SearchLeak: The Wolves Found a Hole in the Fence That Microsoft Built for You

I want you to sit with this one for a moment.

A single click on a legitimate, verified, honest-to-goodness microsoft.com link. That is all it took. One click, and the wolves were inside your filing cabinet, reading your emails, your calendar, your indexed documents. The whole barn, essentially, left open by the very shepherd who sold you the lock.

The researchers at Varonis Threat Labs, to their considerable credit, chained three separate vulnerabilities together into what they are calling "SearchLeak." The attack weaponized Microsoft 365 Copilot's Enterprise Search to exfiltrate emails, files, and, rather impressively, MFA codes. Through one click. On a real Microsoft domain.

In the old days, we called this a "catastrophic architectural failure." Now we apparently call it a "product feature under review."

The particularly galling detail is this: because the luring link pointed to a genuine microsoft.com address, every modern anti-phishing filter, every URL screening tool, every piece of expensive software the Shepherds approved on last quarter's budget, waved it straight through. The Electric Fence saw a trusted domain and simply went back to sleep. Brilliant. Absolutely brilliant.

This is precisely what I warned about when everyone started migrating the flock's sensitive data up to the Sky Pasture. You do not put your crown jewels in an infrastructure you do not control and then act surprised when the architecture has holes in the fence you did not know existed. Magnetic tape did not have an AI assistant that could be socially engineered into handing over your MFA tokens. I am simply noting that for the record.

The oblivious Lambs clicking links in their email, which they have been doing since 1997 and apparently intend to do forever, cannot be blamed here. The attack was designed to be invisible to them. That is, I admit, sophisticated. Grudgingly.

Microsoft has since patched the flaw. Shearing complete. We move on.

Remediation

Look, the ointment has been applied, but your posture still needs work.

Disable or restrict Copilot Enterprise Search access for users who have no legitimate need for broad organizational indexing. The flock does not need to see the whole pasture.

Audit your OAuth application permissions. Anything with broad read access to mail and files deserves a hard look right now.

Do not trust a URL simply because it wears a familiar coat. A wolf in a microsoft.com fleece is still a wolf. Train the Lambs accordingly.

Review your MFA token handling. If a single-click attack can lift an MFA code, your token lifetime and scope policies need an immediate review. This is not optional.
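One way to start the OAuth audit above, as an added example that is not part of the original post: a Python triage over delegated permission grants exported from Microsoft Graph, flagging applications that hold broad mail, file or calendar read scopes and ranking tenant-wide admin consent above single-user consent. The sample grants are constructed, and the set of scopes treated as "broad" is my assumption.

```python
"""Triage Microsoft Graph oauth2PermissionGrants for broad mail/file read access.

Added example, not part of the original post. Assumes the grants were exported
with GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants (delegated
grants; fields clientId, consentType, principalId, resourceId, scope).
The sample grants below are constructed.
"""
import json

# Delegated Graph scopes that give an application broad read over mail and files
# (the list is my assumption; extend it to match your tenant's risk appetite).
BROAD_READ_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared", "Mail.ReadWrite.Shared",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Calendars.Read", "Calendars.ReadWrite",
}

# Constructed sample in the shape of the Graph response; clientId values are fake.
SAMPLE_GRANTS = json.dumps({"value": [
    {"id": "g1", "clientId": "sp-111", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp", "scope": "User.Read openid profile"},
    {"id": "g2", "clientId": "sp-222", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp",
     "scope": "Mail.Read Files.Read.All offline_access"},
    {"id": "g3", "clientId": "sp-333", "consentType": "Principal",
     "principalId": "user-9", "resourceId": "graph-sp", "scope": "Mail.ReadWrite"},
]})

def triage_grants(raw_json):
    """Return grants carrying a broad mail/file scope, worst first.
    Tenant-wide admin consent (AllPrincipals) outranks a single user's consent."""
    findings = []
    for g in json.loads(raw_json)["value"]:
        hit = sorted(set((g.get("scope") or "").split()) & BROAD_READ_SCOPES)
        if not hit:
            continue
        tenant_wide = g.get("consentType") == "AllPrincipals"
        findings.append({
            "grant_id": g["id"], "client_id": g["clientId"],
            "tenant_wide": tenant_wide, "broad_scopes": hit,
            "severity": "high" if tenant_wide else "medium",
        })
    findings.sort(key=lambda f: (not f["tenant_wide"], f["client_id"]))
    return findings

if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS):
        who = "tenant-wide" if f["tenant_wide"] else "per-user"
        print(f"{f['severity']:<6} {f['client_id']} {who}: {' '.join(f['broad_scopes'])}")
```

Feed it the real export and resolve each flagged clientId against your service principals to find out which vendor or internal app is sitting on that access.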

Stay paranoid out there; it is the only rational response.


Original Report: https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html