logo

Critical Copilot vulnerability allowed hackers to steal 2FA code from users

ID: 31b934d7-2fb4-5951-bcfb-c47ebe2282a1

STIX ID: report--31b934d7-2fb4-5951-bcfb-c47ebe2282a1

Feed Name: Ars Technica Security (category)

Threat Score
70/100

Date Published: 2026-06-16

Date Updated: 2026-06-16

Author: Dan Goodin

...
...

Researchers disclosed "SearchLeak," a parameter-to-prompt injection against Microsoft Copilot/Search that allows an attacker to craft a URL which causes Copilot to render an <img> tag and issue HTTP requests that exfiltrate enterprise M365 content (emails, SharePoint, OneDrive, etc.) by relaying through permitted domains like Bing; Microsoft patched the exploited vulnerabilities but the underlying attack pattern could be reworked to bypass guardrails.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.