Critical Copilot vulnerability exposed user 2FA codes

Learn how a critical LLM exploit bypassed security to steal 2FA codes, exposing major flaws in AI search integration.
30-Second TL;DR
What Changed
The 'SearchLeak' exploit demonstrates how LLMs can be manipulated to exfiltrate sensitive data.
Why It Matters
This vulnerability poses a significant risk to enterprise security, as Copilot is deeply integrated into productivity workflows. It forces a re-evaluation of how LLMs handle sensitive data streams like authentication tokens.
What To Do Next
Audit your RAG pipeline to ensure sensitive authentication data is excluded from the LLM's retrieval context.
Deep Insight
Web-grounded analysis with 17 cited sources.
Enhanced Key Takeaways
- The 'SearchLeak' vulnerability, identified as CVE-2026-42824, was a three-stage attack chain combining a parameter-to-prompt injection, an HTML rendering race condition, and a Content Security Policy (CSP) bypass via Bing server-side request forgery (SSRF).
- This sophisticated attack allowed the exfiltration of sensitive data, including emails (potentially containing MFA codes), calendar details, and files accessible to the user through Microsoft Graph, all with a single click on a legitimate Microsoft link and without requiring a second interaction.
- Microsoft mitigated the 'SearchLeak' flaw on its backend and assigned it a critical severity rating, underscoring how AI systems can create novel pathways to exploit previously less impactful or older bug classes.
- Prior to 'SearchLeak', another significant vulnerability, 'EchoLeak', was disclosed in June 2025, representing a 'zero-click' attack on Microsoft 365 Copilot that could pull sensitive data from connected M365 sources simply by sending an email to a user.
- A systemic risk highlighted by these incidents is Microsoft Copilot's potential for overly permissive data access, as it inherits the user's full Microsoft 365 permissions and its outputs do not consistently retain security labels from source files, amplifying existing data governance challenges.
Technical Deep Dive
- SearchLeak (CVE-2026-42824) Mechanism: The attack exploited three chained vulnerabilities:
  - Parameter-to-Prompt (P2P) Injection: The `q` parameter in the Copilot Enterprise Search URL was manipulated to inject malicious instructions, which Copilot interpreted as executable commands rather than a simple search query.
  - HTML Rendering Race Condition: Microsoft's security guardrails wrap Copilot's output in `<code>` blocks to neutralize HTML markup. However, the browser renders the output stream as it arrives, allowing an injected `<img>` tag to be processed and fire its request before the sanitization process completes.
  - Content Security Policy (CSP) Bypass via Bing SSRF: The `<img>` tag's `src` attribute was crafted to leverage Bing's 'Search by Image' feature. This caused Bing's whitelisted infrastructure to make a server-side request to an attacker-controlled URL, effectively bypassing the victim's browser's CSP and exfiltrating data encoded in the URL path to the attacker's logs.
- Data Access Model: Microsoft 365 Copilot operates within the user's existing Microsoft 365 identity and access controls, utilizing Microsoft Graph to access data (emails, chats, documents) that the user is already authorized to see.
- Data Protection: User prompts and AI-generated responses are encrypted in transit (using TLS/SSL) and at rest (using AES-256).
- Contextual Security: Copilot incorporates data protection prompts and security markers (e.g., from Microsoft Purview or DLP) to prevent sensitive information from being exposed in generated responses, ensuring content is not summarized or shared unless user permissions and compliance context allow.
- Underlying Model: Copilot utilizes the Microsoft Prometheus model, which is built upon OpenAI's GPT large language models and fine-tuned using supervised and reinforcement learning techniques.
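The HTML rendering race condition from the mechanism list above, modeled as an added example that is not Microsoft's code and not part of the original article: the same constructed stream is rendered once with sanitization applied only after the stream ends and once with each chunk escaped before it reaches the parser. All function names, the sample stream and the example.invalid URL are assumptions made for illustration.

```javascript
// Added example. All names, the sample stream and the example.invalid URL are constructed.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);

// True if the HTML handed to the parser contains any tag other than the <code> wrapper.
const hasLiveMarkup = (html) => /<(?!\/?code>)[a-z\/][^>]*>/i.test(html);

// Weak pattern: every partial stream is parsed as HTML; the <code> wrap lands only at the end.
function renderThenSanitize(chunks) {
  const frames = [];
  let raw = "";
  for (const chunk of chunks) {
    raw += chunk;
    frames.push(raw); // what the browser parses while the stream is still open
  }
  frames.push(`<code>${escapeHtml(raw)}</code>`);
  return frames;
}

// Hardened pattern: escape each chunk before it reaches the parser, so no frame is ever live.
// Escaping is per character, so a tag split across chunks is still neutralized.
// In a real DOM the same effect comes from appending text nodes instead of assigning innerHTML.
function escapePerChunk(chunks) {
  const frames = [];
  let safe = "";
  for (const chunk of chunks) {
    safe += escapeHtml(chunk);
    frames.push(`<code>${safe}</code>`);
  }
  return frames;
}

// Index of the first frame in which markup would be parsed as an element, or -1 if none is.
const firstLiveFrame = (frames) => frames.findIndex(hasLiveMarkup);

// Constructed stream: the tag is deliberately split across two chunks.
const sampleStream = ["Results: ", "<im", 'g src="https://example.invalid/pixel">', " done"];

const weak = renderThenSanitize(sampleStream);
const hardened = escapePerChunk(sampleStream);
console.log("weak: first live frame =", firstLiveFrame(weak));
console.log("weak: final frame live =", hasLiveMarkup(weak[weak.length - 1]));
console.log("hardened: first live frame =", firstLiveFrame(hardened));
```

The weak renderer's final frame is clean and identical to the hardened one, which is why a check on the finished output alone misses the window in which the image request has already been issued.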
Original source: Ars Technica AI