Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Varonis: SearchLeak: How Hackers Exploit Copilot to Steal Data

Varonis
07/04/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


it's a chain reaction designed to steal data. Firm's Threat Labs recently uncovered a new AI attack called Search Leak. Search Leak is like ordering something simple, like a nice little cookie. The bag shows up completely normal, but there's a hidden label on the bag, and the moment it appears, it automatically sends an order to go somewhere else. That's basically what's happening with Search Leak. It starts with a link you get at work, through Teams, email, Slack, anything. You click it, and it just opens Copilot, but that link contains hidden instructions, so instead of just searching, the Copilot that's plugged into your workplace starts digging through your mailbox. It then hides what it finds in an image tag waiting to be opened. That image request gets routed through Bing, which then hands it off to the attacker. In Copilot, Bing is trusted, and kind of unassuming, making it the perfect middleman for this attack. Search Leak comes off the heels of Varonis Threat Labs' discovery of Reprompt. The danger of this attack comes from a chain of older issues, like injection, race conditions, and server-side requests, now stitched together by AI and enabled by a single click. Microsoft patched this, but there's a lesson to be learned. AI attacks aren't always about brand new tricks. AI might just be connecting older weaknesses in ways we haven't seen before. So please, keep an eye on your AI.

TL;DR

  • Varonis Threat Labs discovered SearchLeak, an attack that hijacks Microsoft Copilot Enterprise via prompt injection to silently search and exfiltrate data from corporate mailboxes.
  • The attack is triggered by a single malicious link sent through Teams, email, or Slack, requiring no additional user interaction beyond clicking.
  • Stolen data is smuggled out through Bing image requests, exploiting Bing's trusted status within the Copilot environment as a covert exfiltration channel.

Summary

Varonis Threat Labs has uncovered SearchLeak, a novel AI-enabled attack chain that weaponizes Microsoft Copilot Enterprise to silently exfiltrate sensitive data from corporate mailboxes. The attack begins with a seemingly harmless link delivered through common workplace channels — Teams, email, or Slack. When clicked, the link opens Copilot but embeds hidden prompt injection instructions that direct the AI to search through the victim's mailbox without their knowledge. Exfiltrated data is concealed inside an image tag, which routes an outbound request through Bing — a trusted, low-suspicion domain within the Copilot ecosystem — ultimately delivering the stolen information to the attacker. What makes SearchLeak particularly dangerous is that it doesn't rely on a single zero-day vulnerability. Instead, it chains together well-known weaknesses — prompt injection, race conditions, and server-side request forgery — and uses AI as the connective tissue to execute them with a single click. Microsoft has since patched the vulnerability, but the broader lesson is significant: AI systems can amplify the impact of legacy attack techniques in ways defenders haven't yet anticipated. SearchLeak follows Varonis Threat Labs' earlier discovery of Reprompt, signaling an emerging pattern of AI-native attack research from the firm.

Chapters

0:00 - Introducing SearchLeak
0:09 - How the Attack Works
0:38 - Bing as the Exfiltration Channel
0:59 - Patch & Key Takeaway

Key Quotes

0:00 "The latest AI attack isn't a single flaw, it's a chain reaction designed to steal data."
0:42 "In Copilot, Bing is trusted, and kind of unassuming, making it the perfect middleman for this attack."
1:02 "AI attacks aren't always about brand new tricks. AI might just be connecting older weaknesses in ways we haven't seen before."

FAQ

Has Microsoft fixed the SearchLeak vulnerability?

Yes. According to Varonis, Microsoft has patched the SearchLeak vulnerability. However, the attack illustrates a broader risk: AI can chain legacy weaknesses in new ways, so ongoing vigilance around AI-connected tools remains essential.

How does SearchLeak exfiltrate data without the victim noticing?

The attack hides stolen data inside an image tag embedded in a Copilot response. When that image loads, it sends an outbound request routed through Bing — a trusted domain — which then passes the data to the attacker, all without visible user interaction.


Categories:
  • » Webinar Library » Varonis
  • » Data Protection » Backup & Recovery
  • » Data Protection
Channels:
News:
Events:
Tags:
  • AI & Machine Learning
  • Threat Intelligence
  • Security Operations
  • Short Form
  • Data Protection
  • AI security vulnerabilities
  • Prompt injection attacks
  • Microsoft Copilot Enterprise
  • Data exfiltration techniques
  • Threat research
  • Legacy vulnerability chaining
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Varonis: SearchLeak: How Hackers Exploit Copilot to Steal Data

              Upcoming Webinar Calendar

              • 07/09/2026
                01:00 PM
                07/09/2026
                The HUMAN Experience: Empowering Agentic Trust in Practice
                https://www.truthinit.com/index.php/channel/2026/the-human-experience-empowering-agentic-trust-in-practice/
              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting an Elite Security Team to Achieve Championship-Level Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-an-elite-security-team-to-achieve-championship-level-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in AI Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-ai-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/21/2026
                01:00 PM
                07/21/2026
                HUMAN Dialogue: Insights from Attackers During the FIFA World Cup
                https://www.truthinit.com/index.php/channel/2029/human-dialogue-insights-from-attackers-during-the-fifa-world-cup/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Innovations in Data Privacy and Digital Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-innovations-in-data-privacy-and-digital-protection/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                09

                The HUMAN Experience: Empowering Agentic Trust in Practice

                07/09/202601:00 PM ET
                • Jul
                  14

                  Crafting an Elite Security Team to Achieve Championship-Level Defense

                  07/14/202601:00 PM ET
                  • Jul
                    14

                    Understanding the Crucial Role of Context in AI Data

                    07/14/202602:00 PM ET
                    • Jul
                      21

                      Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                      07/21/202604:00 AM ET
                      • Jul
                        21

                        HUMAN Dialogue: Insights from Attackers During the FIFA World Cup

                        07/21/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version