From 5b03e4e6cd2cc3aaf37bb45e6172a5acb0757708 Mon Sep 17 00:00:00 2001 From: wunderwuzzi23 <35349594+wunderwuzzi23@users.noreply.github.com> Date: Thu, 2 Jan 2025 16:25:12 -0800 Subject: [PATCH] fixes --- ...t-image-generation-without-authentication.md | 17 ++++++++--------- docs/index.xml | 2 +- .../index.html | 14 +++++++------- docs/posts/index.xml | 2 +- docs/tags/ai-injections/index.xml | 2 +- docs/tags/aiml/index.xml | 2 +- docs/tags/machine-learning/index.xml | 2 +- docs/tags/threats/index.xml | 2 +- 8 files changed, 21 insertions(+), 22 deletions(-) diff --git a/content/posts/2025/m365-copilot-image-generation-without-authentication.md b/content/posts/2025/m365-copilot-image-generation-without-authentication.md index 6c4ed893..154c1a58 100644 --- a/content/posts/2025/m365-copilot-image-generation-without-authentication.md +++ b/content/posts/2025/m365-copilot-image-generation-without-authentication.md 
@@ -18,7 +18,7 @@ twitter: I regularly look at how the system prompts of chatbots change over time. Updates frequently highlight new features being added, design changes that occur and potential areas that might benefit from more security scrutiny. -A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one `enterprise_search` tool in the past. You might remember that tool being used during the [Copirate ASCII Smuggling exploit](https://embracethered.com/blog/posts/2024/m365-copilot-prompt-injection-tool-invocation-and-data-exfil-using-ascii-smuggling/) and using it to search for MFA codes in the user's inbox. +A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one `enterprise_search` tool in the past. You might remember that tool was used during the [Copirate ASCII Smuggling exploit](https://embracethered.com/blog/posts/2024/m365-copilot-prompt-injection-tool-invocation-and-data-exfil-using-ascii-smuggling/) to search for MFA codes in the user's inbox. ### Dumping the System Prompt 
@@ -30,13 +30,13 @@ It's not visible in the above screenshot, but Copilot actually started printing #### Oops, was this my outer voice!?! -It's not uncommon that companies put output filters in place that monitor for certain words or phrases and overwrite responses. This is happening because the responses are streamed, which makes output filtering more challenging, and often visible to the user. +It's not uncommon that companies put output filters in place that monitor for certain words or phrases and overwrite responses. This is happening because the **responses are streamed**, which makes output filtering challenging, and often visible to the user. #### Simple Trick to Help With System Prompt Extraction -Also, one thing I like doing is to give the Chatbot a hint on where to start. It's usually quite easy to figure out how the system prompt starts, like "You are ChatGPT", "I am Microsoft 365 Copilot",... you get the idea. Once we know that we can very easily trigger the system prompt extractions. +Also, one thing I like doing is to give the chatbot a hint on where to start. It's usually quite easy to figure out how the system prompt starts, like "You are ChatGPT", "I am Microsoft 365 Copilot",... you get the idea. Once we know that, we can easily trigger the system prompt extractions. -**There are usually two tricks I use to bypass that:** +**There are usually two tricks I commonly try:** #### 1. Ask the chatbot to return the system prompt in German (rather than English) 
@@ -48,7 +48,7 @@ This is how it looks in action: This usually works quite well. -#### 2. Ask the chatbot to return the system prompt as xml +#### 2. Ask the chatbot to return the system prompt as xml This trick makes sure that the chatbot only returns a few words of the prompt at a time, evading filters that look for full sentences of the system prompt, etc. [![Refuse system prompt leak](/blog/images/2024/copilot-m365-dump-system-prompt-xml.png)](/blog/images/2024/copilot-m365-dump-system-prompt-xml.png) @@ -59,7 +59,7 @@ In the case of M365 Copilot both continue to work well. ### Renamed And New M365 Copilot Tools -With the update to the system prompt sometime in September quite a few changes were introduced. The interesting part was of the system prompt was that it seems Microsoft created many specific `search_enterprise_*` tools: +With the system prompt updates sometime in September, quite a few changes were introduced. The interesting part was that Microsoft created many `search_enterprise_*` tools: * `designer_graphic_art` * `search_enterprise_chat` @@ -67,12 +67,11 @@ With the update to the system prompt sometime in September quite a few changes w * `search_enterprise_files` * `search_enterprise_meetings` -Quite interesting how the system prompts are changed ofter time, sometimes quite significantly. +Quite interesting how the system prompts are changed over time, sometimes quite significantly. [![New Tools](/blog/images/2024/copilot-m365-new-tools.png)](/blog/images/2024/copilot-m365-new-tools.png) - -The one tool that stood out to me was the `designer_graphic_art`, because so far, the M365 Enterprise Chat experience (BizChat) did not have an image generation capability. +The tool that stood out to me was `designer_graphic_art`, because so far, the M365 Enterprise Chat experience (BizChat) did not have image generation capabilities. ### Graphic Designer Image Generation diff --git a/docs/index.xml b/docs/index.xml index d9ac18ed..1dbc7a7c 100644 
--- a/docs/index.xml +++ b/docs/index.xml @@ -15,7 +15,7 @@ https://embracethered.com/blog/posts/2025/m365-copilot-image-generation-without-authentication/ I regularly look at how the system prompts of chatbots change over time. Updates frequently highlight new features being added, design changes that occur and potential areas that might benefit from more security scrutiny. -A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool being used during the Copirate ASCII Smuggling exploit and using it to search for MFA codes in the user&rsquo;s inbox. +A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool was used during the Copirate ASCII Smuggling exploit to search for MFA codes in the user&rsquo;s inbox. diff --git a/docs/posts/2025/m365-copilot-image-generation-without-authentication/index.html b/docs/posts/2025/m365-copilot-image-generation-without-authentication/index.html index 733e8a70..a0a503f3 100644 --- a/docs/posts/2025/m365-copilot-image-generation-without-authentication/index.html +++ b/docs/posts/2025/m365-copilot-image-generation-without-authentication/index.html @@ -137,16 +137,16 @@

Microsoft 365 Copilot Generated Images Accessible Witho

I regularly look at how the system prompts of chatbots change over time. Updates frequently highlight new features being added, design changes that occur and potential areas that might benefit from more security scrutiny.

-

A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool being used during the Copirate ASCII Smuggling exploit and using it to search for MFA codes in the user’s inbox.

+

A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool was used during the Copirate ASCII Smuggling exploit to search for MFA codes in the user’s inbox.

Dumping the System Prompt

Many chatbots have output filters in place that refuse to return the system prompt verbatim. Here is an example on how that might look like:

Refuse system prompt leak

It’s not visible in the above screenshot, but Copilot actually started printing the system prompt, but at one point it detected that it shouldn’t leak it and refused to continue and afterwards error message was shown instead.

Oops, was this my outer voice!?!

-

It’s not uncommon that companies put output filters in place that monitor for certain words or phrases and overwrite responses. This is happening because the responses are streamed, which makes output filtering more challenging, and often visible to the user.

+

It’s not uncommon that companies put output filters in place that monitor for certain words or phrases and overwrite responses. This is happening because the responses are streamed, which makes output filtering challenging, and often visible to the user.

Simple Trick to Help With System Prompt Extraction

-

Also, one thing I like doing is to give the Chatbot a hint on where to start. It’s usually quite easy to figure out how the system prompt starts, like “You are ChatGPT”, “I am Microsoft 365 Copilot”,… you get the idea. Once we know that we can very easily trigger the system prompt extractions.

-

There are usually two tricks I use to bypass that:

+

Also, one thing I like doing is to give the chatbot a hint on where to start. It’s usually quite easy to figure out how the system prompt starts, like “You are ChatGPT”, “I am Microsoft 365 Copilot”,… you get the idea. Once we know that, we can easily trigger the system prompt extractions.

+

There are usually two tricks I commonly try:

1. Ask the chatbot to return the system prompt in German (rather than English)

System prompt leak German

This is how it looks in action:

@@ -158,7 +158,7 @@

2. Ask the chatbot

And funny enough I typically copy/paste the xml output and put it into ChatGPT and ask it to remove the xml tags and convert it into a nicely formatted system prompt. If you are curious how the result from ChatGPT looked like, you can find it here.

In the case of M365 Copilot both continue to work well.

Renamed And New M365 Copilot Tools

-

With the update to the system prompt sometime in September quite a few changes were introduced. The interesting part was of the system prompt was that it seems Microsoft created many specific search_enterprise_* tools:

+

With the system prompt updates sometime in September, quite a few changes were introduced. The interesting part was that Microsoft created many search_enterprise_* tools:

  • designer_graphic_art
  • search_enterprise_chat
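Review bot: the rewritten sentence in this hunk, "The interesting part was that Microsoft created many search_enterprise_* tools:", introduces a list whose first entry is designer_graphic_art, which does not match that name pattern and is the tool the rest of the post is about. Suggest "created several new tools, most of them named search_enterprise_*:", or move designer_graphic_art out of the list and introduce it on its own, so the list matches its lead-in.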
  • @@ -166,9 +166,9 @@

    Renamed And New M365 Copilot Toolssearch_enterprise_files
  • search_enterprise_meetings
-

Quite interesting how the system prompts are changed ofter time, sometimes quite significantly.

+

Quite interesting how the system prompts are changed over time, sometimes quite significantly.

New Tools

-

The one tool that stood out to me was the designer_graphic_art, because so far, the M365 Enterprise Chat experience (BizChat) did not have an image generation capability.

+

The tool that stood out to me was designer_graphic_art, because so far, the M365 Enterprise Chat experience (BizChat) did not have image generation capabilities.

Graphic Designer Image Generation

In retrospect it’s unclear when exactly this was introduced. I might have observed it a few days before the official announcement even, but I noticed right away that it seemed to use the Bing “consumer” image generation domain ending in live.com.

It was designerapp.officeapps.live.com.

diff --git a/docs/posts/index.xml b/docs/posts/index.xml index aa052b6c..1e68d1d4 100644 --- a/docs/posts/index.xml +++ b/docs/posts/index.xml @@ -15,7 +15,7 @@ https://embracethered.com/blog/posts/2025/m365-copilot-image-generation-without-authentication/ I regularly look at how the system prompts of chatbots change over time. Updates frequently highlight new features being added, design changes that occur and potential areas that might benefit from more security scrutiny. -A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool being used during the Copirate ASCII Smuggling exploit and using it to search for MFA codes in the user&rsquo;s inbox. +A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool was used during the Copirate ASCII Smuggling exploit to search for MFA codes in the user&rsquo;s inbox. diff --git a/docs/tags/ai-injections/index.xml b/docs/tags/ai-injections/index.xml index e0018449..39ff704f 100644 --- a/docs/tags/ai-injections/index.xml +++ b/docs/tags/ai-injections/index.xml 
@@ -15,7 +15,7 @@ https://embracethered.com/blog/posts/2025/m365-copilot-image-generation-without-authentication/ I regularly look at how the system prompts of chatbots change over time. Updates frequently highlight new features being added, design changes that occur and potential areas that might benefit from more security scrutiny. -A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool being used during the Copirate ASCII Smuggling exploit and using it to search for MFA codes in the user&rsquo;s inbox. +A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool was used during the Copirate ASCII Smuggling exploit to search for MFA codes in the user&rsquo;s inbox. diff --git a/docs/tags/aiml/index.xml b/docs/tags/aiml/index.xml index 1ef7fdf6..3e614ec7 100644 --- a/docs/tags/aiml/index.xml +++ b/docs/tags/aiml/index.xml 
@@ -15,7 +15,7 @@ https://embracethered.com/blog/posts/2025/m365-copilot-image-generation-without-authentication/ I regularly look at how the system prompts of chatbots change over time. Updates frequently highlight new features being added, design changes that occur and potential areas that might benefit from more security scrutiny. -A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool being used during the Copirate ASCII Smuggling exploit and using it to search for MFA codes in the user&rsquo;s inbox. +A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool was used during the Copirate ASCII Smuggling exploit to search for MFA codes in the user&rsquo;s inbox. diff --git a/docs/tags/machine-learning/index.xml b/docs/tags/machine-learning/index.xml index c600efdd..e84abe86 100644 --- a/docs/tags/machine-learning/index.xml +++ b/docs/tags/machine-learning/index.xml 
@@ -15,7 +15,7 @@ https://embracethered.com/blog/posts/2025/m365-copilot-image-generation-without-authentication/ I regularly look at how the system prompts of chatbots change over time. Updates frequently highlight new features being added, design changes that occur and potential areas that might benefit from more security scrutiny. -A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool being used during the Copirate ASCII Smuggling exploit and using it to search for MFA codes in the user&rsquo;s inbox. +A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool was used during the Copirate ASCII Smuggling exploit to search for MFA codes in the user&rsquo;s inbox. diff --git a/docs/tags/threats/index.xml b/docs/tags/threats/index.xml index 3c415622..e91600a4 100644 --- a/docs/tags/threats/index.xml +++ b/docs/tags/threats/index.xml 
@@ -15,7 +15,7 @@ https://embracethered.com/blog/posts/2025/m365-copilot-image-generation-without-authentication/ I regularly look at how the system prompts of chatbots change over time. Updates frequently highlight new features being added, design changes that occur and potential areas that might benefit from more security scrutiny. -A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool being used during the Copirate ASCII Smuggling exploit and using it to search for MFA codes in the user&rsquo;s inbox. +A few months back I noticed an interesting update to the M365 Copilot (BizChat) system prompt. In particular, there used to be one enterprise_search tool in the past. You might remember that tool was used during the Copirate ASCII Smuggling exploit to search for MFA codes in the user&rsquo;s inbox.
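Review bot: hunk @@ -18 of content/posts/2025/m365-copilot-image-generation-without-authentication.md keeps a redundancy the rewrite does not touch: "there used to be one `enterprise_search` tool in the past" says "used to be" and "in the past" for the same thing; suggest "there used to be a single `enterprise_search` tool". Since the opening paragraphs of the post are also emitted into docs/index.xml, docs/posts/index.xml and the four docs/tags/*/index.xml feeds (each carrying the identical one-line change here), any further wording fix has to be regenerated into all six copies plus the rendered index.html, as this commit does.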