Skip to content

[AVE] New class: rendered-content-autofetch-exfiltration (runtime layer) #35

Description

@chaksaray

Before you open this issue

  • I have searched the registry at ave.bawbel.io and the records/ directory
  • This is a genuinely distinct behavioral class, not a variant of an existing record
  • I have a citable primary source (CVE, paper, disclosure, or working PoC)

Behavioral fingerprint

An agent's own generated response embeds a plain, unobfuscated markdown/rich-content reference (e.g. an image URL) carrying sensitive data in its URL; the client's rendering layer automatically fetches that URL to display the content, causing an outbound request that exfiltrates the embedded data with zero further user interaction and no separate tool call.

Why this is a new class, not a variant

This is the closest call of the candidates in this research batch — flagging the adjacency explicitly rather than asserting a clean answer.

Checked against AVE-2026-00026 (Data Exfiltration - Output Encoding): exfiltration through a tool call parameter. Checked against AVE-2026-00039 (Data Exfiltration - Covert Channel): steganographic hiding of data in visible output text (first-letter encoding, whitespace, timing) for a receiving party to later decode.

This candidate's mechanism needs neither a tool call nor obfuscation: the data doesn't need to be hidden at all, because the exfiltration channel is the client's own automatic rendering behavior, not a technique the attacker has to smuggle past a filter. "The answer itself is the beacon, and the renderer sends it for free." I believe this clears the deletion test (folding it into 00026/00039 would lose the distinction that no tool call or encoding step is required), but this is the one candidate where I'd want the human review pass to double-check my reasoning before committing to a new ave_id.

Primary source

  • NVD CVE-2025-32711 — "EchoLeak", Microsoft 365 Copilot, CWE-74. CVSS 7.5 (NIST assessment) / 9.3 (Microsoft CNA assessment) — presenting both scores rather than cherry-picking; the discrepancy reflects differing scope evaluations. A single crafted email implants hidden instructions; when Copilot answers an unrelated sensitive query later, it embeds a markdown image pointing at an attacker URL that the client auto-fetches, leaking the answer content with zero user clicks.
  • arXiv 2509.10540 — "EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System", peer-reviewed (also published via AAAI Symposium Series, ojs.aaai.org). Documents the exploit bypassing Microsoft's XPIA classifier, evading link redaction via reference-style markdown, and abusing a Teams proxy permitted by CSP.
  • Disclosed by Aim Security researchers, June 2025; Microsoft patched server-side before public disclosure, no evidence of in-the-wild exploitation confirmed by Microsoft.

Proposed record skeleton

attack_class:        Data Exfiltration - Rendered Content Auto-Fetch  (naming open to discussion —
                      "zero-click" and "markdown/rich-media beacon" are candidate alternate names)
severity:             CRITICAL per Microsoft's own CNA assessment (9.3) / HIGH per NIST (7.5) —
                      recommend the record honestly reflect both rather than picking one
owasp_mcp:            [MCP10, MCP08]   (MCP10 = Context Injection and Over-sharing — matches the
                      mechanism, injected content over-shared via auto-render; MCP08 = Lack of
                      Audit and Telemetry, secondary, since zero-click exfil leaves minimal trace).
                      Note this differs from AVE-2026-00026/00039's primary MCP01 (Token
                      Mismanagement) since this class isn't about token/credential handling
                      specifically, it's generic data exposure via rendering.
owasp_asi:            (none proposed — TBD during implementation)
mitre_atlas:          none checked as a precise fit — general prompt-injection family IDs are
                      already used elsewhere in the corpus, but none specifically describes the
                      render-triggered auto-fetch mechanism
detection_layer:      runtime   (the exfiltration only manifests when the agent's response is
                      actually rendered by the client; can't be caught by static scan of a
                      skill/prompt file since the beacon is typically assembled dynamically as part
                      of the LLM's own generated answer)
detection_stage:      runtime_observed
evidence_basis_engines: [pattern, llm, sandbox]

Real-world evidence

CVE-2025-32711, a real, disclosed, patched zero-click vulnerability in a production system (M365 Copilot) with a dedicated peer-reviewed paper. Pushes THM toward 1.0 in AIVSS scoring.

Indicators of compromise

  • Agent-generated response contains a markdown image or link reference whose URL includes a query parameter carrying content sourced from the conversation/context, rather than a static or previously-known asset URL
  • Outbound HTTP request observed immediately after response rendering, to a domain not previously referenced anywhere in the conversation or tool results
  • Response markdown uses reference-style link/image syntax in a way that evades simple substring link-redaction filters

Researcher

Bawbel Security Research Team (research-new-attack-classes skill run, 2026-07-10)

Metadata

Metadata

Assignees

No one assigned

    Labels

    ave-recordAdding or modifying an AVE recordnew-classGenuinely new behavioral class, not a variantresearch-sourcedTraced to a citable primary source via research-new-attack-classes

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions