The critical, three-stage attack is now patched, but it's part of a new group of AI prompt-injection issues that use hidden URLs and other variables.
June 15, 2026
A novel Microsoft Copilot attack that researchers dubbed "SearchLeak" would have enabled an attacker to silently exfiltrate user files, including emails, meeting notes, OneDrive files, SharePoint documents, and other business files the user has access to.
Varonis Threat Labs today detailed the three-stage vulnerability, which works as a relatively unknown subset of indirect prompt-injection attacks called parameter-to-prompt Injection (P2P), which needs to be on defender radar screens.
The attack works like this: the threat actor sends the victim a Copilot link through any channel, such as email or Slack. The link itself opens Microsoft 365 Copilot Search, and is structured so that whatever prompt is behind the "q" parameter, the search accepts (structured as " https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=<PROMPT>").
