‹ ARCHIVE NB-L038 · .log · 2026·06

No one broke into Microsoft 365: they hid an order in a link and the AI obeyed


A single click on a link that read microsoft.com was enough for an attacker to pull everything inside Microsoft 365: emails, meeting details, files from SharePoint and OneDrive and, worse, the multi-factor authentication (MFA) codes you receive to sign in to your accounts. No password, no second click, no warning at all. The flaw has a name, SearchLeak, and it was Varonis Threat Labs that found it and proved it.

What holds my attention is not the bug itself. It is what it reveals about where we are heading. We wired an artificial intelligence into everything the company owns, gave it the mailbox, the calendar, the documents, and forgot one simple thing: whoever writes the text the AI reads can give it orders. The assistant was not outsmarted by a criminal genius; it was simply obedient. It read a hidden instruction and carried it out.

Three small flaws, one large door

SearchLeak is not a single trick; it is three weaknesses locked together. First, the link's address carried a piece of text that Copilot's search treated as a command rather than a plain question (this is called prompt injection: input data starts giving the system orders). Then, in the instant the AI's answer was forming on screen, a hidden image fired before the safety filter could clean the content. Finally, that image reached out to an attacker-controlled address by abusing a Bing image-search service that sat on the trusted list (a technique known as SSRF, where the server itself is tricked into making the request on the attacker's behalf).

Each piece, on its own, would be limited. Together they formed a silent path for the data to leave. Dolev Taler, the Varonis researcher, put it well: "each link in the chain is necessary, and the AI component is what ties them together."

And here is the detail that should keep any security lead awake: the link pointed to microsoft.com. Anti-phishing filters and the tools that block suspicious addresses do not lift a finger when the domain is trusted. The trap travelled inside the house we trust.

Why this touches all of us

Microsoft 365 is the backbone of half the world, including the vast majority of Portuguese organisations, from companies to town halls and public services. When a flaw like this shows up in the very assistant being pushed onto all those people, it is not a lab problem. It is your organisation's mailbox, the salary files, the reports that have not gone out yet.

The good news, and it is genuine, is that Microsoft has already fixed the flaw (logged as CVE-2026-42824 and rated critical). The fix was applied on their side, on the server, in early June, and Varonis says this was a proof of concept, with no sign of it being used by criminals. This time, the clock ran in our favour.

But the lesson stays, and it is bigger than this one flaw. The next ones will follow the same mould: the target is no longer the machine, it is the instructions. As long as we give these assistants access to everything and let them read text from outside without suspicion, the text is the new weapon.

What you can do

There is no magic button here, but there are habits that cut the risk today:

  • Be wary of unsolicited links even when the address is trusted. A familiar domain is no longer a guarantee of safety.
  • Take your multi-factor codes out of email. Use an authenticator app or a hardware key; a code that lands in your mailbox is a code that can be read by whoever gets in.
  • Keep your AI's connections to your systems updated and apply vendors' fixes as soon as they ship.
  • If you run an organisation, treat the instructions the AI receives as untrusted input, limit what the assistant can reach to the bare minimum, and log and watch what leaves.
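
Two links in the chain described above were image markup that rendered while the answer was still streaming, and a trusted-list host that would fetch another address. The following is an added example, not code from Varonis or Microsoft: a render gate that holds back unfinished image markup and rejects trusted-host URLs that carry a nested target. The host names, function names and sample chunks are hypothetical.

```javascript
// Added example. Host names and function names are hypothetical; inputs are constructed.
const IMAGE_HOSTS = new Set(["img.trusted.example"]); // assumption: hosts the chat UI may load images from

// A query value that names another host means the trusted endpoint would fetch or
// redirect elsewhere for the caller. Deliberately strict: it fails closed.
function carriesNestedTarget(url) {
  for (const value of url.searchParams.values()) {
    if (value.includes("//") || /[a-z0-9-]+\.[a-z]{2,}/i.test(value)) return true;
  }
  return false;
}

function isAllowedImage(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; } // relative or malformed: reject
  return url.protocol === "https:" && IMAGE_HOSTS.has(url.hostname) && !carriesNestedTarget(url);
}

// Complete image markup: markdown (inline, reference, shortcut) or a raw <img> tag.
const IMAGE = /!\[[^\]]*\](?:\(\s*([^)\s]*)[^)]*\)|\[[^\]]*\])?|<img\b[^>]*>/gi;
// Image markup that has started but not finished at the end of the buffer.
const PARTIAL = /(?:!(?:\[[^\]]*(?:\](?:\([^)]*|\[[^\]]*)?)?)?|<(?:i(?:m(?:g[^>]*)?)?)?)$/i;

// Only inline markdown images with an allowed URL survive; everything else is replaced.
function scrub(text) {
  return text.replace(IMAGE, (m, src) => (src && isAllowedImage(src) ? m : "[image removed]"));
}

// Feed model output chunk by chunk; push() returns only text that is safe to render now.
function createRenderGate() {
  let pending = "";
  return {
    push(chunk) {
      pending += chunk;
      const cut = pending.search(PARTIAL);
      const ready = cut === -1 ? pending : pending.slice(0, cut);
      pending = cut === -1 ? "" : pending.slice(cut);
      return scrub(ready);
    },
    // End of stream: neutralise whatever unfinished token is left instead of rendering it.
    flush() {
      const rest = pending.replace(/!\[/g, "[").replace(/</g, "&lt;");
      pending = "";
      return rest;
    },
  };
}
```

The renderer should only ever receive what `push()` and `flush()` return, so no image request can fire on text the filter has not yet seen.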

We taught the assistant to read everything we have. We forgot to teach it to doubt whoever writes to it. Until then, the question is no longer whether the AI can be attacked, but who it obeys.

Original source: Varonis Threat Labs.

#StaySafe
🙏🖖
