user does not need to open or click the malicious email"). This is the headline risk of email copilots and the delivery mechanism underlying EchoLeak: the malicious instruction arrives from a source the copilot trusts by default.
OWASP LLM01:2025 Prompt Injection, LLM06:2025 Excessive Agency · MITRE ATLAS AML.T0051 (LLM Prompt Injection, indirect path).
SYNTREX defense:
- Engines:
injection,dormant_payload,output_scanner. injectioninspects the email body and document content as untrusted input — embedded instructions and hidden/invisible characters are rejected before the copilot starts acting on them.dormant_payloaddetects delayed payloads designed to trigger on later processing;output_scannerintercepts the copilot's attempt to execute an embedded command.
2. Data Exfiltration Through the Copilot: EchoLeak and ASCII Smuggling (Data Exfiltration)
Risk: EchoLeak (CVE-2025-32711, fixed by Microsoft server-side) — the first zero-click exploit against an AI agent: a crafted email triggers an "LLM Scope Violation" in which untrusted external input forces Copilot to surface an organization's privileged data and leak it through an auto-loaded markdown image or link, bypassing classifiers and link redaction. A related technique is ASCII smuggling: invisible Unicode tags hide exfiltrated data inside an innocuous-looking hyperlink.
OWASP LLM02:2025 Sensitive Information Disclosure, LLM01:2025 Prompt Injection, LLM05:2025 Improper Output Handling · MITRE ATLAS AML.T0024 (Exfiltration via AI Inference API), AML.T0051 (LLM Prompt Injection — the trigger).
SYNTREX defense:
- Engines:
output_scanner,exfiltration,secret_scanner. output_scannerinspects the copilot's outgoing response for exfiltration channels — auto-loaded images, suspicious links, hidden ASCII-smuggling Unicode tags — and blocks them before delivery.exfiltrationcatches the "private data → external channel" pattern itself;secret_scanner(a non-disableable invariant) prevents secrets from leaving inside a link or attachment.
3. Abuse of Auto-Actions and Excessive Agency (Excessive Agency)
Risk: Embedded instructions force the copilot to use connected tools — send an email, forward a thread, share files, create a rule, schedule a meeting — turning excessive agency into attacker-controlled actions and lateral movement. The copilot acts on the user's behalf, so the email it sends looks legitimate.
OWASP LLM06:2025 Excessive Agency, LLM01:2025 Prompt Injection · MITRE ATLAS AML.T0051 (LLM Prompt Injection), AML.T0048 (External Harms).
SYNTREX defense:
- Engines:
goal_predictability,tool_abuse,capability_flow. goal_predictabilityis a behavioral heuristic engine: it flags multi-step goal-hijack patterns in the copilot's reasoning/commands (e.g. read-secret-then-send, recon-then-exploit); such a pattern is flagged before execution.tool_abusedetects a dangerous connected-tool call;capability_flowgoverns the flow of capabilities, preventing an embedded instruction from linking "reading an email" to "sending data out."
What SYNTREX honestly does NOT replace: least privilege for connected tools and human-in-the-loop for state-changing actions. Critical operations (mass mailing, external sharing) must require human confirmation at the copilot level itself. SYNTREX blocks the anomalous action, but it does not replace narrow tool scopes and user confirmation.
4. System-Prompt and Cross-User Data Leakage (System Prompt / Cross-User Leakage)
Risk: Crafted prompts coax the copilot's hidden system prompt/configuration out of it (which eases follow-on attacks) or surface another user's/tenant's data through a shared backend context. The canonical precedent of cross-workspace exfiltration is indirect injection in Slack AI (the ATLAS AML.CS0035 case).
OWASP LLM07:2025 System Prompt Leakage, LLM02:2025 Sensitive Information Disclosure · MITRE ATLAS AML.T0051 (LLM Prompt Injection), AML.T0024 (Exfiltration via AI Inference API).
SYNTREX defense:
- Engines:
output_scanner,injection,intent_revelation. injectiondetects attempts to coax out the system prompt;output_scannerinspects the response for prompt fragments and internal configuration and blocks them.intent_revelationflags requests whose real purpose is to disclose internal instructions or data beyond the current user.
5. Malicious Calendar Invites and Attachments as Injection Carriers (Injection Carriers)
Risk: The payload rides in the body of a meeting invite, in an .ics description, in an attached document, or in file metadata — content the copilot ingests when it summarizes "my day" or "this attachment." The mechanism is the same as in an email (risk #1), but the carrier is different — and it is precisely the calendar/attachments that are often overlooked compared to the email body.
OWASP LLM01:2025 Prompt Injection, LLM06:2025 Excessive Agency · MITRE ATLAS AML.T0051 (LLM Prompt Injection, indirect path).
SYNTREX defense:
- Engines:
injection,dormant_payload,output_scanner. injectioninspects invite bodies,.icsdescriptions, attachment contents, and file metadata as untrusted input — on par with the email body.dormant_payloaddetects payloads designed to trigger on summarization;output_scannerintercepts the attempt to act on an embedded instruction.
6. Retrieval of Over-Accessible Data Inside the Copilot (Over-Permissioned Retrieval)
Risk: Because the copilot inherits the user's (often too broad) tenant rights and applies no judgment, a "summarize the salary spreadsheet" request surfaces files the user can technically open but was never meant to see. This is the "over-sharing" familiar from RAG deployments, in the guise of a copilot.
OWASP LLM02:2025 Sensitive Information Disclosure, LLM08:2025 Vector and Embedding Weaknesses · MITRE ATLAS AML.T0024 (Exfiltration via AI Inference API).
SYNTREX defense:
- Engines/components:
pii,exfiltration, Decision Logger. piimasks sensitive fields in surfaced documents;exfiltrationflags the anomalous retrieval volume characteristic of "scooping" beyond one's role.- The Decision Logger records which files were surfaced in response to a query — the basis for investigating unauthorized access.
Responsibility boundary: eliminating over-sharing at the source (sensitivity labels, a rights review before deploying the copilot) is the job of your collaboration platform. SYNTREX masks leakage and provides audit, but it does not replace cleaning up access rights. The retrieval architecture is dissected by stage in RAG Application Security as a Surface.
🛠️ Recommended Configuration
A profile for an email/productivity copilot — inspecting ingested content, controlling auto-actions, and blocking exfiltration channels:
# syntrex.yaml — email/productivity copilot profile
version: "1.0"
mode: email_copilot
engines:
injection:
action: block # email body, documents, invites, .ics, metadata
inspect_retrieved_content: true
normalize_unicode: true # hidden instructions and ASCII smuggling
confidence_threshold: 0.80
dormant_payload:
action: flag # payloads that trigger on summarization
output_scanner:
action: block # auto-images, links, Unicode tags, prompt fragments
inspect_links: true
detect_unicode_smuggling: true
exfiltration:
action: block # private data → external channel (EchoLeak pattern)
confidence_threshold: 0.90
secret_scanner: always_on # secrets do not leave in a link/attachment
goal_predictability:
action: block # behavioral heuristic: multi-step attack-chains / goal hijack
tool_abuse:
action: block # dangerous connected-tool call
capability_flow:
action: block # "read an email" → "send out" linkage
intent_revelation:
action: flag
pii:
action: redact
mask_character: "*"
audit:
decision_logger: true # immutable decision chain (SHA-256/HMAC)
🚨 Correlation Rules (SOC)
The chains "injection in mail → exfiltration" and "injection → auto-action" are the key indicators of copilot compromise:
{
"name": "COPILOT_ECHOLEAK_EXFIL_CHAIN",
"description": "Injection in an incoming email/document, followed by private-data exfiltration via a link/image",
"condition": "sequence(injection[source='retrieved_content', confidence>0.7], output_scanner[match=true] OR exfiltration[confidence>0.8], 15s)",
"severity": "CRITICAL",
"playbook": "block_egress_and_alert_soc"
}
{
"name": "COPILOT_INJECTION_TO_AUTOACTION",
"description": "Injection in ingested content, followed by a copilot auto-action (send, share, rule)",
"condition": "sequence(injection[source='retrieved_content', confidence>0.7], goal_predictability[violation=true] OR tool_abuse[match=true], 20s)",
"severity": "CRITICAL",
"playbook": "block_action_and_require_human_approval"
}
❓ Frequently Asked Questions (FAQ)
Why is indirect injection through email the headline risk of an email copilot?
Because the copilot ingests incoming mail on its own while answering an unrelated request, and trusts it by default — all the attacker has to do is send an email; the user does not need to open or click it. This is how EchoLeak worked. SYNTREX inspects the email body and documents as untrusted input with the injection engine with Unicode normalization, while output_scanner and exfiltration intercept the attempt to leak data.
What is EchoLeak (CVE-2025-32711), and does SYNTREX close it?
EchoLeak is the first zero-click exploit against an AI agent: an email triggered a "scope violation," forcing Microsoft 365 Copilot to surface private data and leak it through an auto-loaded image/link. Microsoft fixed the specific vulnerability server-side. SYNTREX closes the class as a whole on the outgoing stream: output_scanner blocks auto-images, suspicious links, and Unicode smuggling, while exfiltration catches the offload pattern itself.
What is ASCII smuggling in the context of a copilot?
It is hiding exfiltrated data inside an innocuous-looking hyperlink using invisible Unicode tags: the user sees an ordinary link, with stolen data concealed within it. SYNTREX inspects the outgoing response with the output_scanner engine with Unicode-smuggling detection and normalizes hidden characters with the injection engine on input.
How do I keep the copilot from sending an email or sharing a file on the attacker's command?
An embedded instruction can force the copilot to use connected tools — sending, sharing, rule creation. SYNTREX heuristically flags multi-step goal-hijack patterns (goal_predictability), catches a dangerous tool call (tool_abuse), and breaks the "read an email → send out" linkage (capability_flow). But critical operations should additionally require human confirmation at the copilot level itself — SYNTREX does not replace that.
Can the copilot show another user's or another tenant's data?
Yes — through coaxing out the system prompt or through a shared backend context (the canonical precedent is indirect injection in Slack AI, the ATLAS AML.CS0035 case). SYNTREX detects attempts to coax out the prompt (injection), blocks its fragments in the response (output_scanner), and flags requests beyond the current user (intent_revelation).
Are calendar invites and attachments as dangerous as emails?
Yes, and they are often overlooked: the payload rides in the invite body, the .ics description, an attached document, or file metadata — the copilot ingests them when summarizing "my day" or "this attachment." SYNTREX inspects these carriers with the injection engine on par with the email body, while dormant_payload detects payloads designed to trigger on summarization.
What does SYNTREX NOT replace in an email copilot? Least privilege for connected tools, human-in-the-loop for state-changing actions, and the elimination of over-sharing at the source (sensitivity labels, a rights review before deployment). SYNTREX inspects ingested content, blocks exfiltration channels and anomalous actions, and provides audit — but narrow tool scopes, user confirmation, and cleaning up access rights remain on the platform side. The retrieval architecture is dissected by stage in RAG Application Security as a Surface.
📚 References
- OWASP Top 10 for LLM Applications (2025) — LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM05 Improper Output Handling, LLM06 Excessive Agency, LLM07 System Prompt Leakage, LLM08 Vector and Embedding Weaknesses.
- MITRE ATLAS — AML.T0051 (LLM Prompt Injection), AML.T0024 (Exfiltration via AI Inference API), AML.T0048 (External Harms), case AML.CS0035 (Data Exfiltration from Slack AI via Indirect Prompt Injection).
- EchoLeak (CVE-2025-32711) — Microsoft MSRC advisory — zero-click data leakage through Microsoft 365 Copilot (primary source).
- Inside CVE-2025-32711 (EchoLeak): Prompt Injection meets AI Exfiltration (HackTheBox) — technical breakdown of the LLM Scope Violation (citation).
- Microsoft Copilot: from Prompt Injection to Exfiltration via ASCII Smuggling (Embrace The Red) — hiding data in Unicode tags (citation).
- Data Exfiltration from Slack AI via Indirect Prompt Injection (ATLAS AML.CS0035) — cross-workspace exfiltration (citation).
- NIST AI Risk Management Framework (AI RMF 1.0) — risk management for productivity copilots.
Related material: OWASP Top 10 for LLM (2025) · RAG Application Security as a Surface · Autonomous AI Agent Security · MCP Server Security.