Bottom line: Three chained bugs in Microsoft 365 Copilot allowed attackers to exfiltrate corporate data via a legitimate microsoft.com link, because traditional anti-phishing filters do not block links to legitimate domains.
Researchers at Varonis Threat Labs discovered a chained vulnerability in Microsoft 365 Copilot Enterprise Search that would have enabled attackers to exfiltrate emails, calendar entries, and indexed files through a single click on a legitimate Microsoft link.
The attack scenario, which Varonis Threat Labs documented under the name SearchLeak, combined three vulnerabilities into a one-click exfiltration mechanism. An attacker could create a manipulated link to a genuine microsoft.com domain – not a phishing domain. This enabled the attack to bypass traditional URL filters and anti-phishing tools, since these typically do not block legitimate Microsoft domains.
For a CISO, this scenario represents a governance risk on multiple levels: First, it demonstrates a compromised trust chain – the attacker exploits the legitimacy of the provider itself to gain access. Second, data exfiltration was possible without any additional authentication step once the user clicked the link. Third, traditional security measures had no way to detect this attack variant as long as the domain was genuine.
Varonis has reported the vulnerability to Microsoft. Organizations should verify the status of remediation and, in parallel, evaluate which corporate data is exposed through Copilot Enterprise Search. They should also check whether access control policies exist at the Copilot level and whether activity logs capture suspicious data access.
Source: thehackernews.com · Published 15 June 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.