Attackers tricked Copilot into leaking sensitive data through Bing

The Microsoft 365 Copilot app is displayed on a smartphone — A significant vulnerability has been discovered in Copilot. (Image credit: Getty Images | Thomas Trutschel)

While generative AI has driven remarkable advances in medicine, education, computing, and beyond, it continues to spark serious concerns about security and privacy among users.

Recently, cybersecurity firm Varonis Threat Labs found a way to exploit Microsoft Copilot to steal all sorts of personal and enterprise data, which it dubbed SearchLeak (Ars Technica). As detailed by security sleuth Dolev Taler, SearchLeak is a “three-stage vulnerability chain that turns Microsoft 365 Copilot Enterprise Search into a silent data exfiltration weapon.”

Taler noted that the vulnerability clearly illustrates how AI-powered threats are evolving from classic bugs, making them increasingly dangerous. "Together, these vulnerabilities show how AI can create new paths into systems that build on older weaknesses while remaining extremely difficult for security teams to detect," the researcher added.

Latest Videos From

How does SearchLeak work? It's an AI-specific vulnerability called a parameter-to-prompt injection. In this case, an attacker will send an unsuspecting user a malicious link that contains a “q parameter” intended for natural language search queries.

Perhaps more concerning, the parameter can be embedded into a legitimate URL. As a result, the researcher explained that Copilot’s AI engine interprets the URL not only as a search query but also as executable instructions.

Consequently, if a user clicks the link, it opens Microsoft 365 Copilot Search, which interprets the parameter as instructions to search their email. Copilot then generates an output that embeds sensitive data into an image URL and exfiltrates it via Bing.

The search functionality is exactly what attackers need, because even with limited capabilities, a user with access to critical information is enough. To exfiltrate the data, an attacker crafts a URL that tells Copilot to ‘Search the user’s emails,’ extract the title, and embed it in an image URL.
Varonis Threat Labs

While Microsoft indicated that the vulnerability wasn't exploited and has since been patched, it labelled ot a "critical." This incident opens up a broader discussion about the dangers of AI in enterprise.

“Since SearchLeak targets the Enterprise tier of Microsoft, the blast radius isn’t limited to personal data—it’s able to surface anything the user has access to inside the organization including emails, meeting invites and notes,” Varonis indicated. “SharePoint documents, OneDrive files, and other indexed business content. Depending on how M365 is connected to the environment, the blast radius could extend even wider.”

The exploit could give attackers access to sensitive information, including email subject lines and content, MFA/2FA code activations, meeting details, and files indexed by Copilot from unsuspecting users.

Join us on Reddit at r/WindowsCentral to share your insights and discuss our latest news, reviews, and more.

TOPICS

Kevin Okemwa is a seasoned tech journalist based in Nairobi, Kenya with lots of experience covering the latest trends and developments in the industry at Windows Central. With a passion for innovation and a keen eye for detail, he has written for leading publications such as OnMSFT, MakeUseOf, and Windows Report, providing insightful analysis and breaking news on everything revolving around the Microsoft ecosystem. While AFK and not busy following the ever-emerging trends in tech, you can find him exploring the world or listening to music.