Microsoft patched a maximum-severity vulnerability in M365 Copilot on Tuesday, June 17, 2026, after researchers from security firm Varonis disclosed an exploit chain that could extract two-factor authentication codes, emails, and other sensitive organizational data from enterprise users.
The attack, named SearchLeak, exploited a fundamental architectural weakness in how large language models distinguish between user instructions and malicious commands embedded in third-party content. According to Varonis researchers, Copilot and peer LLM products are unable to reliably tell the difference between legitimate user requests and instructions injected into emails, web pages, or other materials the models process on a user's behalf.
The exploit chain combined three discrete techniques. First, attackers sent targets a URL containing a Parameter-to-Prompt Injection—a malicious instruction hidden in a query parameter rather than in visible text. When a user clicked the link, Copilot automatically complied with the embedded command to search the user's emails and extract sensitive titles.
Second, the researchers identified a timing gap in Copilot's guardrails. The platform normally wraps output in `<code>` blocks to render sensitive data as plain text, preventing execution. However, the guardrail activates only after Copilot completes its "thinking" phase. During the streaming response, Copilot generated raw HTML—including an `<img>` tag pointing to an attacker-controlled domain. The browser rendered the image tag and fired an HTTP request to fetch it before the guardrail could wrap the output, sending the stolen data in the image URL.
Third, to circumvent Copilot's content security policy—which restricts outbound requests to untrusted domains—the researchers routed the exfiltrated data through Bing, a site Copilot is permitted to contact. The attacker-controlled URL was nested inside a Bing image search request, allowing the stolen data to reach the attacker's server via Bing's logs.
Varonis noted that SearchLeak's "blast radius" extends beyond personal data. Enterprise users of M365 could have their organizational emails, meeting invites, notes, SharePoint documents, and OneDrive files exposed—the full scope of content accessible within the user's account.
Microsoft has fixed the specific vulnerabilities that SearchLeak exploited. However, researchers and the Ars Technica article note a broader pattern: LLM providers have found no structural remedy for the core problem—the inability of AI systems to enforce a reliable boundary between user intent and injected instructions. Without a fundamental architectural fix, attackers will continue to discover new ways to circumvent whatever guardrails vendors construct, perpetuating a cycle of disclosure and patch.