HIGHLIGHTS
- Microsoft fixed the SearchLeak flaw that could have exposed sensitive Microsoft 365 data through Copilot.
- Researchers found attackers could potentially misuse Copilot’s search feature to access emails, documents, and meeting files.
- Users are advised to keep Microsoft 365 updated, verify suspicious links, and limit AI access to sensitive data.
Microsoft’s AI-powered assistant, Copilot, recently faced a security vulnerability that could have exposed sensitive information stored in Microsoft 365 accounts. The issue, known as SearchLeak, was identified by cybersecurity researchers, who warned that attackers might have been able to access private data with very little interaction from users. Since Copilot is widely used by businesses to search documents, summarize emails, and retrieve information across Microsoft services, the flaw raised concerns about data security. Microsoft has since fixed the vulnerability and stated that it found no signs of the issue being exploited in real-world attacks. Even so, users are encouraged to follow good security practices, such as enabling strong authentication and regularly reviewing account security settings, to help protect their data.

The vulnerability was discovered by Dolev Taler, a security researcher at Varonis Threat Labs, who found that the issue stemmed from several weaknesses in Copilot’s search system. He explained that attackers could potentially send users what appeared to be a harmless link containing hidden instructions. If a user clicked on the link, Copilot might mistakenly interpret those hidden commands as legitimate search requests, creating a possible pathway for sensitive information to be exposed.
According to the researchers, Copilot could be tricked into searching through data that the user already had access to, including emails, meeting summaries, documents, and files stored across Microsoft 365 services. The extracted information could then be hidden inside an image URL and transmitted through Bing, so the data left the system through a request that might not immediately raise security alerts, making the movement of sensitive information much harder for organizations to spot and track.
As a result, a wide range of information linked to Microsoft Copilot could have been exposed, including emails, meeting details, SharePoint documents, OneDrive files, and other sensitive business data. Since many organizations rely on Microsoft 365 to store important company information, the vulnerability had the potential to affect a large number of users.
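The exfiltration channel described above, data smuggled out inside an image URL, is the kind of traffic a defender can look for in web proxy logs. The script below is an added example, not code from the article or from Varonis; it flags image requests whose query parameters are unusually long or look like encoded blobs, while using a simple entropy check so that repetitive filler (cache-busting strings of one repeated character) is not reported. The log layout, thresholds and sample lines are all constructed assumptions.

```python
"""Flag image URLs whose query strings look like they carry encoded data.

Added example (not part of the original article or the Varonis research):
a defender-side heuristic for the pattern where extracted text is hidden in
an image URL. Log format, thresholds and sample lines are assumptions.
"""
import base64
import math
import re
from urllib.parse import parse_qsl, urlsplit

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")
# A query value this long is rare for a plain image fetch (assumed threshold).
MIN_SUSPICIOUS_LEN = 120
# Below this many bits per character the value is repetitive filler, not data.
MIN_SUSPICIOUS_ENTROPY = 3.0
# Long runs made only of base64/urlsafe-base64 characters.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_-]{60,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; the empty string scores 0."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_image_url(url: str) -> bool:
    """True when the URL path ends in a common image extension."""
    return urlsplit(url).path.lower().endswith(IMAGE_EXTENSIONS)


def suspicious_params(url: str) -> list[tuple[str, float]]:
    """Return (parameter name, entropy) for query values that look like payloads."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) >= MIN_SUSPICIOUS_LEN or BASE64ISH.match(value):
            ent = shannon_entropy(value)
            if ent >= MIN_SUSPICIOUS_ENTROPY:
                hits.append((key, round(ent, 2)))
    return hits


def scan_proxy_log(lines: list[str]) -> list[dict]:
    """Scan proxy log lines (assumed layout: 'timestamp user method url') and
    return one finding per image request whose query looks like it carries data."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        ts, user, _method, url = parts[0], parts[1], parts[2], parts[3]
        if not looks_like_image_url(url):
            continue
        hits = suspicious_params(url)
        if hits:
            findings.append({"time": ts, "user": user, "url": url, "params": hits})
    return findings


# Constructed sample: a fake e-mail fragment encoded the way an attacker might
# smuggle it into a query string (urlsafe base64, so it survives URL parsing).
SAMPLE_SECRET = base64.urlsafe_b64encode(
    b"From: CFO <cfo@example.com>\nSubject: Q3 board deck (DRAFT)\n"
    b"Merger talks with Contoso resume 14 Nov; term sheet attached."
).decode()

# Constructed proxy log lines: one benign fetch, one repetitive cache-buster,
# one line carrying the encoded fragment.
SAMPLE_LOG = [
    "2025-11-14T09:12:03Z bob GET https://cdn.example.com/logo.png?v=3",
    "2025-11-14T09:12:04Z carol GET https://cdn.example.com/bg.jpg?cache=" + "A" * 70,
    "2025-11-14T09:12:05Z alice GET https://img.example.net/pixel.png?q=" + SAMPLE_SECRET,
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding["time"], finding["user"], finding["params"])
```

On the constructed log only the `alice` line is reported: the `v=3` value is short, and the 70-character run of `A` matches the base64 pattern but has zero entropy, so it is dropped. In a real deployment the thresholds would need tuning against the organisation's own baseline of image and tracking traffic.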
Fortunately, there is no evidence that the flaw was ever used in real-world attacks. After being informed by the researchers, Microsoft quickly addressed the issue and released a fix. The company also classified the vulnerability as a significant security concern, highlighting the seriousness of the potential risk.
How to Protect Yourself from AI Security Risks

While vulnerabilities like this can sound alarming, there are several simple steps individuals and organizations can take to keep their data secure:
- Be cautious with links received through emails or chat messages. Even if a link appears legitimate, verify the sender before clicking on it.
- Keep your Microsoft 365 account and all workplace software updated with the latest security patches and updates.
- Follow the principle of least privilege by giving employees access only to the information and resources they need to perform their jobs.
- Regularly review and manage the permissions granted to AI tools to ensure they can only access the data necessary for their intended tasks.
Taking these precautions can significantly reduce the risk of sensitive information being exposed through security flaws or cyberattacks.