Varonis disclosed the Microsoft 365 Copilot Enterprise Search vulnerability chain on 15 June. The company said a victim who clicked a crafted Microsoft 365 search link could have had emails, security codes, meeting details and indexed SharePoint or OneDrive files exposed through Copilot's own access to organisational data. The Hacker News, BleepingComputer and Dark Reading reported the same core chain from Varonis's technical write-up.

Microsoft has remediated the issue. The Hacker News reported that Varonis presented a proof of concept rather than evidence of observed exploitation, and that the managed-service fix meant customers did not have a conventional patch to deploy. That matters: the practical lesson is less about emergency patching than about how much data an assistant can reach when the next flaw appears.

The chain had three links. First, Varonis said Copilot Enterprise Search accepted instructions through the q parameter in a Microsoft 365 search URL. In ordinary search, that field should carry a query. In the attack, Varonis said it became a parameter-to-prompt injection route: the URL carried instructions for Copilot to search the victim's mailbox and place selected data into a response.

The second link was timing. Varonis said Copilot streamed output into the browser before its guardrail wrapped generated markup in code formatting. During that gap, an injected image tag could fire an outbound request before the final response was neutralised. BleepingComputer described the same stage as an HTML-rendering race condition: the browser acted on the image request while Copilot was still producing the answer.
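To make the timing problem concrete, here is an added illustration (not Varonis's or Microsoft's code) that models a chat UI streaming model output into the page: one renderer defers neutralisation until the full answer has arrived, the other escapes every chunk before insertion. The sample chunks are constructed, and the rendering is simulated as HTML strings rather than a live DOM.

```javascript
// Minimal HTML escaper: turns markup into inert text.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Deferred guardrail (the pattern the write-up describes): raw chunks are
// appended as they arrive and only the finished text is wrapped in a code
// block. Returns each interim state the browser would render, then the
// final neutralised state.
function renderDeferredGuardrail(chunks) {
  const states = [];
  let html = "";
  for (const chunk of chunks) {
    html += chunk; // markup is live for the whole streaming window
    states.push(html);
  }
  states.push("<pre><code>" + escapeHtml(html) + "</code></pre>");
  return states;
}

// Per-chunk escaping: every chunk is neutralised before insertion, so no
// interim state ever contains live markup, even when a tag is split
// across chunk boundaries (token boundaries rarely align with tags).
function renderPerChunkEscape(chunks) {
  const states = [];
  let body = "";
  for (const chunk of chunks) {
    body += escapeHtml(chunk);
    states.push("<pre><code>" + body + "</code></pre>");
  }
  return states;
}

// Constructed sample response whose image tag straddles three chunks.
const SAMPLE_CHUNKS = [
  "Here is the summary: <im",
  'g src="https://exa',
  'mple.invalid/pixel"> Done.',
];

// True if any rendered state would make the browser issue an image request.
function anyStateHasLiveImageTag(states) {
  return states.some((s) => /<img\s/i.test(s));
}
```

The deferred renderer's final state is clean, which is why a check that only inspects the finished answer would pass; the interim states are where the request fires.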

The third link moved the data past the page's Content Security Policy (CSP), the browser rule that restricts where a page can load resources from. Varonis said the page allowed Bing image requests, and Bing's search-by-image endpoint fetched attacker-controlled URLs from Microsoft's own infrastructure. That turned Bing into a server-side request forgery path. In plain terms, the browser was allowed to call Bing, and Bing then called the attacker's server with stolen text embedded in the URL path.

Each weakness was limited on its own. Together, they mattered because Copilot Enterprise Search works across the signed-in user's Microsoft Graph permissions. Dark Reading reported that the attack could reach files and business content the user could access, including OneDrive and SharePoint material. The Hacker News wrote that the same access path could expose time-sensitive inbox data such as one-time codes and password-reset links.