Microsoft Copilot SearchLeak Shows How AI Can Turn User Permissions Into Security Risks

WorkAI.TV Editorial Desk
4 Min Read

Share with your CISO

Microsoft’s Copilot carried a critical vulnerability, now patched, that let attackers steal 2FA codes and confidential files with a single user click. Dolev Taler at Varonis Threat Labs discovered SearchLeak (CVE-2026-42824) in mid-June 2026, and Microsoft closed it on the backend by June 4 with no user-side action required. No confirmed in-the-wild exploitation occurred. But the mechanics matter: the attack used indirect prompt injection through a crafted URL to force Copilot, operating under the victim’s full permissions, to retrieve and exfiltrate inbox data, OneDrive files, and SharePoint documents before DLP controls could intervene.

What this means for your business

The recurring failure mode in enterprise AI security looks like this: organizations audit what users can access, then hand an AI agent identical access rights without auditing what the agent will actually do with them. SearchLeak exposed that gap precisely. Copilot didn’t need elevated privileges to cause a critical-severity breach. It just needed the ordinary permissions your finance team or executive suite already holds, and an attacker willing to embed instructions in a URL.

Microsoft rated this “max severity: critical” despite a CVSS score of only 6.5 (medium), and that gap is the analytical point worth holding. CVSS measures technical exploitability in isolation. Microsoft measured the business blast radius: enterprise-wide account takeover through a tool most large organizations have deployed broadly, across Outlook, Teams, SharePoint, and OneDrive simultaneously. When an AI agent sits at the intersection of every data store an employee can reach, a single retrieval-layer flaw becomes a master key. That’s a category of risk that traditional DLP and sensitivity labels were never designed to contain.

The signal worth watching: SearchLeak is the first documented case of an AI assistant being weaponized for enterprise data exfiltration at this scale, but the underlying attack class, indirect prompt injection through external content the AI retrieves, applies to any agentic system that browses, summarizes, or acts on untrusted input. This won’t stay a Microsoft problem. Every enterprise deploying AI agents with broad data access is building the same attack surface. The question isn’t whether your current AI vendors have patched their known vulnerabilities. It’s whether your permission governance would contain the next one before researchers find it.

Concept deep-dive: Indirect prompt injection

Standard prompt injection means a user types a malicious instruction into an AI. Indirect prompt injection means the attacker never touches the user at all: they embed instructions inside content the AI retrieves from an external source, a webpage, a document, a calendar invite. The AI reads the content, treats embedded commands as legitimate instructions, and acts on them with the victim’s credentials. Think of it as poisoning the well rather than bribing the courier. For any AI agent that fetches and processes external data, the attack surface is every URL or file it can reach.

Based on reporting from Microsoft Copilot SearchLeak Shows How AI Can Turn User Permissions Into Security Risks, originally published 2026-06-20 19:46:00.

Share This Article