Microsoft Copilot contained a severe vulnerability that researchers at Varonis dubbed SearchLeak, allowing attackers to steal two-factor authentication codes and sensitive corporate data through a novel Parameter-to-Prompt Injection technique.

The exploit works by sending victims a malicious link containing hidden instructions. When clicked, Copilot searches the user's emails and embeds extracted data in image URLs. Since guardrails only activate after the AI finishes processing, browsers render the HTML first and fire off requests before protections engage.

Attackers circumvented Copilot's content restrictions by routing stolen data through Bing search engine, which the AI trusts for image requests. This allowed exfiltration of emails, meeting invites, SharePoint documents, and OneDrive files accessible to the compromised user.

Varonis noted the attack specifically targets Microsoft's Enterprise tier, making the potential impact far more severe than consumer data exposure. While Microsoft patched these vulnerabilities on Tuesday, researchers warn this incident reveals fundamental weaknesses in how LLM security is approached across the industry.