TL;DR
A vulnerability chain called SearchLeak in Microsoft 365 Copilot Enterprise enables attackers to exfiltrate sensitive data from a victim's mailbox, OneDrive, and SharePoint via a single specially crafted URL. This matters now because Copilot's deep integration with enterprise data means the attack bypasses traditional perimeter defenses and requires no user interaction beyond clicking a link.
What Happened
On Monday, June 15, 2026, security researchers disclosed SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot Enterprise that turns the AI assistant into a one-click data theft tool. By sending a specially crafted URL, an attacker can silently extract emails, documents, and files from a target's Microsoft 365 environment without triggering standard security alerts.
Key Facts
- SearchLeak was discovered by researchers at Morphisec and disclosed on June 15, 2026, via BleepingComputer.
- The attack chain exploits Microsoft 365 Copilot's search and retrieval functions, which have access to a user's mailbox, OneDrive, and SharePoint.
- A single malicious URL can trigger data exfiltration without requiring the victim to enter credentials or approve permissions.
- The vulnerability affects Microsoft 365 Copilot Enterprise subscriptions, which are used by over 400,000 organizations globally.
- Microsoft has been notified and is working on a patch, but no fix was available at the time of disclosure.
- The attack works because Copilot indexes and caches user data across Exchange Online, OneDrive for Business, and SharePoint Online.
- SearchLeak is classified as a "chain" of vulnerabilities, meaning multiple weaknesses must be exploited in sequence for the attack to succeed.
Breaking It Down
The SearchLeak vulnerability chain represents a fundamental shift in how enterprise AI assistants can be weaponized. Unlike traditional phishing attacks that steal credentials or trick users into installing malware, SearchLeak exploits Copilot's legitimate data access capabilities. The AI assistant is designed to retrieve and summarize information from across a user's Microsoft 365 estate — exactly the functionality that attackers now hijack.
SearchLeak requires no authentication bypass or privilege escalation; it simply repurposes Copilot's own search and retrieval APIs to funnel data to an attacker-controlled endpoint.
The attack works in three stages. First, the victim clicks a specially crafted URL that appears legitimate — perhaps a shared document link or a meeting invitation. Second, Copilot processes the URL, which triggers a search query into which the attacker has embedded malicious parameters. Third, the search results, which include the victim's emails, files, and SharePoint documents, are silently redirected to the attacker's server through a cross-origin request that Microsoft 365 fails to properly validate.
What makes SearchLeak particularly dangerous is its stealth. Because the data exfiltration uses Copilot's own authenticated sessions and API calls, it appears to security monitoring tools as normal user activity. Traditional data loss prevention (DLP) systems, which look for unusual file downloads or email forwarding, do not flag AI-generated API calls as suspicious. The attack leaves no malware, no new processes, and no unusual network connections — only a single URL click in the victim's browser history.
The scale of exposure is staggering. Microsoft 365 Copilot launched in November 2023 and has been adopted by Fortune 500 companies, government agencies, and healthcare organizations. Each Copilot user typically has access to their entire Exchange Online mailbox, OneDrive for Business storage, and all SharePoint Online sites they have permissions for. A single successful SearchLeak attack could exfiltrate years of email correspondence, confidential documents, and proprietary business data.
What Comes Next
- Microsoft's emergency patch — Expect an out-of-band security update from Microsoft within 7–14 days of the June 15 disclosure. The fix will likely involve stricter validation of URL parameters passed to Copilot's search APIs and additional cross-origin request checks.
- CISA advisory — The Cybersecurity and Infrastructure Security Agency (CISA) is expected to issue an emergency directive for U.S. federal agencies using Microsoft 365 Copilot, likely mandating temporary disabling of the feature until a patch is applied.
- Enterprise mitigation steps — Organizations will need to implement conditional access policies that restrict Copilot usage to trusted networks and devices. Microsoft may also release guidance for disabling specific Copilot search capabilities as a temporary workaround.
- Proof-of-concept publication — Security researchers at Morphisec have stated they will release technical details of the SearchLeak chain once Microsoft patches the vulnerability, which will likely trigger a wave of exploitation attempts.
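As an added illustration (not code from the article, Morphisec, or Microsoft), the following Python models the two defender-side measures the article anticipates: rejecting a Copilot search request whose query parameters carry a destination outside the tenant's trusted origins, and triaging proxy logs for URLs that do. The Copilot host name, the `dest` parameter, the allowlist and the log lines are constructed placeholders; the article does not disclose the real parameters.

```python
from urllib.parse import urlparse, parse_qs

# Constructed tenant allowlist: origins that a search request may legitimately
# name as a destination for results. Placeholder values, not real tenant data.
TRUSTED_ORIGINS = {
    "https://copilot.contoso.example",   # hypothetical Copilot front end
    "https://contoso.sharepoint.com",
    "https://outlook.office.com",
}

def origin_of(url: str) -> str:
    """Return 'scheme://host' for an absolute URL, or '' for anything else."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc.lower()}" if p.scheme and p.netloc else ""

def embedded_urls(url: str) -> list[str]:
    """Every query-parameter value that is itself an absolute URL.
    A search URL that smuggles a destination does so in such a value."""
    found = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        found.extend(v for v in values if origin_of(v))
    return found

def strict_check(url: str) -> bool:
    """The stricter parameter validation the article expects a fix to add:
    accept the request only if every embedded URL stays within the allowlist."""
    return all(origin_of(u) in TRUSTED_ORIGINS for u in embedded_urls(url))

def flag_log_lines(lines: list[str]) -> list[tuple[str, str]]:
    """Proxy-log triage for the 'single URL click' the article says is the only
    trace left: return (line, untrusted_origin) for each offending request."""
    hits = []
    for line in lines:
        url = line.split()[-1]            # constructed format: "<ts> <user> <url>"
        for u in embedded_urls(url):
            o = origin_of(u)
            if o not in TRUSTED_ORIGINS:
                hits.append((line, o))
    return hits

# Constructed sample proxy lines; 'dest' is a hypothetical parameter name.
SAMPLE_LOG = [
    "2026-06-16T09:12:03Z alice https://copilot.contoso.example/chat/?q=budget",
    "2026-06-16T09:14:41Z bob https://copilot.contoso.example/chat/?q=q3&dest=https://contoso.sharepoint.com/sites/fin",
    "2026-06-16T09:15:07Z carol https://copilot.contoso.example/chat/?q=payroll&dest=https://evil.example/collect",
]

if __name__ == "__main__":
    for line, origin in flag_log_lines(SAMPLE_LOG):
        print(f"untrusted destination {origin} in: {line}")
```

Only the third line is flagged: its `dest` value points at an origin not on the allowlist, while the second line's SharePoint destination passes.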
The Bigger Picture
SearchLeak is the latest example of a growing trend: AI supply chain attacks. As enterprise AI assistants gain access to increasingly sensitive data — emails, calendars, documents, meeting transcripts — they become attractive targets for attackers who can manipulate the AI's legitimate functions rather than breaking into systems directly. This mirrors the earlier evolution of API abuse, where attackers exploited legitimate API endpoints for data exfiltration, but with an order-of-magnitude increase in potential damage because AI assistants have broad, pre-authorized data access.
The second trend is zero-click exploitation moving from mobile platforms to enterprise SaaS. Just as attackers found ways to compromise iPhones and Android devices without user interaction beyond receiving a message, SearchLeak demonstrates that the same paradigm now applies to Microsoft 365. The victim does not need to download a file, enter a password, or approve a permission — only click a link. This reduces the attack surface to a single URL, which can be delivered via email, chat, or even a QR code.
Key Takeaways
- [Critical Severity]: SearchLeak is a vulnerability chain that turns Microsoft 365 Copilot into a data theft tool via a single URL, affecting over 400,000 organizations.
- [No Patch Available]: As of June 15, 2026, Microsoft has not released a fix; organizations must implement temporary mitigations like conditional access policies.
- [Stealth Mechanism]: The attack uses Copilot's own authenticated APIs, making it invisible to traditional DLP and endpoint detection systems.
- [Broader Implications]: SearchLeak represents a new class of AI supply chain attacks that exploit legitimate AI data access for exfiltration.