Microsoft has identified a new kind of side-channel attack capable of exposing the topics of encrypted conversations with remote language models, even when protected by Transport Layer Security (TLS).
Dubbed a streaming inference attack, the method allows an observer with access to network traffic (such as an ISP, local network monitor, or malicious actor on public Wi-Fi) to infer what a user is talking about with an AI system. The discovery underscores the growing privacy stakes around AI-powered chatbots now woven into everything from customer service to legal and healthcare assistance.
Even with end-to-end encryption in place, network-level observers can learn more than we’d like to think, Microsoft said in a disclosure, adding that it worked with multiple vendors to mitigate the risk and verified that Microsoft-owned language model frameworks are protected.
What the Attack Does
The vulnerability exploits the size and timing of encrypted data packets during streaming-mode responses, the same mechanism that makes chatbots feel real-time. Because models generate text token by token, the resulting pattern of data packets creates a kind of digital fingerprint unique to each topic.
In tests, Microsoft researchers trained classifiers to tell the difference between sensitive and non-sensitive prompts based only on packet metadata. Even in scenarios that simulated surveillance of 10,000 encrypted conversations, the classifiers correctly identified topics like money laundering with up to 98% accuracy, without ever decrypting the traffic.
That means a well-positioned adversary could feasibly identify people discussing politically sensitive or restricted topics, such as protest movements, banned material, or journalism, even in supposedly secure channels.
Coordinated Industry Response
Following responsible disclosure, OpenAI, Microsoft, Mistral, and xAI have deployed countermeasures. These include injecting randomized “noise” (extra or obfuscated text chunks) into model outputs to mask telltale traffic patterns. Microsoft confirmed that such mitigations limit the attack’s effectiveness to levels no longer considered practical.
Both OpenAI’s “obfuscation” field and Mistral’s new “p” parameter are now live, helping conceal packet-size correlations in real-time chat streams.
Microsoft’s findings highlight how security must extend beyond encryption to cover timing, volume, and behavioral data. In the evolving landscape of AI communications, confidentiality isn’t just about what’s said, but how, when, and how often it’s transmitted.
The company has published proof-of-concept data and tools under the Whisper Leak repository to help further research.
Practical Weaponization
Michael Bell, Founder & CEO, at Suzu Labs, says: “What’s new is the scale and practical weaponization. The earlier research inferred token lengths, but Whisper Leak classifies entire conversation topics with 98%+ accuracy across production LLM services. Microsoft moved this from academic research to operational threat, showing passive adversaries can identify if you’re discussing sensitive topics without breaking encryption.”
He adds that security pros should pay attention because this isn’t patchable this time. It’s architectural, most providers haven’t implemented mitigations, and encrypted AI conversations are leaking topic metadata right now.
You can read Microsoft’s full technical report here.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.