What Happened
Varonis Threat Labs revealed a prompt injection attack against Microsoft M365 Copilot Enterprise that exposed internal corporate data through manipulated URL parameters. The attack, called SearchLeak, allowed researchers to extract emails, meeting invites, and notes—anything the targeted user could access within their organization. Microsoft patched the vulnerability on the server side earlier this month.
The attack involved embedding malicious prompts in URL parameters that Copilot Enterprise Search processed as legitimate instructions. When a user clicked a crafted link, Copilot's AI executed the embedded commands, leaking data through Bing's Image Search service, which the researchers used as an exfiltration proxy.
Timeline
Initial Discovery: Varonis Threat Labs found that M365 Copilot Enterprise Search processed URL parameters without proper sanitization.
Proof-of-Concept Development: Researchers created URLs with prompt injection payloads that instructed Copilot to extract and transmit sensitive data.
Successful Exfiltration: The attack demonstrated data leakage across the full scope of user permissions—emails, calendar entries, SharePoint documents, and Teams conversations.
Disclosure and Patch: Microsoft released a server-side patch that addressed the vulnerability in Copilot Enterprise Search's parameter handling.
Which Controls Failed or Were Missing
Input Validation: The application processed natural language instructions embedded in URL parameters without verifying that these inputs came from legitimate user interaction rather than external sources.
Output Sanitization: Copilot rendered AI-generated responses incrementally without real-time sanitization. This allowed attackers to inject instructions that appeared mid-stream in the AI's output, bypassing traditional output filtering that only examines complete responses.
Content Security Policy (CSP): The application lacked restrictive CSP headers that would prevent data exfiltration to external domains. The researchers used Bing Image Search as a data channel because the application allowed outbound connections to arbitrary endpoints.
Least Privilege Enforcement: Although not a direct control failure, the attack's impact was amplified because Copilot operated with the full scope of the user's organizational access. A single compromised click exposed everything from that user's permission set.
Prompt Injection Defenses: The application had no mechanism to distinguish between user-initiated prompts and prompts injected through URL parameters or other external inputs.
What the Relevant Standards Require
OWASP ASVS v4.0.3 Requirement 5.1.1 mandates that input validation is applied on a trusted service layer. URL parameters are untrusted input. Processing them as AI instructions without validation violates this control.
OWASP ASVS Requirement 5.2.1 requires sanitizing output based on the context where it will be used. AI responses that include user data must be sanitized before rendering, especially when rendering happens incrementally.
OWASP Top 10 2021: A03 - Injection covers scenarios where untrusted data is sent to an interpreter. Large language models are interpreters. URL parameters containing natural language instructions are injection vectors.
PCI DSS v4.0.1 Requirement 6.4.3 (for organizations handling payment data) requires scripts loaded from external or untrusted sources to be authorized. While this requirement targets JavaScript, the principle applies: external inputs that drive application behavior require explicit authorization and validation.
ISO/IEC 27001:2022 Control 8.24 addresses the use of cryptography and secure communications. Data exfiltration through uncontrolled external connections (like the Bing Image Search proxy) indicates missing controls around outbound data flows.
NIST 800-53 Rev 5 SI-10 requires information input validation. The control explicitly states that applications must check the validity, accuracy, and authenticity of information inputs. URL parameters qualify as information inputs.
Lessons and Action Items for Your Team
Treat LLM Inputs as Injection Vectors
Add prompt injection to your threat model for any application that processes natural language. URL parameters, HTTP headers, file uploads, and API payloads can all carry malicious prompts. Implement input validation that examines not just syntax but semantic intent.
Action: Review every integration point where your application passes data to an LLM. Document which inputs are user-controlled versus system-controlled. Flag any case where external data becomes part of a prompt.
Implement Real-Time Output Filtering
Incremental rendering creates a sanitization gap. Your output filters must operate on streaming responses, not just completed outputs.
Action: If you're using AI services that stream responses, implement token-by-token or chunk-by-chunk sanitization. Test specifically for instructions embedded mid-response that attempt to override earlier filtering.
Deploy Restrictive CSP Headers
Content Security Policy should prevent unauthorized outbound connections. The SearchLeak attack used Bing Image Search as an exfiltration channel—a strict CSP would block this.
Action: Set connect-src 'self' and explicitly whitelist only the external domains your application legitimately needs. Monitor CSP violation reports to detect exfiltration attempts.
Separate User Context from AI Context
When your AI assistant operates with user permissions, a single prompt injection exposes everything that user can access. Consider implementing a separate, restricted service account for AI operations.
Action: Audit what data your AI integrations can access. If the AI doesn't need read access to emails to perform its function, don't grant that permission. Apply least privilege at the AI service account level.
Test for Prompt Injection in Security Assessments
Your penetration tests and security reviews must now include prompt injection scenarios. Traditional injection testing (SQL, command, XSS) doesn't cover this attack class.
Action: Add prompt injection test cases to your security testing checklist. Include scenarios where attackers control URL parameters, API inputs, and uploaded content that feeds into LLM prompts. Document which mitigations you've implemented and test their effectiveness.
The SearchLeak attack demonstrates that AI-powered applications inherit all traditional web vulnerabilities—then add new ones. Your existing controls for input validation, output encoding, and least privilege still apply. You just need to apply them to a new type of interpreter.
