SearchLeak attack turns Copilot Enterprise into an insider threat - Computing UK

SearchLeak attack turns Copilot Enterprise into an insider threat Varonis researchers demonstrate how your friendly AI assistant can be tricked into giving away your secrets John Leonard 16 June 2026 • 3 min read SHARE Researchers at security firm Varonis have demonstrated a proof-of-concept attack on Microsoft 365 that uses Copilot Enterprise Search as an unwitting insider to potentially steal sensitive information from emails, OneDrive or SharePoint. The vulnerability, which they have named SearchLeak, chains together three separate types of bug. What makes it so potentially dangerous is that the entire chain is triggered by a single click on a legitimate-looking Microsoft link. No authentication bypass, privilege escalation or malware is required. At the root of the issue is the way that Copilot Enterprise Search treats URLs. It will blindly execute instructions hidden in the query string as prompts. Copilot Enterprise Search has access to the user’s data across the M365 ecosystem, including emails and storage, and can be prompted to return any relevant content it finds. Parameter-to-prompt injection is a known issue, and Microsoft has guardrails in place to prevent it. However, by inducing an HTML race condition - the second link in the chain - the researchers were able to force Copilot to act on the malicious prompt before the output sanitisation mechanisms kicked in, embedding the output from the malicious prompt in <img> tags. The third link in the chain, server-side request forgery (SSRF), relies on the default permissions granted to the Bing search engine. Bing fetches the supposed image (which in reality contains the returned data) and retrieves it from an attacker-controlled server, effectively acting as a proxy. "The result: a victim in a Copilot Enterprise tenant clicks a link → Copilot searches their mailbox, calendar, and indexed organisational content → the data ends up on the attacker's server," Varonis researchers explain in a blog post. "No plugins, no special permissions, no second click. The link is to a trusted domain (microsoft.com), so traditional anti-phishing and URL protection tools don’t block or filter it." Induced HTML race conditions and SSRF are familiar classes of vulnerability, the researchers note, but parameter-to-prompt (P2P) injection allows them to be chained together in new ways. "That's the AI-native piece. It's the new attack surface that makes the classic bugs exploitable in a way they wouldn't be otherwise." They continue: "Without P2P, you can't get attacker-controlled HTML into the response. Without the race condition, the HTML gets neutralised. Without the SSRF, the CSP [content security policy] blocks the exfiltration. Each link in the chain is necessary, and the AI component is what ties them together." Microsoft has now fixed the vulnerability server-side, meaning there is nothing users need to do. However, security teams are advised to monitor for suspicious Copilot Search URLs and revisit allowlists to reduce the risk of abuse for data exfiltration. Users should also be wary of clicking on long Microsoft 365 URLs with encoded parameters.