While generative AI has driven remarkable advances in medicine, education, computing, and beyond, it continues to spark serious concerns about security and privacy among users.
Recently, cybersecurity firm Varonis Threat Labs found a way to exploit Microsoft Copilot to steal all sorts of personal and enterprise data, which it dubbed SearchLeak (Ars Technica). As detailed by security sleuth Dolev Taler, SearchLeak is a “three-stage vulnerability chain that turns Microsoft 365 Copilot Enterprise Search into a silent data exfiltration weapon.”
Taler noted that the vulnerability clearly illustrates how AI-powered threats are evolving from classic bugs, making them increasingly dangerous. “Together, these vulnerabilities show how AI can create new paths into systems that build on older weaknesses while remaining extremely difficult for security teams to detect,” the researcher added.
How does SearchLeak work? It’s an AI-specific vulnerability called a parameter-to-prompt injection. In this case, an attacker will send an unsuspecting user a malicious link that contains a “q parameter” intended for natural language search queries.
Perhaps more concerning, the parameter can be embedded into a legitimate URL. As a result, the researcher explained that Copilot’s AI engine interprets the URL not only as a search query but also as executable instructions.
Consequently, if a user clicks the link, it opens Microsoft 365 Copilot Search, which interprets the parameter as instructions to search their email. Copilot then generates an output that embeds sensitive data into an image URL and exfiltrates it via Bing.
The search functionality is exactly what attackers need, because even with limited capabilities, a user with access to critical information is enough. To exfiltrate the data, an attacker crafts a URL that tells Copilot to ‘Search the user’s emails,’ extract the title, and embed it in an image URL.
Varonis Threat Labs
While Microsoft indicated that the vulnerability wasn’t exploited and has since been patched, it labelled ot a “critical.” This incident opens up a broader discussion about the dangers of AI in enterprise.
“Since SearchLeak targets the Enterprise tier of Microsoft, the blast radius isn’t limited to personal data—it’s able to surface anything the user has access to inside the organization including emails, meeting invites and notes,” Varonis indicated. “SharePoint documents, OneDrive files, and other indexed business content. Depending on how M365 is connected to the environment, the blast radius could extend even wider.”
The exploit could give attackers access to sensitive information, including email subject lines and content, MFA/2FA code activations, meeting details, and files indexed by Copilot from unsuspecting users.
Join us on Reddit at r/WindowsCentral to share your insights and discuss our latest news, reviews, and more.