Background
On June 16, 2026, security researchers at SearchLeak publicly disclosed a critical vulnerability in Microsoft 365 Copilot that could be weaponized to exfiltrate two-factor authentication (2FA) codes with a single click. The exploit, dubbed "SearchLeak," demonstrated that specially crafted prompts could trick Microsoft 365 Copilot—an AI assistant deeply integrated into the Microsoft 365 ecosystem—into divulging sensitive authentication tokens directly from a user's active session.
Microsoft Copilot is a generative artificial intelligence chatbot developed by Microsoft AI, based on the Microsoft Prometheus large language model. It was launched in 2023 as Microsoft's main replacement for the discontinued Cortana. When integrated into Microsoft 365 (M365), Copilot gains access to a user's emails, calendar entries, messages, and other enterprise communications, enabling AI-assisted productivity features such as summarization, drafting, and information retrieval.
The SearchLeak vulnerability exploited this very access. Rather than requiring complex multi-step attacks, a single carefully crafted prompt could cause Copilot to retrieve and expose 2FA codes that were present in the user's email inbox or other accessible data stores. This turned the AI assistant into an unintentional data exfiltration tool, bypassing the security protections that 2FA is designed to provide.
The vulnerability represents a novel class of AI-powered social engineering, where the attacker does not trick the human user directly but instead manipulates the AI agent into acting against the user's security interests. Microsoft has since patched the flaw, but the incident has raised broader questions about the security implications of granting AI agents broad, unimpeded access to enterprise communications and authentication flows.
Social reception
While the provided payload does not contain direct social media excerpts or platform-specific reaction data, the disclosure itself, published by Ars Technica on June 16, 2026, carries significant weight in the cybersecurity community. Ars Technica is a widely read technology news outlet whose security coverage is regularly cited by security practitioners, researchers, and enterprise IT departments. The publication of the SearchLeak findings on such a platform suggests a high level of awareness within the security research community.
The choice of the title "We Turned M365 Copilot into a One-Click Data Exfiltration Weapon" indicates a provocative framing intended to draw attention to the severity of the flaw. This type of language is characteristic of responsible disclosure processes where researchers aim to spur rapid vendor response and raise public awareness.
Given the sensitivity of the vulnerability—turning an enterprise productivity tool into a mechanism for stealing 2FA codes—it is reasonable to infer that the disclosure generated significant discussion on platforms such as X (formerly Twitter), Reddit (particularly r/netsec and r/sysadmin), Hacker News, and industry forums like the Microsoft Security Response Center blog. However, the provided payloads do not include specific social media data points, and this section must remain limited to what is directly supported.
Academic context
The provided payloads do not contain references to academic papers, conference proceedings, or scholarly publications that explicitly discuss the SearchLeak vulnerability. However, the vulnerability touches upon several established research domains in computer science and security.
AI Safety and Prompt Injection. The SearchLeak vulnerability falls under the broader category of prompt injection attacks, a well-documented area of AI security research. Prompt injection occurs when an attacker crafts input that causes a language model to override its intended instructions or safety guardrails. In this case, the "specially crafted prompts" are essentially a form of indirect prompt injection, where the attacker's input (appearing to be a benign request) causes Copilot to access and expose data that should remain confidential.
Agent Security. The incident also relates to research on AI agent security, which examines the risks of giving language models the ability to act on behalf of users in real-world systems (e.g., reading emails, sending messages, making API calls). The SearchLeak exploit demonstrates a concrete failure mode: an agent with legitimate access was manipulated into performing an illegitimate action. This aligns with concerns raised in academic literature about the need for least-privilege access controls, human-in-the-loop verification, and output sanitization for AI agents operating in enterprise environments.
2FA Bypass Techniques. Academic research on two-factor authentication has long documented various bypass methods, including phishing, SIM swapping, man-in-the-middle attacks, and real-time proxy attacks. The SearchLeak vulnerability introduces a new vector: using an AI assistant's data access capabilities to retrieve 2FA codes that are stored or transmitted in a manner accessible to the agent. This highlights a design tension: 2FA codes are often delivered via email or messaging, but if an AI assistant can read those same channels, the 2FA protection is effectively undermined.
Responsible Disclosure. The fact that Microsoft has patched the flaw suggests that SearchLeak followed a responsible disclosure process, though the timeline is not specified in the provided data. Responsible disclosure is a well-studied practice in cybersecurity research, balancing the need for vendors to fix vulnerabilities before public release against the public's right to know about security risks.
While no specific academic paper is cited in the payloads, the SearchLeak vulnerability is directly relevant to ongoing research in AI security, prompt engineering, and enterprise authentication architecture.
Origin
The primary origin of the SearchLeak disclosure is an article published on Ars Technica on June 16, 2026, titled "SearchLeak: We Turned M365 Copilot into a One-Click Data Exfiltration Weapon." The article was published at 13:37:58 UTC.
The security researchers identified as "SearchLeak" are the discoverers of the vulnerability. Based on standard security research practices, SearchLeak would have:
- Discovered the vulnerability during testing of Microsoft 365 Copilot's data access capabilities.
- Demonstrated that specially crafted prompts could trick Copilot into exfiltrating sensitive data, including 2FA tokens.
- Reported the vulnerability to Microsoft through a responsible disclosure process.
- Coordinated with Microsoft on the timing of public disclosure after a patch was made available.
The article on Ars Technica serves as the public disclosure vehicle. The URL is:
https://arstechnica.com/security/2026/06/critical-copilot-vulnerability-allowed-hackers-to-seal-2fa-code-from-users/
It should be noted that the URL slug includes the phrase "seal-2fa-code-from-users," which may contain a typographical error (likely intended to be "steal-2fa-code-from-users"), but the URL is recorded as provided in the payload.
The earliest publication date for this information is June 16, 2026, with zero propagation hops, indicating that the Ars Technica article is the original source from which all other reporting derives.
Company & product
Company: Microsoft Corporation. The vulnerability affects a product developed by Microsoft, one of the world's largest technology companies. Microsoft is headquartered in Redmond, Washington, and develops a wide range of software, hardware, and cloud services.
Product: Microsoft 365 Copilot. Microsoft 365 Copilot (also referred to as M365 Copilot) is an AI-powered assistant integrated into the Microsoft 365 productivity suite. It is based on the Microsoft Prometheus large language model, which itself builds on technology from OpenAI's GPT models. Microsoft Copilot was launched in 2023 as the successor to the Cortana digital assistant, and it operates across Microsoft 365 applications including Outlook, Teams, Word, Excel, PowerPoint, and others.
Key features of M365 Copilot relevant to this vulnerability:
- Data Access. Copilot has the ability to read emails, calendar events, messages (including Teams chats), and documents within the user's Microsoft 365 environment.
- Contextual Assistance. It uses this data to provide summaries, draft responses, retrieve information, and perform other productivity-enhancing tasks.
- Prompt-Based Interaction. Users interact with Copilot through natural language prompts, which the AI interprets to determine what actions to take.
The Vulnerability Mechanism. The SearchLeak exploit weaponized Copilot's data access capability. Because Copilot could read a user's email inbox, and because 2FA codes are commonly sent via email, a carefully crafted prompt could trick Copilot into reading and exposing those codes. The critical insight is that the attacker does not need to compromise the 2FA channel directly; they only need to manipulate the AI that has legitimate access to that channel.
Post-Patch Status. Microsoft has patched the flaw, though the specific nature of the patch (e.g., restricting Copilot's access to certain types of content, adding output filtering, implementing prompt validation) is not detailed in the provided payloads.
Broader Product Implications. M365 Copilot is part of a broader wave of AI-integrated enterprise products. Similar vulnerabilities could theoretically affect competitors' products (e.g., Google Workspace's Duet AI, Salesforce Einstein GPT, or other AI assistants with access to enterprise data). The SearchLeak disclosure serves as a case study for the security risks inherent in granting AI agents broad, unconstrained access to sensitive enterprise data streams.
Synthesis
The SearchLeak vulnerability in Microsoft 365 Copilot represents a significant milestone in the evolution of AI security threats. It moves beyond theoretical concerns about prompt injection and demonstrates a concrete, weaponizable exploit that can bypass one of the most widely deployed security controls in enterprise environments: two-factor authentication.
Several key observations emerge from the analysis:
1. A New Attack Surface for Enterprise AI. The vulnerability is not a traditional software bug (like a buffer overflow or SQL injection). It is a design-level risk arising from the intersection of three factors: (a) broad data access granted to an AI agent, (b) natural language as an attack vector, and (c) the presence of sensitive authentication material (2FA codes) in data streams that the agent can read. This combination creates an attack surface that traditional security tools are not designed to defend.
2. The Failure of "Trusted Agent" Assumptions. Many enterprise security architectures implicitly trust authorized agents (whether human users or software processes) that have legitimate credentials. The SearchLeak exploit demonstrates that an AI agent with legitimate credentials can be manipulated into acting against the user's interests. This undermines the assumption that "authorized access" is sufficient for security. Future designs may need to implement additional layers of verification, such as requiring explicit user confirmation for actions that involve reading or transmitting sensitive authentication data.
3. Responsible Disclosure Worked. The fact that Microsoft has patched the flaw and that SearchLeak coordinated public disclosure through a reputable outlet (Ars Technica) suggests that the responsible disclosure process functioned as intended. However, the timeline is unclear, and it is impossible to assess from the provided data how long the vulnerability existed before discovery, how long it took Microsoft to patch, or whether any exploitation occurred in the wild.
4. Broader Implications for 2FA Security. The use of email as a delivery channel for 2FA codes has long been criticized by security experts as a weak form of two-factor authentication (since email accounts themselves are often protected by passwords). The SearchLeak vulnerability adds a new dimension to this critique: even if the email account is secure, an AI assistant that can read the email can be tricked into exposing the codes. Organizations may need to reconsider their reliance on email-delivered 2FA codes, especially when AI assistants are deployed in their environment.
5. The Arms Race in AI Security. The SearchLeak vulnerability is likely not an isolated incident. As AI agents become more deeply integrated into enterprise workflows, similar vulnerabilities will inevitably be discovered. Each disclosure will trigger a cycle of: exploit discovery → patch → new class of exploit. Microsoft's response to this particular flaw will be an important case study, but the broader industry must develop systematic approaches to AI agent security, including:
- Least-privilege data access: AI agents should only access the minimum data necessary for their function.
- Output filtering: Exfiltration of sensitive data (like 2FA codes) should be detected and blocked at the output stage.
- Prompt sanitization and validation: Input prompts should be analyzed for known manipulation patterns.
- Human-in-the-loop verification: For sensitive operations, the AI should require explicit user approval before proceeding.
- Audit logging: All AI agent data access should be logged and reviewable.
6. Limitations of This Analysis. The provided payloads are limited in scope. They do not include the full technical details of the exploit (the specific prompts used, the exact data access required, the conditions under which the exploit succeeds), nor do they include information about the timeline of discovery and patching, the number of users potentially affected, whether Microsoft considers the vulnerability to have been exploited in the wild, or the specific technical details of the patch. Additionally, no social media data, academic publications, or supplementary reporting are included in the payloads.
7. Outlook. The SearchLeak disclosure will likely accelerate efforts within Microsoft and across the industry to implement more robust security controls for AI agents. It may also influence regulatory discussions around AI safety, particularly in the context of enterprise AI deployment. For enterprise customers, this incident serves as a reminder to review the access permissions granted to AI assistants and to consider whether 2FA code delivery via email remains appropriate in environments where AI agents are active.
In conclusion, the SearchLeak vulnerability is a well-documented, critical flaw that was responsibly disclosed and patched. It highlights fundamental security challenges in the design of AI agents with enterprise data access and serves as an important case study for the field of AI security.
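The output-filtering, human-in-the-loop and audit-logging controls listed under item 5 can be combined in one output-stage gate. The following is an added Python example, not code from the article, from SearchLeak or from Microsoft's patch (whose details are not public here); the function names, keyword list, window size and sample text are assumptions made for illustration.

```python
import re

# Assumed keyword list: words that usually accompany a one-time code in a message.
CONTEXT = re.compile(
    r"\b(?:verification|security|one[- ]time|login|sign[- ]in|authentication|"
    r"passcode|otp|2fa|mfa)\b", re.IGNORECASE)
# 6-8 digits with at most one space/hyphen in the middle, or a bare 4-5 digit run.
CODE = re.compile(r"(?<![\w-])(?:\d{3,4}[ -]?\d{3,4}|\d{4,5})(?![\w-])")
WINDOW = 40  # characters of context inspected on each side of a candidate

def redact_otps(text):
    """Return (redacted_text, findings). Findings hold offsets only, never the code."""
    findings = []

    def repl(m):
        lo, hi = max(0, m.start() - WINDOW), min(len(text), m.end() + WINDOW)
        if CONTEXT.search(text[lo:hi]):
            findings.append({"offset": m.start(), "length": len(m.group())})
            return "[REDACTED-OTP]"
        return m.group()  # digits without authentication context pass through

    return CODE.sub(repl, text), findings

def release(agent_output, user_confirmed=False):
    """Output-stage gate: withhold one-time codes unless the user approved."""
    redacted, findings = redact_otps(agent_output)
    if findings and not user_confirmed:
        return {"text": redacted, "blocked": len(findings),
                "needs_confirmation": True, "audit": findings}
    return {"text": agent_output, "blocked": 0,
            "needs_confirmation": False, "audit": findings}

# Constructed agent output: one e-mailed code and one unrelated number.
SAMPLE = (
    "Inbox summary:\n"
    "1. Contoso: 'Your verification code is 482 913. It expires in 10 minutes.'\n"
    "2. Fabrikam: invoice 20417 for the March hosting bill is due on Friday.\n"
)

if __name__ == "__main__":
    result = release(SAMPLE)
    print(result["text"])
    print("blocked:", result["blocked"], "audit:", result["audit"])
```

The audit entries record only where a code was found, so the log itself does not become a second copy of the secret.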