Researchers at Varonis Threat Labs discovered a chain of three vulnerabilities in Microsoft 365 Copilot Enterprise Search, dubbed ‘SearchLeak’, that could be triggered by a single click on a legitimate microsoft.com link. The attack could silently exfiltrate emails, calendar entries, indexed files, and MFA codes without any obvious warning signs. Because the malicious link originated from a trusted Microsoft domain, standard phishing filters and URL-blocking tools would not have flagged it.

Security Architect’s Take: Verify that Microsoft’s patch for the SearchLeak vulnerability chain has been applied across your Microsoft 365 tenant and review Copilot Enterprise Search permissions to ensure data access is scoped to least-privilege. Additionally, consider whether your existing DLP and CASB controls can detect abnormal Copilot-driven data access patterns, as perimeter URL filtering alone is insufficient against same-domain attack chains.

Original advisory: One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes