Back to Intelligence

SearchLeak: Microsoft 365 Copilot Enterprise Data Exfiltration — Defense and Detection

SA
Security Arsenal Team
June 15, 2026
6 min read

A critical vulnerability chain, dubbed SearchLeak, has been identified in Microsoft 365 Copilot Enterprise, posing a severe risk to organizations relying on generative AI for productivity. This attack vector transforms Copilot into a one-click data theft tool, allowing attackers to exfiltrate sensitive data from a target's mailbox, OneDrive, and SharePoint accounts simply by enticing a user to click a specially crafted URL.

For defenders, the urgency cannot be overstated. SearchLeak bypasses traditional security awareness training regarding macro attachments or credential theft; it abuses the inherent trust and privileges granted to the Copilot service principal. This post breaks down the mechanics of SearchLeak and provides actionable detection logic and hardening steps to mitigate this threat before it impacts your environment.

Technical Analysis

Affected Products & Platforms:

  • Product: Microsoft 365 Copilot Enterprise
  • Platform: Microsoft 365 (Exchange Online, SharePoint Online, OneDrive for Business)

Vulnerability Mechanics: The SearchLeak vulnerability chain exploits the way Copilot processes search queries and retrieves data from indexed sources. By crafting a malicious URL that triggers a specific Copilot interaction, an attacker can manipulate the AI into performing unauthorized searches or data retrieval operations on behalf of the victim.

Unlike standard phishing that requires a user to download a payload or enter credentials, SearchLeak requires only a single click. The interaction leverages the victim's authenticated session and Copilot's extensive read permissions (which typically span the user's entire accessible graph data). The crafted URL forces the Copilot engine to aggregate sensitive documents or emails and return them to the attacker-controlled interface or exfiltration channel.

Exploitation Status: Security researchers have demonstrated proof-of-concept (PoC) code showing the reliability of this vector. Given the high value of the data accessible via Copilot, active exploitation in the wild is anticipated to follow rapidly.

Detection & Response

SIGMA Rules

The following Sigma rules target the anomalous behavior associated with SearchLeak, specifically focusing on unusual Copilot data access patterns and the initiation of Copilot tasks via potentially suspicious referrers or high-volume data retrieval.

YAML
---
title: SearchLeak - Suspicious M365 Copilot High Volume Data Access
id: 8a4b2c1d-9e3f-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects potential SearchLeak activity characterized by high-volume access to SharePoint or Exchange data initiated by the Microsoft 365 Copilot service principal within a short timeframe.
references:
  - https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.exfiltration
  - attack.t1530
logsource:
  product: m365
  service: audit_general
detection:
  selection:
    Workload|contains:
      - 'SharePoint'
      - 'Exchange'
    Operation|contains:
      - 'Search'
      - 'Viewed'
      - 'Downloaded'
    Actor|contains:
      'Copilot'
  timeframe: 5m
  condition: selection | count() > 50
falsepositives:
  - Legitimate high-volume user activity via Copilot querying
data:
  - https://attack.mitre.org/techniques/T1530/
level: high
---
title: SearchLeak - Copilot Access via Unusual Referrer
id: 9b5c3d2e-0f4a-5b6c-9d7e-2f3a4b5c6d7e
status: experimental
description: Detects Copilot access events potentially triggered by a crafted URL by identifying interactions originating from non-standard referrer headers or specific user-agent strings associated with the PoC.
references:
  - https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  product: azure
  service: signins
detection:
  selection:
    AppDisplayName|contains:
      - 'Microsoft 365 Copilot'
    ResourceDisplayName|contains:
      - 'Office 365 Exchange Online'
      - 'Office 365 SharePoint Online'
  filter:
    DeviceDetail|contains:
      - 'Compliant'
  condition: selection and not filter
falsepositives:
  - Access from unregistered but compliant devices
level: medium

KQL (Microsoft Sentinel / Defender)

This KQL query hunts for anomalies in the OfficeActivity table where the Copilot application performs bulk operations on sensitive data sources.

KQL — Microsoft Sentinel / Defender
// Hunt for SearchLeak: High frequency Copilot data access
OfficeActivity
| where Workload in ("SharePoint", "Exchange", "OneDrive")
| extend OperationName = tostring(Operation)
| where OperationName contains "Search" or OperationName contains "Export" or OperationName contains "View"
// Look for the Service Principal or User Agent associated with Copilot
| where UserId contains "Copilot" or ExtensionData has "Copilot"
| summarize Count = count() by UserId, ClientIP, OperationName, bin(TimeGenerated, 5m)
| where Count > 20 // Threshold tuning required based on baseline
| project TimeGenerated, UserId, ClientIP, OperationName, Count
| sort by Count desc

Velociraptor VQL

This VQL artifact hunts for browser processes on endpoints that have recently initiated connections to M365 Copilot endpoints, potentially correlating with a user clicking a malicious link. It focuses on the parent-child relationship of the browser process to identify automation or suspicious launch patterns.

VQL — Velociraptor
-- Hunt for browser processes accessing M365 Copilot endpoints
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name IN ('chrome.exe', 'msedge.exe', 'firefox.exe')
  AND CommandLine =~ 'microsoft365.com'
  AND CommandLine =~ 'copilot'
-- Optional: Join with netstat to check for active connections to O365 IPs

Remediation Script (PowerShell)

As this is an identity and platform-level vulnerability, endpoint patching is not the primary remediation. However, administrators can use PowerShell to audit current Copilot assignments and restrict access to high-risk users until a vendor patch is available.

PowerShell
<#
.SYNOPSIS
    Audit and Restrict Microsoft 365 Copilot Access for SearchLeak Mitigation
.DESCRIPTION
    Checks for users assigned Copilot licenses and outputs a report. 
    Can be modified to block access for specific groups.
#>

# Connect to MS Graph if not already connected
# Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

# Function to Check Copilot Licenses
function Get-CopilotAssignments {
    $CopilotSkuId = "3e8583e0-cf3f-4cc4-874c-3ae118693b42" # Placeholder for M365 Copilot SKU ID
    
    Write-Host "[+] Checking for M365 Copilot License Assignments..." -ForegroundColor Cyan
    
    $users = Get-MgUser -All -Property Id, DisplayName, AssignedLicenses
    
    $licensedUsers = $users | Where-Object { $_.AssignedLicenses.SkuId -contains $CopilotSkuId }
    
    if ($licensedUsers) {
        Write-Host "[!] Found $($licensedUsers.Count) users with Copilot access." -ForegroundColor Yellow
        $licensedUsers | Select-Object DisplayName, UserPrincipalName | Export-Csv -Path "CopilotUsers_Audit.csv" -NoTypeInformation
        Write-Host "[+] Report saved to CopilotUsers_Audit.csv" -ForegroundColor Green
    }
    else {
        Write-Host "[*] No users currently assigned Copilot licenses." -ForegroundColor Gray
    }
}

# Execute Audit
Get-CopilotAssignments

# Recommendation: Review this list and restrict access for users with PII access or High Privilege accounts

Remediation

1. Immediate Restriction: If your organization handles highly sensitive Intellectual Property (IP) or Controlled Unclassified Information (CUI), consider temporarily disabling Microsoft 365 Copilot via the Microsoft 365 Admin Center for specific security groups or the entire tenant until Microsoft releases a security update addressing SearchLeak.

2. Conditional Access Policies: Implement stricter Conditional Access (CA) policies around the Copilot application.

  • Require Compliant or Hybrid Azure AD Joined devices for Copilot access.
  • Enforce Multi-Factor Authentication (MFA) challenges for high-risk Copilot interactions (e.g., bulk data export or search queries returning large result sets).

3. Data Loss Prevention (DLP): Ensure Microsoft Purview DLP policies are active and strictly enforced. While SearchLeak might bypass some UI prompts, DLP policies scanning the content accessed by Copilot may trigger alerts if sensitive data types (SSNs, Credit Cards) are exfiltrated via the output mechanisms.

4. User Awareness: Alert your user base to be skeptical of unsolicited links, even those that appear to be internal M365 links. Advise them to verify the URL destination before clicking, particularly if the link prompts an immediate Copilot interaction or search.

5. Vendor Coordination: Refer to the official Microsoft Security Response Center (MSRC) blog or the admin message center for the specific CVE ID (once assigned) and the patch release schedule. Apply updates to the M365 backend immediately upon availability.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemmicrosoft-365copilotsearchleak

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action