Microsoft Copilot Vulnerability Exposes Sensitive Data
Cybersecurity researchers at Varonis Threat Labs have discovered a vulnerability in Microsoft 365 Copilot Enterprise Search, allowing attackers to extract sensitive data, including emails and two-factor authentication codes. The vulnerability, named SearchLeak, affects the Enterprise tier of Microsoft 365 and can expose business content, including emails, meeting invites, and documents. Microsoft has yet to comment on the issue.
Key points
- Varonis Threat Labs discovered a vulnerability in Microsoft 365 Copilot Enterprise Search, dubbed SearchLeak.
- The vulnerability allows attackers to extract sensitive data, including emails, two-factor authentication codes, and business content.
- SearchLeak affects the Enterprise tier of Microsoft 365 and can expose content the user has access to, including emails, meeting invites, and documents.
- The vulnerability involves a three-stage attack chain, including a new AI-specific vulnerability called Parameter-to-Prompt Injection (P2P) and two web bugs.
- Microsoft has not commented on the issue, but the vulnerability has been reported by Varonis Threat Labs.
A recent discovery by cybersecurity researchers at Varonis Threat Labs has highlighted a vulnerability in Microsoft 365 Copilot Enterprise Search. Dubbed SearchLeak, the vulnerability allows attackers to extract sensitive data, including emails and two-factor authentication codes.
The vulnerability affects the Enterprise tier of Microsoft 365 and can expose business content, including emails, meeting invites, and documents. According to Varonis, the vulnerability involves a three-stage attack chain, including a new AI-specific vulnerability called Parameter-to-Prompt Injection (P2P), and two web bugs.
The implications of this vulnerability are significant, as it can expose sensitive data that the user has access to. Depending on how Microsoft 365 is connected to the environment, the blast radius could extend even wider. Microsoft has yet to comment on the issue, but the vulnerability has been reported by Varonis Threat Labs.
This discovery highlights the ongoing threat of cybersecurity vulnerabilities in AI-powered systems. As AI assistants and chatbots become increasingly prevalent, the risk of data breaches and attacks will continue to grow. It is essential for companies to prioritize cybersecurity and invest in robust protection measures to prevent such vulnerabilities.
The WireByte editorial team synthesises technology news from multiple primary sources, verifies the facts, and links every source. Articles are produced with AI assistance and reviewed under our editorial policy.