A newly disclosed vulnerability chain in Microsoft 365 Copilot Enterprise gave attackers the ability to siphon sensitive corporate data — including emails, OneDrive files, and SharePoint documents — by simply tricking a user into clicking a single URL.

The attack, dubbed "SearchLeak," was reported by BleepingComputer and represents a significant escalation in how adversaries can exploit AI-powered productivity tools. Rather than relying on traditional phishing or malware delivery, the technique weaponises the deep data access that Copilot already possesses by design, turning a feature meant to boost productivity into a vector for one-click data exfiltration.

How the Attack Works

SearchLeak chains together multiple weaknesses in how Microsoft 365 Copilot Enterprise processes and retrieves information. The attack begins with a specially crafted URL that, when clicked by a target user, triggers Copilot to access data from the victim's mailbox, OneDrive storage, or SharePoint sites and relay it to an attacker-controlled destination — all within the context of a single interaction.

The critical insight is that Copilot operates with the same permissions as the user who triggers it. Because the assistant is designed to search across an organisation's Microsoft 365 environment, a successful exploit effectively grants the attacker access to whatever that particular user can see — without requiring stolen credentials or a compromised account in the traditional sense.

Why AI Assistants Expand the Attack Surface

The SearchLeak chain illustrates a fundamental challenge in securing AI copilots embedded within enterprise software. These tools are built to have broad, privileged access to organisational data so they can answer natural-language queries, summarise documents, and draft communications. That breadth of access, however, becomes a liability if the assistant itself can be manipulated.

Traditional security controls — endpoint detection, email filtering, data loss prevention — are typically designed to catch malicious files, suspicious network traffic, or anomalous user behaviour. An attack that piggybacks on a legitimate, trusted AI assistant's own data retrieval processes may not trigger any of these alarms, making it particularly difficult to detect with existing tooling.

Microsoft's Response

According to BleepingComputer, Microsoft has been notified of the vulnerability and has taken steps to address the issue. The company has not publicly disclosed the full technical details of the flaw or a specific timeline for a comprehensive fix, but the report indicates that mitigations have been applied to affected Copilot Enterprise environments.

Security teams running Microsoft 365 Copilot Enterprise should verify that their instances have received the latest updates and review Copilot's access policies to ensure the principle of least privilege is enforced.

Broader Implications for Enterprise Security

The discovery carries several takeaways for IT and security professionals:

  • AI assistants must be treated as high-privilege components in organisational threat models. Their legitimate access to sensitive data makes them high-value targets for exploitation.
  • One-click attack chains reduce the barrier to entry for adversaries. Requiring only a URL click — rather than credential theft or malware installation — makes social engineering far more effective.
  • Visibility into AI assistant behaviour is essential. Organisations need logging and monitoring that specifically covers what data their AI tools are accessing and where that data flows.
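The monitoring described in the last point can start as a simple triage pass over assistant interaction logs. The sketch below is an added example, not code from Microsoft or the original report. The record fields (`accessed_resources`, `workload`, `response_urls`), the thresholds and the domain allowlist are all assumptions standing in for whatever logging a tenant actually exports.

```python
from urllib.parse import urlparse

# Hypothetical, simplified record shape (not Microsoft's audit schema):
# one dict per assistant interaction, as exported by the tenant's own logging.
TRUSTED_SUFFIXES = ("sharepoint.com", "office.com", "microsoft.com")  # assumed allowlist
MAX_RESOURCES = 10  # assumed per-interaction ceiling; tune against a baseline
MAX_WORKLOADS = 2   # mail + OneDrive + SharePoint in a single turn is unusual

def external_hosts(urls, trusted=TRUSTED_SUFFIXES):
    """Return the hosts in a response that fall outside the allowlist."""
    hosts = set()
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        # Match on a dot boundary so "sharepoint.com.example.org" is not trusted.
        if host and not any(host == s or host.endswith("." + s) for s in trusted):
            hosts.add(host)
    return sorted(hosts)

def triage(record):
    """Return the reasons this interaction deserves analyst review."""
    reasons = []
    resources = record.get("accessed_resources", [])
    workloads = {r["workload"] for r in resources}
    if len(resources) > MAX_RESOURCES:
        reasons.append(f"broad read: {len(resources)} resources")
    if len(workloads) > MAX_WORKLOADS:
        reasons.append("cross-workload read: " + ",".join(sorted(workloads)))
    hosts = external_hosts(record.get("response_urls", []))
    if hosts and resources:
        reasons.append("data read with external link: " + ",".join(hosts))
    return reasons

def flagged(records):
    """Map interaction id -> reasons, for interactions with any reason."""
    return {r["id"]: why for r in records if (why := triage(r))}

# Constructed sample records, for illustration only.
SAMPLE = [
    {"id": "a1", "user": "alice@example.com",
     "accessed_resources": [{"workload": "sharepoint", "name": "Q3-plan.docx"}],
     "response_urls": ["https://contoso.sharepoint.com/sites/fin/Q3-plan.docx"]},
    {"id": "b2", "user": "bob@example.com",
     "accessed_resources": [{"workload": "mail", "name": "RE: payroll"},
                            {"workload": "onedrive", "name": "budget.xlsx"},
                            {"workload": "sharepoint", "name": "HR-cases.docx"}],
     "response_urls": ["https://files.example.net/report"]},
]

if __name__ == "__main__":
    for rid, why in flagged(SAMPLE).items():
        print(rid, why)
```

Each rule only raises an interaction for review; the thresholds need calibrating against normal assistant usage in the tenant before they are useful as alerts.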

As enterprises race to embed AI copilots into daily workflows, SearchLeak serves as a reminder that convenience and capability come with a proportional security cost. The tools that know the most about an organisation's data are, by extension, the most dangerous tools to compromise.

