A critical vulnerability in Microsoft 365 Copilot Enterprise Search, dubbed “SearchLeak” by researchers, allowed attackers to potentially exfiltrate sensitive user data, including emails and calendar details, with a single click. This discovery highlights a new attack vector chaining together existing web vulnerabilities with an AI-specific weakness.
Varonis Threat Labs researchers identified and chained three distinct bugs to create a one-click path for data exfiltration. The exploit leveraged a trusted Microsoft domain, making it exceptionally adept at bypassing conventional anti-phishing and URL filtering solutions. Microsoft has since mitigated the vulnerability on its backend, assuring customers that the threat is no longer active, though the initial CVSS scores varied between 6.5 and 7.5. Varonis presented a proof-of-concept demonstrating the flaw’s potential without reporting observed exploitation.
SearchLeak: A Chained Vulnerability in Microsoft 365 Copilot
The SearchLeak vulnerability is characterized as a command injection flaw that enables information exposure over a network. According to Varonis, the exploit combines an AI-specific weakness with two older web bugs, requiring a sequential link-based attack. The success of the chain relies on each link setting up the next stage of the attack.
The exploitation begins with the ‘q’ parameter within a Copilot Enterprise Search URL. This parameter is intended for natural language queries, but in this instance, Copilot interpreted whatever was entered as direct instructions rather than a simple search string. Varonis described this initial stage as “Parameter-to-Prompt injection.” An attacker could craft a malicious URL that instructed Copilot to perform specific actions, such as searching a user’s mailbox and embedding an email title directly into an image URL. The victim would only need to click this link for the process to initiate.
Following the prompt injection, the vulnerability exploits a race condition in how Copilot’s responses are rendered. Microsoft employs a security measure that wraps Copilot output within `` blocks to ensure the browser treats generated markup as plain text. However, the timing of this sanitization process proved problematic. The wrapping occurred after Copilot had finished generating its response, but the browser began rendering the data stream as it arrived. This meant an injected `` tag could initiate its request and fire off before the sanitizer could neutralize it. By the time the output was made safe, the malicious request had already been sent.
The final link in the chain addresses the Content Security Policy (CSP) of the targeted page, allowing the exfiltrated data to bypass its restrictions. While the CSP on m365.cloud.microsoft typically blocks images from arbitrary external domains, it specifically allowlists *.bing.com. The exploit capitalized on Bing's "Search by Image" endpoint, which accepts an image URL and retrieves it server-side for analysis. By directing this fetch request to an attacker-controlled server, with the stolen text encoded within the URL path, Bing inadvertently retrieved the data. Crucially, the browser's CSP restrictions did not apply because the request originated from Bing's infrastructure, effectively turning Bing into an exfiltration proxy and leveraging the CSP allowlist for concealment.
The combined effect is a seamless, one-click attack. A victim clicks the link, Copilot searches their data, and the query's output, such as an email subject, is embedded into a Bing image URL. As the browser streams the response, it makes a call to Bing, which in turn fetches the attacker's URL. The attacker can then examine their server logs to retrieve the exfiltrated information, often appearing as a request for a file like "/Your_Security_Code_847291/img.png."
Implications for Enterprise Security
The data accessible via Copilot Enterprise Search is extensive, mirroring the permissions of the signed-in user through Microsoft Graph. Attackers inheriting these permissions circumvent the need for direct login credentials. The most immediate risk involves time-sensitive data found in inboxes, such as one-time passcodes for multi-factor authentication (MFA) or password-reset links, which often remain valid for a short period. A script monitoring attacker logs could potentially intercept these codes and hijack accounts before any suspicion arises.
Beyond immediate authentication tokens, the vulnerability extends to other sensitive information. Calendar invites, meeting notes, and indexed files from SharePoint or OneDrive, which might contain proprietary data such as salary figures, earnings reports, or acquisition plans, are also at risk. This discovery marks the second time Varonis researchers have demonstrated this particular attack pattern. Varonis researcher Dolev Taler previously showcased a similar one-click technique in an earlier "Reprompt" attack against Copilot Personal, and its effectiveness against the purportedly more robust Enterprise Search underscored the seriousness of the flaw.
This exploitation method echoes aspects of "EchoLeak," a zero-click Copilot data-leak bug disclosed by Aim Security in 2025. While server-side request forgery (SSRF) and sanitizer race conditions are well-established vulnerability classes, the introduction of prompt injection significantly broadens their applicability to new AI-powered tools.
Microsoft has implemented backend mitigations for this specific SearchLeak vulnerability. As Copilot Enterprise is a managed service, tenant administrators cannot directly patch or reconfigure the affected components. Their primary recourse lies in heightened monitoring and containment strategies. Organizations should scrutinize Copilot Search URLs for embedded encoded payloads or HTML within the 'q' parameter, and monitor for unusual outbound requests directed at Bing's image endpoints. Additionally, tightening data access governance to limit the scope of information indexed by Copilot can effectively reduce the potential impact of any future data exfiltration incidents.