Security researchers disclosed a critical vulnerability chain on June 15, 2026, dubbed SearchLeak, that weaponizes Microsoft 365 Copilot Enterprise to silently steal sensitive data from a victim's Microsoft 365 environment. The attack requires only that a target click a single specially crafted URL — with no additional user interaction, no file downloads, and no malware installation required.
What Is SearchLeak?
SearchLeak is a chained vulnerability attack targeting the integration between Microsoft 365 Copilot's AI search capabilities and the underlying M365 data stores. When exploited, the attack abuses Copilot's authorized access to organizational data to exfiltrate content on the attacker's behalf.
The attack can target:
- Mailbox data — emails, calendar entries, contact information
- OneDrive files — documents, spreadsheets, media, and personal files
- SharePoint content — internal sites, document libraries, and lists
Critically, the exfiltration occurs through Copilot's own legitimate data access channels — meaning the operation may not trigger traditional data loss prevention (DLP) alerts that look for unusual outbound data flows.
Attack Mechanics
The SearchLeak attack chain exploits the way Microsoft 365 Copilot processes URLs submitted to it:
Step 1: Crafting the Malicious URL
The attacker creates a URL that, when processed by Copilot's search and summarization logic, triggers a sequence of actions that exfiltrate data from the victim's M365 environment. The URL embeds instructions that Copilot's underlying model interprets as legitimate user requests.
Step 2: Delivery to the Victim
The crafted URL is delivered to the target — this could be through:
- A phishing email containing the URL
- A malicious link in a shared document or SharePoint page
- A Teams message or calendar invite containing the link
Step 3: Victim Clicks — One Click, Data Exfiltrated
When the victim clicks the URL and Copilot processes it, the malicious instructions execute within the context of the victim's own M365 session and permissions. Copilot queries the victim's mailbox, OneDrive, and SharePoint, then transmits the retrieved content to an attacker-controlled endpoint.
The victim sees little or no indication that anything unusual has occurred — Copilot's interface may simply display a normal-looking response.
Attacker crafts malicious URL
│
▼
URL delivered via phishing/link
│
▼
Victim clicks URL (1 interaction)
│
▼
Copilot processes URL with victim's M365 permissions
│
├── Queries mailbox → exfiltrates emails
├── Queries OneDrive → exfiltrates files
└── Queries SharePoint → exfiltrates internal data
│
▼
Data sent to attacker-controlled endpoint
Why AI Integration Creates New Attack Surfaces
SearchLeak highlights a structural security challenge with AI assistant integrations in enterprise environments: when a capable AI system is granted broad access to sensitive data and can be influenced by attacker-controlled input, that AI becomes a potential tool for the attacker.
The core issue is a form of prompt injection — attackers embed instructions within content the AI processes, causing it to take actions the victim did not intend. In Copilot's case, the AI's legitimate and authorized data access is turned against the user.
Why Traditional Security Controls Miss This
| Control | Why It May Fail Against SearchLeak |
|---|---|
| Antivirus / EDR | No malware is installed; attack is URL-based |
| Network DLP | Data exfiltration occurs via Copilot's authorized channels, not anomalous outbound connections |
| Email Filtering | The URL itself may not contain known malicious indicators |
| MFA | Does not prevent attacks that occur within an already-authenticated session |
| CASB | May not inspect or block Copilot API interactions depending on configuration |
Microsoft Response
Microsoft was notified of the SearchLeak vulnerability chain and is investigating. Microsoft 365 Copilot is a rapidly evolving product, and the scope and persistence of this issue may change as Microsoft implements mitigations. Users should monitor Microsoft's official security advisory channels for updates.
At time of publication, organizations using Microsoft 365 Copilot Enterprise should apply the mitigations below while awaiting an official patch.
Mitigations
Immediate Actions
- Review Copilot permissions — audit which users have Microsoft 365 Copilot Enterprise enabled; consider temporarily limiting Copilot access to users with the highest data sensitivity requirements until Microsoft issues a fix
- Enable Copilot interaction logging — ensure Microsoft Purview audit logging captures Copilot session data, including prompts and responses, so anomalous Copilot queries can be detected
- Educate users on suspicious links — users should be cautious about clicking unexpected links that trigger Copilot interactions, particularly in emails and Teams messages from external parties
Detection: Copilot Audit Logging
# Enable Copilot audit logging via Microsoft Purview (if not already enabled)
# Run in Exchange Online PowerShell
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
# Search for anomalous Copilot queries in audit log
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
-EndDate (Get-Date) `
-RecordType CopilotInteraction `
-ResultSize 1000 | `
Where-Object { $_.Operations -match "CopilotDataExfiltration|CopilotQuery" } | `
Select-Object CreationDate, UserIds, Operations, AuditDataConditional Access Hardening
Recommended Copilot access controls:
- Restrict Copilot to Compliant devices only (Intune compliance policy)
- Require re-authentication for Copilot sessions after 1 hour
- Block Copilot access from external/guest accounts
- Enable sensitivity label-based access controls in M365 Copilot settings
Broader Implications for AI Security
SearchLeak is part of a growing class of AI-native attack techniques that abuse the data access privileges granted to AI assistants:
- Indirect prompt injection — attackers plant malicious instructions in content the AI will process (emails, documents, web pages) to redirect AI behavior
- AI-assisted data discovery — AI's ability to rapidly search and summarize large data stores makes it a force multiplier for attackers if they can control its queries
- Authorized channel exfiltration — using AI's own legitimate API access to move data, bypassing controls that look for unauthorized connections
As AI copilots and assistants gain deeper integration with enterprise data, AI security becomes an extension of traditional data security — organizations need visibility into what AI systems are doing with their data, not just what human users are doing.