Microsoft
Vulnerability Discovery | Impact: Major | Conf: 95%

Microsoft Copilot SearchLeak: One Click Exfiltrates All Indexed Enterprise Data via LLM Prompt Injection

Summary

Varonis discovered SearchLeak (CVE-2026-42824) in Microsoft 365 Copilot Enterprise, a three-stage vulnerability chain: P2P injection, HTML rendering race condition, and SSRF via Bing to bypass CSP. Attackers embed malicious URL parameters; user clicks cause Copilot to exfiltrate sensitive data (emails, SharePoint, OneDrive) via Bing image URLs, evading traditional phishing defenses. Microsoft has released a patch.

Key Takeaways

Varonis Threat Labs discovered SearchLeak, a three-stage attack chain targeting Microsoft 365 Copilot Enterprise. Stage 1: P2P injection embeds malicious parameters in URLs, which Copilot's LLM interprets as search instructions. Stage 2: HTML rendering race condition dynamically embeds sensitive data into image URLs during rendering. Stage 3: SSRF via Bing bypasses CSP because image URLs point to bing.com, a trusted Microsoft domain, evading traditional URL filters.

Attackers can exfiltrate all indexed enterprise data: emails, SharePoint documents, OneDrive files, and meeting invites. The chain exploits LLM trust in user input and cross-service trust boundaries (Copilot trusts Bing, Bing trusts Microsoft domains). Microsoft released a patch but did not disclose details.

Additionally, Microsoft confirmed CVE-2026-50656 in the Defender malware engine (CVSS 7.8), a TOCTOU race condition that allows attackers to gain SYSTEM privileges by swapping files during scanning.

Why It Matters

SearchLeak redefines the enterprise attack surface: LLMs become a new data exfiltration vector via trusted service chains. Traditional security models fail because Copilot interprets URLs as search instructions, not links, bypassing URL filters and DLP. The SSRF via Bing exploits cross-service trust (Copilot→Bing→Microsoft domain), making exfiltration traffic indistinguishable from legitimate Bing requests.

Key flaws: 1) LLM semantic interpretation of URLs renders all URL-based security policies useless. 2) Indexed data scope equals attack surface; Microsoft offers no granular indexing controls. 3) Patch opacity leaves enterprises unable to verify completeness, especially given LLM non-determinism. 4) Defender TOCTOU vulnerability (CVE-2026-50656) enables SYSTEM-level access, potentially masking SearchLeak detections, creating a combined data theft and privilege escalation chain.

PRO Decision

Vendors (Google, Slack, Salesforce): Immediately audit your LLM-integrated products for similar P2P injection and SSRF patterns. Implement semantic input validation to prevent URL parameters from being interpreted as instructions. Use this event to promote zero-trust AI agent architectures, highlighting Microsoft's trust chain flaws.

Enterprises: 1) Pause Copilot on sensitive data until Microsoft provides detailed patch verification. 2) Demand granular indexing controls (tenant/site/file level). 3) Deploy anomaly detection on Bing traffic to monitor image URL exfiltration. 4) Evaluate on-premise LLM alternatives (e.g., Llama, Mistral) to avoid trust chain risks. 5) Prioritize the Defender TOCTOU patch (CVE-2026-50656) because of its SYSTEM-level privilege escalation.
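One way to approach the Bing-traffic monitoring in item 3, as an added example that is not code from Varonis or Microsoft: it flags Bing-bound requests whose query values, including values inside a URL passed as a parameter, are long and high-entropy. The log format, hosts, paths, parameter names and thresholds are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log entries (user, requested URL). Hosts, paths and
# parameter names are illustrative assumptions, not SearchLeak indicators.
BLOB = "UTMgcmV2ZW51ZSBmb3JlY2FzdDogNC4yTSwgbWVyZ2VyIGNsb3NlcyAxMi8wMQ"
SAMPLE_LOG = [
    ("alice", "https://www.bing.com/search?q=how+to+configure+conditional+access+policies"),
    ("alice", "https://www.bing.com/images/example?u=https%3A%2F%2Fcollector.example%2Fp.png%3Fd%3D" + BLOB),
    ("bob", "https://cdn.example.org/logo.png?v=" + BLOB),
]

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def is_bing(host):
    return host == "bing.com" or host.endswith(".bing.com")

def encoded_values(url, min_len=40, min_entropy=4.5):
    """Return (param, length, nested_host) for long, high-entropy query values
    in a Bing-bound URL, including values inside a URL passed as a parameter."""
    parts = urlsplit(url)
    if not is_bing((parts.hostname or "").lower()):
        return []  # other hosts are left to ordinary URL filtering
    hits, stack = [], [(k, v, None) for k, v in parse_qsl(parts.query)]
    while stack:
        name, value, nested = stack.pop()
        if value.lower().startswith(("http://", "https://")):
            inner = urlsplit(value)  # descend into the embedded URL
            stack += [(k, v, inner.hostname) for k, v in parse_qsl(inner.query)]
        elif len(value) >= min_len and entropy(value) >= min_entropy:
            hits.append((name, len(value), nested))
    return hits

def scan(log):
    """Group hits by user so one session's burst of flagged requests stands out."""
    report = defaultdict(list)
    for user, url in log:
        report[user] += encoded_values(url)
    return {user: hits for user, hits in report.items() if hits}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The entropy threshold separates encoded blobs from long natural-language search queries; tune both thresholds against a baseline of your own Bing traffic before alerting on them.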

Investors: Ignore Microsoft's PR. SearchLeak reveals systemic security flaws in LLM integration, not an isolated bug. Focus on AI security audit and zero-trust startups (Wiz, SentinelOne, Zscaler AI modules) rather than single-vendor LLM platforms.

Source: IT之家/Ars Technica/Varonis