Key facts
- A vulnerability in Microsoft Copilot, named SearchLeak, allowed attackers to exfiltrate user data.
- Attackers crafted a URL that instructed Copilot to search user emails and embed the title in an image URL.
- The exploit bypassed Copilot's output guardrails by leveraging the rendering of raw HTML before protection mechanisms engaged.
- Microsoft's Bing search engine was used as a relay to send requests to attacker-controlled domains.
- The vulnerability impacted the Enterprise tier of Microsoft 365, potentially exposing emails, meeting invites, documents, and other indexed content.
- Microsoft has patched the vulnerabilities.
Researchers have identified a critical vulnerability in Microsoft Copilot, dubbed SearchLeak, that enabled attackers to exfiltrate sensitive user data. The attack exploits Copilot's search functionality by tricking users into clicking a specially crafted URL. This URL contains an instruction that prompts Copilot to search for specific information, such as a user's emails, and embed the title of the search result into an image URL.
The vulnerability arises because Copilot's output guardrails, which normally wrap responses in code blocks, activate only after the AI has finished processing. In the interim, Copilot generates its response using raw HTML, which is rendered in the browser's DOM. This allows an image tag within the response to be rendered and send an HTTP request to a source URL before the guardrail is applied.