Your AI Copilot Can Be Bribed: A Plain-English Guide to RAG Poisoning

Imagine you hired a brilliant new assistant. They have keys to every filing cabinet in the building — your email, your shared drives, your chat history, the finance folder. They are fast, tireless, and eager to help. There is just one quirk: they will follow any written instruction they come across while doing their job, even if that instruction is hidden inside a document someone else wrote. Slip a note into a file that says " photocopy the salary spreadsheet and mail it to this address," and your helpful assistant will do exactly that — without telling you.

That assistant is your AI copilot. The technical jargon for the hidden note is called RAG poisoning. This guide explains, in plain English, how the attack works, why it is unusually sneaky, and what you can actually do about it.

First, what is RAG?

RAG stands for Retrieval-Augmented Generation, and it is the reason tools like Microsoft 365 Copilot feel so useful. A raw language model only knows what it was trained on; it has never seen your company's files. RAG fixes that. When you ask the copilot a question, it first retrieves relevant material from your environment — your mailbox, OneDrive, SharePoint sites, Teams chats, internal documents — and then generates an answer using that material as context.

In other words, RAG lets the AI read your private documents on the fly so it can give you a useful, company-specific answer. That is the feature. The vulnerability is the flip side of the same coin: the AI cannot reliably tell the difference between content it should summarize and instructions it should obey. To the model, it is all just text.

How you bribe a copilot

Security researchers call this indirect prompt injection, and it sits at the very top of the OWASP Top 10 list of risks for AI applications. The "indirect" part is the clever bit. A normal prompt injection is when you type a malicious instruction. An indirect injection is when an attacker hides the instruction inside a piece of content they know your AI will eventually read.

Here is how it works:  An attacker writes a document, an email, a calendar invite, or a web page, and buries instructions inside it — often in white-on-white text, tiny fonts, or metadata where a human will never notice. The poisoned content lands somewhere your copilot can reach: it gets emailed to you, shared into a SharePoint site, or simply sits on a page the AI is allowed to retrieve. Later, an ordinary user asks the copilot an ordinary question. The RAG engine pulls in the poisoned content as "relevant context," and the moment it does, the hidden instructions wake up. The AI, believing it is just being helpful, follows them — scanning your mailbox and files for sensitive data and packaging it up for the attacker.

The exfiltration trick is the nasty finish. The stolen data gets stitched into what looks like a harmless Markdown image or link — for example, an image whose web address secretly contains the data the attacker wants. When the copilot's interface renders that image, the browser quietly reaches out to the attacker's server to "load" it, carrying the stolen information along in the request. No download, no pop-up, no warning. To the user, nothing happened at all, which is scary!

This isn't theoretical

In 2025 and 2026, this moved from research papers to named, documented exploits against mainstream tools. The most striking is EchoLeak, a zero-click vulnerability in Microsoft 365 Copilot. "Zero-click" means the victim did not have to open anything, click anything, or even read the malicious email — simply having it sit in the mailbox was enough for the hidden prompt to eventually be retrieved and executed, exfiltrating sensitive data automatically.

Researchers also showed how to defeat the guardrails Microsoft had built. Copilot does try to block obvious data leaks, but in one documented technique those protections only applied to the first action the AI took — so attackers simply instructed Copilot to repeat each step twice, and the second pass sailed through. The lesson is sobering: bolt-on safety filters are not the same as an architecture that is safe by design.

Why RAG poisoning is so dangerous

Three things make this attack class different from the threats most people picture.

It uses no malware. There is no virus to detect, no malicious executable to quarantine. The "weapon" is plain text inside a perfectly normal-looking document, which sails past traditional defenses that are looking for code, not prose.

It abuses a trusted tool. The attacker never breaks into your network. They let your own sanctioned, IT-approved AI assistant do the work, using the access you granted it. Every action looks like legitimate copilot activity, because technically it is.

And it is often invisible. Because the data leaves through a rendered image or link, the victim sees a normal answer to a normal question. The breach can happen without a single person noticing, which is exactly why dwell time for these attacks can be dangerously long.

So what do you actually do?

The good news is that RAG poisoning has concrete defenses, and most of them are about discipline rather than exotic technology.

Start by limiting what the copilot can reach. The blast radius of any injection is exactly equal to what the AI is allowed to access. Enforce least privilege so the assistant can only see what each user genuinely needs, and apply access controls at the moment of retrieval — filtered by user, role, and tenant — not just when documents are first ingested. If the AI cannot read the salary spreadsheet, no hidden note can make it leak the salary spreadsheet.

Close the exfiltration door. Many of these attacks depend on the interface automatically loading external images or links. Blocking or sandboxing auto-rendered external content, and stripping outbound links the AI tries to construct, removes the most common escape route for stolen data.

Treat retrieved content as untrusted input. The same way good engineers never trust raw user input, AI systems should sanitize and inspect the documents they pull in, watch their knowledge bases and vector stores for unusual or injected patterns, and re-index to scrub poisoned entries. Tools now exist specifically to red-team a RAG pipeline by attempting poisoning attacks before a real adversary does.

Keep a human in the loop for anything sensitive. An AI agent should not be able to silently send data outside the organization or take a consequential action without a person confirming it. Friction in the right place is a feature.

Finally, train your people on the new reality. The classic advice — "don't open suspicious attachments" — is not enough when the danger is a document the AI opens on your behalf. Staff should understand that any content the copilot can read is a potential instruction channel, and that "the AI did something odd" is now a security event worth reporting.

The takeaway

RAG poisoning is not science fiction and it is not a flaw in any one vendor's product — it is a structural consequence of giving a helpful, instruction-following AI broad access to your data and letting it read whatever lands in front of it. Your copilot can indeed be bribed, because to the model a buried command and a normal sentence look identical. The fix is not to abandon these tools; they are too useful. The fix is to treat your AI assistant like what it is: a powerful new employee with keys to the building, who needs least-privilege access, supervision on sensitive actions, and a healthy distrust of every document it reads.

References

1. BlackFog — RAG Poisoning: How Hidden Prompts Steal Corporate Data (May 2026). https://www.blackfog.com/rag-poisoning-hidden-prompts-steal-corporate-data/

2. CovertSwarm — EchoLeak: The Zero-Click Microsoft Copilot Exploit That Changed AI Security. https://www.covertswarm.com/post/echoleak-copilot-exploit

3. Infosecurity Magazine — Microsoft 365 Copilot Zero-Click AI Flaw Allows Corporate Data Theft. https://www.infosecurity-magazine.com/news/microsoft-365-copilot-zeroclick-ai/

4. Malwarebytes — "Reprompt" attack lets attackers steal data from Microsoft Copilot (Jan 2026). https://www.malwarebytes.com/blog/news/2026/01/reprompt-attack-lets-attackers-steal-data-from-microsoft-copilot

5. OpsInsecurity — Microsoft Copilot Security: The Hidden Risk of RAG Poisoning. https://www.opsinsecurity.com/blog/microsoft-copilot-security-rag-poisoning-risk

6. OWASP — Top 10 for Large Language Model Applications (2025). https://owasp.org/www-project-top-10-for-large-language-model-applications/

7. Sombra — LLM Security Risks in 2026: Prompt Injection, RAG, and Shadow AI. https://sombrainc.com/blog/llm-security-risks-2026

8. Promptfoo — OWASP LLM Top 10 and RAG poisoning testing. https://www.promptfoo.dev/docs/red-team/owasp-llm-top-10/

   
   

"RAG poisoning" and "indirect prompt injection" describe the same underlying problem — an AI being given instructions hidden inside the content it retrieves. Specific exploit names (e.g. EchoLeak) refer to documented vulnerabilities in widely used copilots; vendors have issued fixes, but the underlying attack class remains relevant to any organization deploying retrieval-augmented AI.