
Varonis discovered SearchLeak, a chain of three flaws in Microsoft 365 Copilot that enables one-click data theft from inbox, OneDrive, and SharePoint. The attack uses prompt injection, an HTML race condition, and a Bing SSRF. Microsoft patched the vulnerability, rated 10/10 critical, earlier this month.
Summary by ByteBrief
SearchLeak bug chain hits Microsoft 365 Copilot