A now patched flaw in Microsoft 365 Copilot let attackers turn its diagram tool, Mermaid, into a data exfiltration channel–fetching and encoding emails through hidden instructions in Office documents.