At a glance: Parameter-to-Prompt-Injection (P2P) becomes a new attack surface when AI search applications process URL parameters as natural language instructions.
Researchers from Varonis Threat Labs demonstrated with SearchLeak how URL parameters in Microsoft Copilot Enterprise can be abused for data exfiltration. Microsoft classified the vulnerability as critical and patched it server-side.
SearchLeak combines three vulnerabilities in the Copilot Enterprise implementation to compel employees to click on specially crafted links. The attack exploits a fundamental design characteristic of many AI-powered web applications: they accept URL parameters like ?q=[query] not merely as simple search terms, but as natural language prompts that a large language model executes directly.
The attack radius is substantial. While Copilot Personal accesses only limited data, Copilot Enterprise can retrieve everything the user has access to — emails, meeting invitations, SharePoint documents, OneDrive files and all other indexed business content. Depending on the M365 environment configuration, the attack surface can extend even further.
The critical security issue lies in the concatenation of two techniques: First, attackers must compel the language model to exfiltrate sensitive data — a challenge solved through URL parameters. Second, they need mechanisms to channel this data out of the browser session. Varonis researchers used HTML tags like <img> elements, which the browser automatically requests from external servers. Although Microsoft had implemented a countermeasure that wraps responses in <code> blocks — it proved circumventable.
This attack pattern is not isolated. Varonis identified in parallel Reprompt, a similar vulnerability in Microsoft Copilot Personal. Other AI search engines are also affected: In October 2024, researchers from LayerX found a prompt injection in Perplexity’s Comet Browser via the same ?q= parameter; in July 2025, Tenable disclosed a gap in ChatGPT. Mark Vaitsman, head of the Security Research Team at Varonis, confirmed that several other language models are vulnerable to similar techniques, although some have more restrictive protective measures.
Source: www.csoonline.com · Published June 19, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.