
Varonis discovered a three-stage vulnerability chain named SearchLeak that exploits Microsoft 365 Copilot Enterprise Search to exfiltrate emails, 2FA codes, and business documents. The attack uses Parameter-to-Prompt Injection, HTML injection, and CSP bypass via Bing SSRF to access indexed content including SharePoint and OneDrive files. Microsoft's safety guardrails fail when all three stages are combined.
Summary by ByteBrief