Microsoft Copilot SearchLeak: AI Turns Permissions Into Risks
Summary
Hackers could steal two-factor authentication codes and confidential data from Microsoft Copilot with a single click. This vulnerability, called SearchLeak, allowed attackers to bypass security measures. Microsoft patched the issue on June 4th, before it was publicly known. Researchers discovered it on June 14th. The flaw exposed confidential emails and files from OneDrive and SharePoint. Microsoft rated SearchLeak as "critical" severity, even though its technical score was lower. This attack highlights how AI's inherited user permissions can create significant security risks. No user update is needed, but organizations should audit AI permissions and tighten data loss prevention policies. This matters because understanding AI access rules is crucial for enterprise security.