Copilot 'SearchLeak' Attack Allows 1-Click Data Theft 微软 Copilot 遭 'SearchLeak' 攻击，一键数据窃取成为可能

TL;DR

• Novel "SearchLeak" attack enabled silent exfiltration of Microsoft 365 data via Copilot.
• Exploited parameter-to-prompt injection (P2P) using crafted Copilot Search links.
• Bypassed CSP and Copilot guardrails by abusing Bing's server-side image fetch.
• Exfiltrated emails, meeting notes, OneDrive/SharePoint files, and 2FA codes.
• Patched by Microsoft as critical CVE-2026-42824; no user action required.

Key Data

Entity	Key Info	Data/Metrics
Attack Name	SearchLeak
Vulnerability Type	Parameter-to-Prompt Injection (P2P)	A subset of indirect prompt injection
Affected Product	Microsoft Copilot for Microsoft 365
Attack Vector	Malicious link with crafted q parameter	Sent via email, Slack, etc.
Key Bypass	Using Bing search-by-image img tag	Exploits Bing's whitelisted server-side fetch
CVE Identifier	CVE-2026-42824	Critical Severity
CVSS Score	6.5
Researcher	Varonis Threat Labs
Patch Status	Patched by Microsoft	No end-user action required

Deep Analysis

Microsoft just handed everyone a masterclass in how not to integrate generative AI into enterprise security architecture. SearchLeak isn't just another bug; it's a philosophical failure. The entire value proposition of Copilot is seamless, context-aware access to your organizational data. Turns out, that's also its perfect attack surface. This wasn't a failure of the large language model itself, but a catastrophic failure in the plumbing—the pipes connecting the AI to the data and the web.

Let's dissect the elegance of the attack. The core trick, using a q parameter to silently inject a prompt, is almost embarrassingly simple. It highlights a naive trust in user-controlled input fields, a classic web security mistake from the early 2000s, now reborn in the AI age. But the real savagery is in the bypass. Microsoft's guards were apparently checking the final destination of data exfiltration. So Varonis routed it through Bing, Microsoft's own house. By hiding the attacker's URL inside an <img> tag within a Bing search, they exploited a critical loophole: Bing's backend fetches images to analyze them, acting as a trusted proxy that ignores the victim's browser security policies. This isn't just clever; it's a brutal indictment of security whitelists. Trusting your own services implicitly without scrutinizing the actions they perform is security theater.

The naming of this as a "subset" of prompt injection—Parameter-to-Prompt—is significant. It signals the attack taxonomy is evolving as fast as the AI itself. We're moving beyond simple chatbot jailbreaks to complex, multi-stage attacks that weaponize the ecosystem around the AI. The AI model becomes a compliant puppet, its strings pulled by instructions baked into a URL.

Now, the CVSS score of 6.5 for a vulnerability labeled "Critical" by Microsoft is the most telling number here. It screams that our standardized vulnerability scoring systems are utterly broken for this new class of AI-integrated software. How do you quantify the risk of a silent exfiltration pipeline to all your enterprise documents? A 6.5 suggests a localized impact with some complexity. The reality is a silent, scalable data breach. The disconnect is dangerous, giving security teams a false sense of risk prioritization.

Microsoft's patch was swift, and that's good. But patching the specific exploit is whack-a-mole. The systemic issue is architectural. Every enterprise AI copilot, every chatbot integrated with internal data, is a potential SearchLeak. The attack graph is horrifying: from phishing link to mass document exfiltration in a few automated steps, all while the user sees a legitimate Microsoft domain. This is the end of the firewall-and-perimeter mindset in a very real, AI-driven way.

The question isn't whether other AI vendors have similar flaws. It's how many are already being exploited. Varonis correctly frames this as a precursor. We're in the "script kiddie" phase of AI attacks; nation-states and advanced criminal groups are surely building far more sophisticated prompt-injection arsenals. The hunt for data isn't new, but giving it a natural language interface is a game-changer. We've handed attackers a key to the data kingdom and told them to ask for what they want nicely. It turns out, they don't have to be that nice.

Industry Insights

1. Treat AI Integrations as High-Risk APIs: Scrutinize every external input (links, emails, calendar invites) that can feed a prompt to an enterprise AI. Implement strict input validation and URL parameter sanitization.
2. Audit Data Access Paths, Not Just Models: Security reviews must map how AI systems access, retrieve, and act on sensitive data. Stress-test these pipelines with P2P and indirect injection scenarios.
3. Re-evaluate "Trusted" Internal Services: Whitelisting your own services (like Bing) for AI interactions creates blind spots. Implement content security policies that validate the intent of actions, not just the source.

FAQ

Q: How can I protect my organization from this type of attack?
A: Microsoft has patched this specific vulnerability, so updating is key. For future-proofing, implement advanced email filtering to detect malicious link patterns and conduct employee training on recognizing suspicious AI prompts.

Q: Was my data stolen if I used Copilot?
A: For this specific attack, no. The vulnerability required an attacker to send you a malicious link that you had to click. There is no evidence it was exploited in the wild before the patch.

Q: Does this mean all AI assistants are insecure?
A: They introduce unique risks. The fundamental architecture of allowing an AI to autonomously access and process sensitive data based on external input is inherently high-risk. Vigilance and new security frameworks are required.

TL;DR

• Varonis安全实验室披露微软Copilot漏洞“SearchLeak”，可静默窃取用户邮件、文件等敏感数据。
• 该攻击属于参数注入（P2P），攻击者仅需发送一个恶意链接，用户点击即触发。
• 攻击利用Bing后端图像请求绕过浏览器安全策略（CSP）和Copilot内容过滤器。
• 微软已发布补丁（CVE-2026-42824），将该漏洞定级为“严重”，CVSS评分6.5。
• 漏洞揭示AI智能体系统存在固有的“提示注入”攻击面，安全防护面临范式挑战。

核心数据

实体	关键信息	数据/指标
漏洞名称	SearchLeak	-
CVE编号	CVE-2026-42824	CVSS 6.5
攻击类型	参数到提示注入（P2P），间接提示注入子类	三阶段攻击
利用技术	通过q参数注入恶意指令，利用Bing图像搜索后端请求绕过CSP	利用Bing白名单信任
可窃取数据	电子邮件内容、会议详情、OneDrive/SharePoint文件	包括MFA码、密码重置链接等
修复状态	微软已发布补丁	用户无需操作
发现机构	Varonis Threat Labs	研究员Dolev Taler, Dor Yardeni

深度解读

这个所谓的“SearchLeak”漏洞，名字起得温文尔雅，实则是一把插在微软Copilot心脏上的手术刀，精准地剖开了当前AI助手商业模式下最令人不安的真相：为了“智能”和“便捷”，我们正在无条件地让渡安全主权。

表面上看，这是一个技术问题——一个精巧的“提示注入”攻击，利用了参数传递、Bing后端的信任白名单和那个致命的“竞态条件”。但撕开这层外衣，内核是一个架构设计的原罪。Copilot（以及其他类似的企业AI助手）被设计成一个拥有“上帝视角”的超级用户，它能索引和访问用户权限内的所有邮件、文件、聊天记录。为了实现其“智能”承诺，系统必须先给予它近乎无限的访问权。SearchLeak攻击的本质，不是黑掉了一个软件，而是成功地诱骗了一个拥有最高权限的“内部人”去当间谍。 这就好比你雇了一个无所不知的管家，却忘了给他的指令可能会被别人偷偷掉包。

微软的防护措施——Copilot的内容过滤和安全护栏——在“图像标签+Bing后端请求”这个组合拳面前形同虚设。这暴露了一个更深层次的矛盾：企业级AI的安全模型与互联网的基础架构是脱节的。 浏览器安全策略（如CSP）是为保护用户浏览器而设，但当请求来自可信的“云内”服务（如Bing后端）时，这些防线就失效了。攻击者巧妙地利用了微软自家生态的信任链：Copilot信任Bing，Bing信任其内部的图像分析端点。安全团队在防御“外部”敌人，而攻击者早已化身为“内部”的流量。 这是最典型的供应链思维攻击，只不过这次的“供应链”是微软自己的云服务链。

更讽刺的是CVSS 6.5的评分。在传统漏洞评估中，这或许算“中等”。但在AI时代，这个评分简直是个笑话。一个无需用户任何额外交互（点击即可）、能直接窃取核心商业数据（包括财务、战略、认证信息）、攻击面覆盖整个企业的漏洞，其实际风险是灾难性的。CVSS模型显然没有跟上AI智能体带来的全新威胁维度，它依然在衡量“软件缺陷”，而非“智能代理被恶意操控”的后果。

这个案例给所有狂热拥抱AI Agent的企业当头一棒：你的AI越强大，它手中的钥匙就越多，而这把钥匙的锁孔，可能远比你想象的多。微软迅速打补丁是负责任的，但这无法解决根本问题。只要AI助手的设计理念不变——即通过汇聚海量数据来提供智能——那么“SearchLeak”就绝不会是最后一个名字。下一个漏洞，可能就叫“DataWhisper”或“PermissionGhost”。这场猫鼠游戏，从一开始，老鼠就住进了猫的粮仓。

行业启示

1. AI权限必须“最小化”与“沙盒化”：必须重新评估并严格限制AI助手对内部数据的默认访问范围，考虑实施基于任务的动态权限授权，而非开放式的全盘索引。
2. 防御视角需从“边界”转向“内部信任链”：企业安全架构必须审视云服务间（如搜索引擎与AI平台）的默认信任关系，建立内部API调用和数据的监控与验证机制，防范“合法”通道的恶意利用。
3. 安全左移需覆盖AI提示工程：在AI功能开发和集成阶段，必须强制进行提示注入攻击面的专项威胁建模与红队测试，将安全审查嵌入到提示词设计和数据处理管道中。

FAQ

Q: 这个攻击对普通用户或企业员工来说有多严重？
A: 非常严重。攻击仅需用户点击一个链接，且无任何额外操作提示。成功后，攻击者能静默窃取包括邮件、机密文件、会议记录甚至双因素认证码在内的所有企业数据。

Q: 普通用户需要做什么来保护自己？
A: 对于此特定漏洞，微软已修复，用户无需额外操作。但普遍性建议是：保持系统更新，对企业内部任何要求通过AI助手执行操作的链接保持高度警惕，尤其是来源不明者。

Q: 这个漏洞是微软Copilot独有的吗？
A: 不是。“提示注入”是当前所有大型语言模型（LLM）及基于其构建的AI代理面临的系统性挑战。SearchLeak是针对微软Copilot架构的一个具体攻击实现，但其利用的底层原理（通过输入操控AI行为）是通用的，其他AI产品同样可能存在类似风险。