Microsoft patches critical Copilot flaw that let hackers steal 2FA codes with one click

Reviewed byNidhi Govil

5 Sources

Share

Microsoft fixed a max-severity vulnerability in its M365 Copilot AI platform that allowed attackers to exfiltrate 2FA codes and sensitive data through a crafted URL. Security researchers at Varonis discovered the exploit chain, dubbed SearchLeak, which combined prompt injection with HTML rendering flaws to bypass Microsoft's guardrails. The vulnerability highlights how AI systems struggle to distinguish between legitimate user instructions and malicious commands embedded in third-party content.

Microsoft Copilot Vulnerability Exposes Critical Security Gap in AI Systems

Microsoft patched a Microsoft Copilot vulnerability on June 4 that security researchers rated as maximum severity: critical

1

. The flaw, assigned CVE-2026-42824, allowed attackers to steal sensitive data including 2FA codes, passwords, calendar events, and documents from Microsoft 365 Copilot Enterprise users through a specially crafted link

2

. Researchers at Varonis Threat Labs discovered the exploit chain and named it SearchLeak, demonstrating how a single click could turn Copilot into a data exfiltration tool without requiring victims to type anything or authenticate

4

.

Source: Digit

Source: Digit

The vulnerability exposed a fundamental challenge facing Microsoft and other AI providers: AI models cannot distinguish between instructions from legitimate users and malicious commands hidden in third-party content they process. This incurable weakness forces companies to build complicated guardrails that attackers repeatedly find ways to circumvent

1

.

How SearchLeak Bypassed Multiple Security Layers

Varonis researchers developed SearchLeak by chaining three distinct weaknesses that individually posed minimal risk but proved devastating when combined

2

. The attack exploited a parameter-to-prompt injection, where malicious instructions were embedded in the 'q' query parameter of a Microsoft 365 Copilot Search URL rather than in email content or other untrusted sources

3

.

The crafted malicious URL instructed Copilot to search the victim's emails, extract specific information like titles or access codes, and embed the stolen data in an image URL. When victims clicked the link on the legitimate microsoft.com domain, Copilot executed these instructions automatically, making traditional anti-phishing and URL filtering tools ineffective at detecting the threat

3

.

Source: Futurism

Source: Futurism

The second component exploited an HTML rendering race condition that occurred during Copilot's response generation. Microsoft built guardrails to wrap output in code blocks so browsers would treat markup as plain text, but this protection only activated after Copilot finished its "thinking" phase

1

. During streaming, Copilot generated responses using raw HTML that was temporarily rendered in the browser DOM. When an image tag appeared in the stream, the browser immediately fired an HTTP request to fetch it before the guardrail could wrap everything in protective code blocks

2

.

Bing Becomes Unwitting Accomplice in Data Exfiltration

The third link in the SearchLeak chain leveraged server-side request forgery through Bing's "Search by Image" feature to bypass content security policies

3

. While Copilot's security policy blocked image requests to most external domains, Bing remained on the allowlist as a trusted Microsoft property. Attackers exploited this trust by routing their data exfiltration requests through Bing, which would then fetch images from attacker-controlled servers with stolen information encoded in the URL path

1

.

The complete attack sequence worked seamlessly from the victim's perspective. After clicking the link, users would only see Copilot "thinking" momentarily with no indication that their data was being exfiltrated to external servers where attackers could read it from request logs

2

.

Enterprise-Wide Impact and AI Security Implications

Because SearchLeak targeted Microsoft 365 Copilot Enterprise, the blast radius extended far beyond personal data to encompass anything users could access within their organizations

1

. The critical vulnerability in M365 Copilot put emails, meeting invites and notes, SharePoint documents, and OneDrive files at risk. The most time-sensitive targets included one-time codes, multi-factor authentication tokens, and password-reset links that remained valid for several minutes after being sent

3

.

Dolev Taler, the Varonis researcher credited in Microsoft's advisory, had previously disclosed a similar attack called Reprompt against Copilot Personal in August 2025, which Microsoft patched in January 2026

3

. SearchLeak held up against Enterprise Search despite the additional guardrails that tier was designed to enforce, demonstrating the persistence of this vulnerability class.

Source: BleepingComputer

Source: BleepingComputer

The AI security flaw follows a pattern established by EchoLeak, a zero-click Copilot vulnerability disclosed by Aim Security in 2025 and tracked as CVE-2025-32711 with a CVSS score of 9.3

3

. Unlike SearchLeak, EchoLeak required no user interaction, embedding prompt injection attacks in documents that Copilot processed automatically.

The Prompt Injection Problem Has No Permanent Fix

Varonis emphasized that familiar bug classes like server-side request forgery and HTML injection race conditions, which security teams have mitigated for years, become potent weapons when prompt injection creates new pathways to exploit them

2

. The fundamental issue remains that AI systems accept natural language queries that can contain hidden instructions, and these systems cannot reliably distinguish between legitimate commands and malicious ones

3

.

Microsoft fixed the vulnerabilities that SearchLeak exploited and found no evidence that customers were affected

5

. Because Copilot Enterprise operates as a managed service, no customer action was required for the mitigation

3

. However, with no known way to fix the underlying cause that allows AI models to confuse user instructions with malicious commands in third-party content, attackers will inevitably find new methods to circumvent newly constructed guardrails

1

.

Cybersecurity experts should watch for similar exploit chains targeting other AI assistants that process user data and accept natural language instructions. Organizations using AI models for sensitive operations need to understand that these systems create new attack surfaces where old vulnerability classes gain renewed potency. The cycle of discovering prompt injection variants, building guardrails, and watching attackers breach them appears set to continue as AI systems become more deeply integrated into enterprise workflows.

Today's Top Stories

© 2026 TheOutpost.AI All rights reserved