The Copilot SearchLeak vulnerability chain shows how any AI assistant can evolve from a productivity feature into a new path into data that inherits the user’s reach. What lessons can security and compliance leaders learn?

In June, researchers at Varonis Threat Labs unveiled a critical vulnerability chain in Microsoft 365 Copilot Enterprise dubbed “SearchLeak”. Tracked as CVE-2026-42824, attackers could use the flaw to steal sensitive data — including emails, multifactor authentication (MFA) codes, and indexed files — with a single click.

SearchLeak was swiftly fixed by Microsoft before being exploited in any real-life attacks. Yet the Copilot issue has demonstrated how any AI assistant can evolve from a productivity feature into a new path into data that inherits the user’s reach.

What lessons can security and compliance leaders learn?

One Click, No Malware

The SearchLeak flaw shows that any connected AI assistant is only as contained as the permissions of the person running it. When it’s tricked, it can reach and leak anything a user can.

SearchLeak combines a relatively new class of AI-specific vulnerability known as parameter-to-prompt injection with two classic web security bugs: An HTML injection race condition flaw and a server-side request forgery issue.

“Individually, each vulnerability might seem manageable,” security researcher Dolev Taler wrote in a blog. “Chained together, they give an attacker the ability to silently extract emails, security codes, and other sensitive content from a victim’s mailbox, calendar, SharePoint, and OneDrive — all from one click of an unsuspicious link.”

Experts say the SearchLeak issue was concerning due to its simplicity. “One click, no malware, no stolen credentials,” comments Tim Freestone, chief strategy officer, Kiteworks. “Copilot read whatever sat in that URL as an instruction, found the emails or MFA codes, and sent them out through an image tag rendered to Bing before the response had even finished loading.”

Data Governance Risks

SearchLeak highlights the data governance risks posed by AI. Many organisations still lack a comprehensive understanding of who can access sensitive information, how broadly that information is shared, or how permissions combine across different business systems.

The issue was not even about over-broad permissions: Copilot only accessed what the user already had access to, says Tristan Shortland, CTO at Infinity Group. “The issue is how that access can be triggered and automated. Even well-scoped permissions can be exploited if the control layers around AI are weak.”

AI makes fragmented permissions “behave like a single permission model”, Jared Atkinson, chief technology officer at SpecterOps tells IO. “A user may have seemingly harmless access in Outlook, Teams, SharePoint, GitHub, Salesforce, ServiceNow and cloud platforms individually. Once an AI assistant can reason across all of them; the combination could reveal substantially more than any one application on its own.”

As organisations adopt AI, data governance then becomes less about where information is stored, and more about understanding the identities and permission relationships that allow it to be combined, says Atkinson

AI eliminates the “security by obscurity” that many organisations accidentally rely on, says Dray Agha, senior manager of security operations at Huntress. “Without strict data governance, AI tools make it trivially easy for employees — or compromised accounts — to instantly find and summarise sensitive information previously hidden in the sheer noise and volume of corporate networks.”

Growing Attack Surface

As agents span more apps, the attack surface grows due to increasing numbers of data sources, actions and complex chains. With this in mind, Infinity Group’s Shortland predicts that in the future, there will be fewer single “big” vulnerabilities and “more multi-step exploits across AI, identity and APIs”.

Today’s AI assistants retrieve information. The next generation of AI agents will “execute work across multiple business applications, coordinating actions in email, source code repositories, cloud platforms, ticketing systems, CRM platforms, identity providers, and other enterprise services”, says SpecterOps’ Atkinson.

This autonomy will lead to broader use of delegated authority, he says. “Agents will receive delegated credentials, service identities, or application-specific permissions that allow them to perform actions the user could not perform directly. This will create new opportunities for unintended data exposure, privilege escalation or abuse, if delegated permissions are not carefully governed.”

Regain Control

As AI agents continue to pose risks to businesses, security and compliance leaders can take some simple steps to take back control and limit the blast radius if similar issues to SearchLeak arise.

It’s important to note that simply blocking access won’t work. “Prohibition just drives usage to non-corporate accounts where you have even less visibility,” says Kiteworks’ Freestone.

Rather than pulling back on AI, Infinity Group’s Shortland advises treating the technology “like a high-privilege abstraction layer”.

“Practically, that means strict scoping of what Copilot can index and retrieve: Not just user permissions, but AI retrieval scope.”

Shortland also advises segmentation of sensitive data sources. “Don’t assume everything needs to be discoverable via Graph.”

Meanwhile, firms can monitor for unusual retrieval patterns and reduce implicit trust in internal domains, he advises. “SearchLeak worked because the link looked legitimate. In short: Assume AI will be tricked at some point and design around that.”

AI Access Governance

As the SearchLeak issue shows, you can’t make an AI assistant un-trickable, so the most important control is limiting what it can reach. Visibility is a key step.

Security leaders should inventory where AI agents are deployed, understand which identities they operate as, and identify any delegated credentials or service identities they receive, says SpecterOps’ Atkinson. “Human users, service accounts, application identities and AI agents should all be evaluated as part of the same identity ecosystem.”

While ISO 27001 wasn’t written for AI, its controls “map directly onto the SearchLeak attack chain”, according to Kiteworks’ Freestone. For example, Annex A.9 access control would have scoped what Copilot could reach. “A.12.4 logging and monitoring would have made the exfiltration attempt visible in real time,” he points out. “And A.8.2 information classification would have kept regulated content from crossing a governed boundary.”

The standard provides the controls but lacks the framework for deciding what AI systems are allowed to do in the first place, he explains. That’s where ISO 42001, the international standard for AI management systems, comes in.

This requires impact assessments before deployment, human oversight mechanisms, and explicit treatment of AI-specific risks including prompt manipulation and unintended model behaviour.

“This is the exact threat class SearchLeak represents,” says Freestone. “ISO 27001 covers the security controls and the audit evidence. ISO 42001 covers the governance decisions that sit upstream of those controls. Regulators are starting to expect both.”

Expand Your Knowledge

Guide: Securing the AI Attack Surface

Blog: Anthropic’s Suspension is a Wake-Up Call for AI Supplier Risk

Blog: Cyber-Risk Management is Fragmented, Here’s How to Fix It