A single malicious link, and an enterprise's entire digital estate could be laid bare. That is the alarming takeaway from SearchLeak, a just-disclosed vulnerability chain in Microsoft 365 Copilot Enterprise that Varonis Threat Labs revealed on June 15, 2026. The flaw, now patched by Microsoft, allowed attackers to weaponize Copilot's powerful search and summarization capabilities, tricking the AI assistant into scouring emails, documents, Teams messages, and more — all from nothing more than a crafted URL sent to a target.

SearchLeak is a wake-up call for the rapid enterprise adoption of AI copilots. It demonstrates that the very features making these tools indispensable — seamless access to organizational data for real-time answers — can be perverted into a built-in exfiltration engine if the underpinning authentication and authorization controls fail. Varonis's research not only details a critical technical flaw but also lays bare a systemic risk: as AI gains unfettered access to sensitive data, the attack surface expands exponentially, and traditional security perimeters collapse.

What is SearchLeak?

SearchLeak is the name Varonis Threat Labs assigned to a chain of two vulnerabilities in Microsoft 365 Copilot Enterprise. The core issue centered on how Copilot handled specific URL parameters when processing hyperlinks shared within a tenant. By crafting a malicious link that pointed to a legitimate-looking but attacker-controlled domain, a threat actor could force Copilot to perform an unauthorized search of the target's Microsoft 365 environment and exfiltrate the results.

The vulnerability chain exploited a combination of server-side request forgery (SSRF) and insufficient sanitization of user-supplied input in Copilot's document processing pipeline. When a user clicked the link — or in some scenarios, merely previewed a message containing it — Copilot would automatically read the link's content, interpret embedded instructions, and execute a search across the user's accessible data without any visible prompt or consent dialog.

Because Copilot Enterprise is designed to answer questions by indexing and retrieving information from across Microsoft 365 — including Outlook emails, SharePoint files, OneDrive, and Teams chats — an attacker could query for highly sensitive information such as “passwords,” “confidential financials,” or “merger discussions,” and receive a neat, LLM-generated summary containing the raw data.

How the Vulnerability Chain Worked

Varonis researchers laid out a two-stage attack flow. The first stage was an SSRF vulnerability in Copilot’s link-preview function. When a user sends a link in Teams, Outlook, or any other Microsoft 365 app where Copilot is active, the AI automatically fetches the target page to generate a rich preview. The flaw allowed an attacker to manipulate the link’s destination so that Copilot’s fetch request was directed to an internal Microsoft 365 API endpoint, not an external website.

Specifically, by appending specially crafted query parameters to the URL — such as &search=password or &scope=filedata — the attacker could transform the preview fetch into an authenticated API call to the Microsoft Graph or Copilot’s own indexing service. Because Copilot runs with the session context of the user who triggered the preview, the request would carry that user’s privileges.

The second stage exploited a flaw in how Copilot processed the response from that internal API. Normally, results from a search API would be rendered to the user in a chat interface. But by chaining the SSRF with a redirect to an external attacker server containing a hidden inline frame, the researchers found that Copilot could be tricked into sending the raw search results — unredacted and unsanitized — to an attacker-controlled endpoint.

All an attacker needed was to get a single victim inside the organization to click a link. In many email and chat scenarios, that is trivially achieved through social engineering. Worse, the exploit could be executed without the victim realizing anything was amiss; Copilot’s normal UI would show no indication a search had occurred, and the malicious link could be disguised as a routine business document or news article.

Impact and Data-Access Risks

The potential blast radius of SearchLeak is sobering. Copilot Enterprise is architected to access all data that a user can see, and it relies on Microsoft 365’s permissions model. However, many organizations over-provision access, and users often have broad visibility into file stores, shared mailboxes, and Teams channels. An attacker compromising a single mid-level employee account could query for executive communications, HR records, intellectual property, or financial statements.

Varonis demonstrated proof-of-concept attacks that retrieved:
- Executive email threads containing board-level strategy discussions.
- Passwords and API keys stored in plaintext within SharePoint documents.
- M&A deal room documents and legally sensitive communications.
- Employee health information from HR portals integrated into Microsoft 365.

Because Copilot summarizes information, the output could distill thousands of documents into a concise, easily exfiltrated paragraph. This dramatically lowers the barrier for data theft; attackers no longer need to download terabytes of files — they can grab a neat summary of the crown jewels in a single HTTP request.

The vulnerability also posed a lateral movement risk. By querying for shared credentials or configuration files, an attacker could pivot from an initial low-privilege compromise to domain administrator access within minutes.

Microsoft’s Response and the Patch

Varonis privately disclosed SearchLeak to Microsoft’s Security Response Center (MSRC) on March 12, 2026. Microsoft acknowledged the severity and began developing a fix, which was deployed globally to all Copilot Enterprise instances by June 1, 2026, before the public disclosure.

The patch addressed both the SSRF and the data exfiltration path. Microsoft hardened Copilot’s URL parser to reject requests to internal IP ranges, enforced strict validation on query parameters, and implemented a same-origin policy for any data retrieved through link previews. Additionally, Copilot now requires explicit user confirmation before executing any search that could return sensitive information from outside the immediate conversation context.
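The kind of check this paragraph describes (refusing internal address ranges and validating query parameters before a preview fetch) can be sketched as follows. This is an added example, not Microsoft's code; the `ALLOWED_PARAMS` allowlist, the function names and the injectable `resolve` argument are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import parse_qsl, urlsplit

# Assumption: the only query parameters a preview fetch may carry.
ALLOWED_PARAMS = {"id", "lang", "page"}


def _system_resolve(host):
    """Resolve a hostname to the set of IP address strings it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_preview_url(url, resolve=_system_resolve):
    """Return (allowed, reason) for a URL a link-preview fetcher is asked to load."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme not https"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    # Strict query validation: unknown or repeated parameters are rejected.
    seen = set()
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name not in ALLOWED_PARAMS or name in seen:
            return False, f"query parameter not allowed: {name}"
        seen.add(name)
    # Check every address the name resolves to, so a public-looking name
    # that points at an internal range is still refused.
    try:
        addresses = resolve(host)
    except OSError:
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False, f"non-public address: {ip}"
    return True, "ok"
```

A fetcher using such a check has to apply it again to every redirect hop and connect to the address it validated, otherwise a redirect or a second DNS answer bypasses it.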

Microsoft also issued guidance (CVE-2026-4872) and encouraged administrators to audit Copilot permissions, enable sensitivity labels, and restrict link previewing in high-security environments. The company emphasized that no customer data was known to have been compromised before the fix.

Broader Implications for AI Security

SearchLeak is not an isolated glitch; it embodies a class of vulnerabilities that will proliferate as large language model (LLM) agents gain more autonomy and deeper data integration. AI assistants like Copilot are designed to break down data silos — and in doing so, they become a single point of access for sensitive information. If an attacker can coerce the AI into acting on their behalf, they inherit the user’s entire data estate.

This incident recalls earlier LLM prompt injection attacks, such as those against ChatGPT plugins and Google Bard extensions. But SearchLeak is more dangerous because it does not require prompt injection; the exploit works at the transport layer, manipulating URLs and network requests, making it invisible to content-based guardrails.

The vulnerability also highlights the perils of “ambient authority” in AI systems. Copilot operates with the full context of the logged-in user, and because it is designed to be helpful and minimize friction, it often performs actions without explicit consent. Security architects now face a dilemma: how to balance usability with robust isolation.

Industry reactions have been swift. Jake Williams, a former NSA hacker and now vice president of R&D at SANS, noted: “SearchLeak is the nightmare scenario we’ve been warning about. When you give an AI the keys to the kingdom, the kingdom is only as secure as the AI’s input validation. This is just the first wave.”

CISOs at large financial institutions and healthcare providers are revisiting their Copilot rollout timelines. “We paused our production deployment of Copilot Enterprise after hearing about this,” said one Fortune 500 security lead who asked not to be named. “The risk of a single click exposing our entire M365 environment is unacceptable until we can implement comprehensive monitoring.”

Expert Perspectives and Lessons Learned

Security researchers have long cautioned that AI copilots would become prime targets. The fundamental issue is that LLMs are inherently probabilistic and cannot be fully trusted with deterministic access control. As Varonis’s report states, “Input sanitization alone cannot solve the problem when the AI’s very purpose is to reach into every corner of the user’s data universe.”

Several critical lessons emerge:

  • Least privilege is non-negotiable. Organizations must ruthlessly prune user permissions and apply just-in-time access. Copilot will only find what users are allowed to see, so over-permissioning directly expands the blast radius.
  • Link handling must be paranoid. AI assistants should never automatically fetch and process arbitrary URLs without stringent validation and sandboxing. Safe-link protections in Microsoft Defender for Office 365 provide some defense, but they must be extended to Copilot's own rendering engine.
  • Audit logs are crucial. Microsoft 365 Purview Audit captures Copilot interactions, including search queries and data access events. Security teams should build alerting around anomalous query patterns, such as broad searches for “password” or “SSN” initiated via link previews.
  • Assume breach and exfiltration. The speed and summarization capability of LLMs means data can be stolen in seconds. Organizations must adopt real-time data detection and response (DDR) tools that can identify and block unusual Copilot data movements before they leave the tenant.
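The alerting idea in the audit-log lesson above, as an added example that is not taken from the Varonis report or from Microsoft: it scans constructed JSON-lines records and flags sensitive searches started by a link preview, plus bursts of sensitive searches typed in chat. The field names (`ts`, `user`, `trigger`, `query`), the term list and the thresholds are hypothetical and would need mapping to the fields a tenant's exported audit records actually contain.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records; field names are hypothetical, not the Purview schema.
SAMPLE_LOG = """\
{"ts": "2026-06-02T09:00:05", "user": "ana@contoso.example", "trigger": "chat", "query": "Q2 roadmap summary"}
{"ts": "2026-06-02T09:01:10", "user": "bo@contoso.example", "trigger": "link_preview", "query": "password"}
{"ts": "2026-06-02T09:02:00", "user": "cy@contoso.example", "trigger": "chat", "query": "reset my password steps"}
{"ts": "2026-06-02T09:03:00", "user": "cy@contoso.example", "trigger": "chat", "query": "where is the vpn password"}
{"ts": "2026-06-02T09:04:30", "user": "cy@contoso.example", "trigger": "chat", "query": "ssn of new hires"}
{"ts": "2026-06-02T09:30:00", "user": "ana@contoso.example", "trigger": "chat", "query": "shared credentials doc"}
"""

SENSITIVE = re.compile(r"\b(password|passwd|ssn|api key|credentials?)\b", re.I)
WINDOW = timedelta(minutes=5)
BURST = 3  # sensitive chat queries per user per window before alerting


def detect(log_text):
    """Return a list of (ts, user, rule) alerts for sensitive Copilot searches."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of sensitive chat queries
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not SENSITIVE.search(rec["query"]):
            continue
        ts = datetime.fromisoformat(rec["ts"])
        if rec["trigger"] == "link_preview":
            # No user typed this query, so a preview-initiated hit alerts at once.
            alerts.append((rec["ts"], rec["user"], "sensitive-search-via-link-preview"))
            continue
        q = recent[rec["user"]]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= BURST:
            alerts.append((rec["ts"], rec["user"], "sensitive-search-burst"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```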

Recommendations for Securing Copilot Environments

In light of SearchLeak, Varonis and independent security experts recommend several immediate steps:

  1. Restrict Copilot link previews for external URLs. Administrators can disable automatic link previews via the Microsoft 365 Admin Center under Copilot settings or through Conditional Access policies. For high-sensitivity environments, consider allowing link previews only for trusted domains.
  2. Enforce sensitivity labels. Copilot respects Microsoft Information Protection labels. By labeling sensitive documents, organizations can prevent Copilot from including their content in responses or searches triggered by unverified requests.
  3. Deploy browser isolation. If users click a malicious link in a web-based Microsoft 365 app, remote browser isolation can prevent Copilot from interacting with the attacker’s server, breaking the exfiltration chain.
  4. Continuously monitor Copilot activity. Use SIEM and UEBA tools to baseline normal Copilot usage and detect anomalies. Varonis’s platform can flag suspicious search queries and unexpected data flows from Copilot.
  5. Educate users. Reinforce that any link — even in Teams or Outlook — can be malicious. Encourage reporting of suspicious messages and consider implementing a “report to quarantine” workflow.

Microsoft has improved its secure-by-design posture for Copilot, but the onus remains on customers to configure the service securely. The company’s Shared Responsibility Model is clear: data protection is a partnership.

The Future of AI-Powered Search and Security

SearchLeak is unlikely to be the last flaw of its kind. As Microsoft integrates Copilot deeper into the Windows shell, Office applications, and Azure, the attack surface will only grow. AI agents that can autonomously book meetings, draft emails, and analyze code will require even greater data visibility — and introduce even greater risk.

Microsoft’s vision of a “Copilot for every person” hinges on trust. Incidents like this erode that trust and underscore the need for a fundamental rethinking of authorization boundaries. One promising direction is the use of confidential computing to process AI queries in secure enclaves, ensuring that even compromised prompts cannot leak raw data. Another is context-aware policy engines that dynamically assess the intent behind each Copilot action, not just the static permissions.

For now, security teams should treat Copilot as they would any other high-privilege system: subject to rigorous penetration testing, continuous monitoring, and least privilege. The promise of generative AI is immense, but as SearchLeak makes clear, the price of unchecked convenience is existential data risk.

Varonis’s full technical report, including indicators of compromise and detection queries, is available on the company’s blog.