A Copilot Flaw Lets One Click Steal Inboxes, Files, and MFA Codes
Varonis chained three bugs into SearchLeak, a one-click Copilot attack that silently exfiltrates emails, files, and MFA codes.
"Bing becomes an unwitting exfiltration proxy"
BleepingComputer
Microsoft bolted Copilot into enterprise search, and researchers at Varonis turned the bolt into a back door, chaining three flaws into an attack they call SearchLeak. The chain lets an attacker steal sensitive data, MFA codes, email messages, meeting details, and private organizational files, with a single click. The whole heist rides a real microsoft.com link, so traditional anti-phishing and URL filtering tools were unlikely to flag it, and the victim sees nothing but Copilot thinking. Microsoft patched the hole and rated it critical, which is corporate for "the helpful assistant was also the burglar." See BleepingComputer on the SearchLeak attack.
Source: BleepingComputer · Bill Toulas