If I understand it correctly, the user's prompt does not need to be related to the specific malicious email. It's enough that such an email was "indexed" by Copilot, and any prompt with a sensitive-info request could trigger the leak.
I think "zero-click" usually refers to the interaction with the malicious software or content itself, which in this case you don't have to interact with. I'd say the need to start an interaction with Copilot here could be compared to the need to log into your computer for a zero-click malware to become effective. Alternatively, not starting the Copilot interaction is similar to not opening your browser and thus being invulnerable to a zero-click vulnerability on a website. So calling this a zero-click in Copilot is appropriate, I think.
Yeah, that's my view also. Zero-click is about the general question of whether you can get exploited by just exercising a certain (on-by-default) feature.
Of course you need to use the feature in the first place, like summarizing an email, extracting content from a website, ...
However, this isn't the first zero-click exploit in an AI app. We have seen exploits like this in the LLM apps of basically all major AI apps over the last 2+ years (including Bing Chat, now called Copilot).
No, zero-click requires no interaction from the user. A hypothetical example: simply having a phone on a cellular network and being susceptible to baseband attacks. No interaction needed, just existing.
Agree with other comments here: no need for the user to engage with anything from the malicious email, only to continue using their account with some LLM interactions. The account is poisoned even for known-safe, self-initiated interactions.