Researchers Turn Microsoft 365 Copilot Into Potent Data Theft Tool With Single Click
copilot microsoft
| Source: Mastodon | Original article
Researchers exploit M365 Copilot vulnerability for data theft. A security flaw turns the tool into a data exfiltration weapon.
Varonis Threat Labs has discovered a critical vulnerability chain in Microsoft 365 Copilot Enterprise, dubbed SearchLeak, which allows attackers to steal sensitive data with a single click. This vulnerability combines a new class of AI-specific vulnerability, Parameter-to-Prompt Injection, with two classic web security bugs, enabling attackers to exfiltrate data such as MFA codes, email messages, and private organizational files.
This finding matters because it highlights the emerging risks associated with AI-powered tools, particularly in enterprise environments where sensitive data is abundant. The fact that SearchLeak can be exploited with a single click makes it a significant concern for organizations relying on Microsoft 365 Copilot. As we previously reported, similar vulnerabilities like Reprompt have been discovered in Copilot Personal, underscoring the need for increased vigilance in securing AI-driven systems.
As the situation unfolds, it will be essential to watch for Microsoft's response to the SearchLeak vulnerability, including any patches or mitigations they may release to address the issue. Additionally, organizations should be cautious when implementing AI-powered tools, ensuring they have robust security measures in place to prevent such vulnerabilities from being exploited.
Sources
Back to AIPULSEN