Microsoft Copilot A.I CyberSecurity Scoring
Microsoft Copilot
Company Information
Website: https://copilot.microsoft.com/
Number of employees: 2
Number of followers: 141,251
NAICS: 5112
Industry type: Software Development
Homepage: microsoft.com
Microsoft Copilot Risk Score (AI oriented)
Between 700 and 749
Microsoft Copilot, Software Development
Updated: 15/06/2026
Score: 738/1000, Moderate (Ba)
Microsoft Copilot Global Score (TPRM)
Microsoft Copilot, Software Development
Score locked

Microsoft Copilot: Moderate
Current Score: 738, Ba (Moderate), on a scale of 0 to 1000
3 incidents
-4.33 average point impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
June 2026: 743
Vulnerability, 15 Jun 2026, Microsoft Copilot
Source: Microsoft: Cyber Security News ®’s Post
Microsoft 365 Copilot Enterprise Vulnerability Chain Enables One-Click Data Theft
Score: 738
Severity: CRITICAL-5
Incident ID: MIC1781540677
Researchers have uncovered a critical vulnerability chain, dubbed SearchLeak, in Microsoft 365 Copilot Enterprise that allows attackers to exfiltrate sensitive corporate data including MFA codes, emails, calendar details, and confidential files with a single click on a link from a legitimate Microsoft domain.
Unlike a standalone flaw, SearchLeak is a chained exploit that weaponizes Microsoft 365 Copilot’s Enterprise Search functionality as a silent data exfiltration tool. While individual vulnerabilities in the chain may be manageable, their combined impact creates a one-click attack vector capable of compromising vast amounts of data. The exploit underscores a broader risk: AI assistants like Copilot amplify existing access permissions, meaning overly permissive identities can be exploited at scale.
The attack requires no user interaction beyond clicking a seemingly trustworthy link, which makes it particularly dangerous. Once triggered, sensitive data can be stolen before the victim even realizes an incident has occurred. Security experts warn that this is not a traditional bug but a systemic issue, dubbed an Aethernox, in which seemingly secure layers collapse under a coordinated exploit.
The discovery highlights the urgent need for stricter identity and access controls, as AI-driven tools expand the attack surface for enterprises. Microsoft has not yet publicly detailed remediation steps, but organizations using Copilot Enterprise are advised to review permissions and monitoring protocols.
Incident details: Type: Vulnerability; Impact: Data breach; References: not listed
May 2026: 743
April 2026: 743
March 2026: 742
February 2026: 747
January 2026: 747
Vulnerability, 21 Jan 2026, Microsoft Copilot
Source: Microsoft: Why the Microsoft 365 Copilot bug matters for data security
Microsoft 365 Copilot Bug Exposed Confidential Emails to AI Summarization
Score: 741
Severity: CRITICAL-6
Incident ID: MIC1772477164
A coding error in Microsoft 365 Copilot allowed its AI chat feature to process and summarize sensitive emails despite existing Data Loss Prevention (DLP) policies designed to block such access. The issue, tracked as CW1226324, affected the "work tab" in Copilot Chat, which assists users with summarizing content, drafting responses, and analyzing data across Outlook, Word, Excel, PowerPoint, and OneNote.
Key Details:
- Who: Microsoft 365 Copilot users, particularly enterprise customers.
- What: A bug caused Copilot to read and summarize emails in Sent Items and Drafts folders, including those labeled as confidential or sensitive.
- When: The issue emerged on January 21 and persisted until Microsoft began deploying a fix in early February.
- Where: Impacted Outlook desktop users with Copilot enabled.
- Why: The bug bypassed DLP policies, allowing AI processing of restricted content despite security labels.
Impact:
While Microsoft stated that no unauthorized access occurred (users could only see content they were already permitted to view), the incident raised concerns about AI integration with enterprise security. Potential risks included:
- Legal or financial discussions being summarized outside intended controls.
- HR communications exposed to automated analysis.
- Undermined trust in AI-driven productivity tools.
Microsoft’s Response:
The company confirmed the issue, stating that a configuration update was rolled out globally to exclude protected content from Copilot access. However, Microsoft has not disclosed the number of affected organizations or a final remediation timeline.
Broader Implications:
The incident underscores the challenges of balancing AI utility with security. As AI assistants gain deeper access to sensitive data, even minor coding errors can create unexpected exposure, highlighting the need for rapid policy adaptation and transparency in AI deployments.
Incident details: Type: Vulnerability; Impact: Data breach; References: not listed
January 2026: 749
Vulnerability, 14 Jan 2026, Microsoft Copilot
Source: Microsoft: “Reprompt” attack lets attackers steal data from Microsoft Copilot
Reprompt: Microsoft Copilot Data Theft Bypass
Score: 747
Severity: CRITICAL-2
Incident ID: MIC1768486731
Microsoft Copilot Vulnerability Exposed: "Reprompt" Attack Bypasses Safety Mechanisms
Researchers uncovered a method to exploit Microsoft Copilot’s URL parameter handling, enabling attackers to hijack user sessions and steal data without detection. Dubbed Reprompt, the attack leverages hidden malicious prompts embedded in seemingly legitimate Copilot links, which execute automatically upon loading, requiring only a single click from the victim.
Copilot, Microsoft’s AI assistant integrated into Windows, Edge, and consumer apps, connects to personal accounts, making it a prime target for session-based attacks. The vulnerability stemmed from Copilot’s auto-execution of prompts via the q URL parameter, allowing attackers to inject instructions into an authenticated session. Unlike traditional prompt injection attacks, Reprompt required no user input, plugins, or connectors, evading both user awareness and client-side monitoring tools.
The attack’s simplicity lay in bypassing Copilot’s safeguards by instructing the AI to repeat actions twice. Once the initial prompt executed, attackers’ servers issued follow-up commands based on prior responses, creating an undetected chain of requests. This method obscured the attack’s true intent, making it difficult to trace.
Microsoft patched the flaw in its January Patch Tuesday update, with no evidence of in-the-wild exploitation. However, the incident highlights persistent risks in AI assistants that process untrusted inputs, such as URL parameters or external content, without robust separation or filtering. While Copilot Personal lacked enterprise-grade protections, Microsoft 365 Copilot offers additional safeguards, including Purview auditing and data loss prevention (DLP) policies to block sensitive data exposure.
The company is also testing policies allowing IT administrators to disable Copilot on managed devices, addressing concerns over unauthorized AI tool usage. The discovery underscores the ongoing challenges of securing AI-driven assistants against evolving exploitation techniques.
Incident details: Type: Vulnerability; Impact: Data breach; References: not listed
December 2025: 749
November 2025: 749
October 2025: 749
September 2025: 749
August 2025: 749
July 2025: 749
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Microsoft Copilot?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in May 2026?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in April 2026?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in March 2026?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in February 2026?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in January 2026?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in December 2025?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in November 2025?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in October 2025?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in September 2025?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in August 2025?
What was Microsoft Copilot's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Microsoft Copilot's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Microsoft Copilot?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Microsoft Copilot's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?