Security researchers have uncovered a critical exploit chain in Microsoft Copilot's enterprise tier, enabling attackers to silently exfiltrate sensitive data from corporate environments.

The attack, delivered through a malicious URL disguised as a legitimate Microsoft search query, required only a single click by the victim. Once triggered, Copilot would execute an instruction embedded in that URL to search the user's emails and extract confidential information.

Attackers circumvented standard guardrails by exploiting a timing gap: Copilot generates its initial response as raw HTML before its security protections activate. By embedding an image tag in that HTML, researchers forced the victim's browser to send data to an attacker-controlled server before the system could wrap the output in protective code blocks.

To bypass domain restrictions, the exploit leveraged Microsoft's own Bing search engine as a proxy. Because Copilot permits image requests to Bing under its content security policy, the stolen data was routed through Bing to the attacker's domain.
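The two weaknesses above, rendering model output before sanitization and allowlisting a domain that can redirect, are what a defender-side policy check has to cover. The following is an added example, not code from the researchers or from Microsoft: it collects every fetch-triggering `src` in generated HTML and rejects non-allowlisted hosts, redirect parameters that point off the allowlist, and oversized query strings; the host name `search.example`, the redirect parameter names and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed allowlist: the only host the renderer may fetch images from.
ALLOWED_IMAGE_HOSTS = {"search.example"}
# Constructed list of query keys that commonly carry a redirect target.
REDIRECT_PARAMS = {"u", "url", "redirect", "target", "r"}
# Longer query strings are a cheap signal of data smuggled into a URL.
MAX_QUERY_LEN = 256


class _SrcCollector(HTMLParser):
    """Collect every src attribute; each one triggers an outbound fetch."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value)


def classify_image_url(url):
    """Return 'allowed' or a 'blocked: <reason>' string for one URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "blocked: scheme"  # also rejects protocol-relative //host
    if parsed.hostname not in ALLOWED_IMAGE_HOSTS:
        return "blocked: host"
    # An allowlisted host that redirects acts as a proxy; inspect the target.
    for key, values in parse_qs(parsed.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                inner = urlparse(unquote(value))
                if inner.scheme and inner.hostname not in ALLOWED_IMAGE_HOSTS:
                    return "blocked: redirect"
    if len(parsed.query) > MAX_QUERY_LEN:
        return "blocked: oversized query"
    return "allowed"


def check_output(html):
    """Return (safe, findings); unsafe output should be shown as plain text."""
    collector = _SrcCollector()
    collector.feed(html)
    collector.close()
    findings = [(src, classify_image_url(src)) for src in collector.srcs]
    return all(verdict == "allowed" for _, verdict in findings), findings
```

The check belongs before rendering, so that a failed verdict downgrades the response to plain text rather than letting the browser issue the request.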

The vulnerability impacts the entire Microsoft 365 ecosystem, including emails, meeting notes, SharePoint documents, and OneDrive files. Microsoft deployed a fix, but researchers warn that the underlying architectural weakness remains susceptible to future exploitation.