Defensive Security

Summary

M365 Copilot SearchLeak is a newly discovered vulnerability that can let attackers manipulate Copilot into silently exfiltrating sensitive organizational data through a single malicious link, using a multi-stage process that includes prompt injection, automated data extraction, and a Bing-powered SSRF bypass to evade security controls. The article explains why relying only on Microsoft 365 audit logs creates visibility gaps and emphasizes the need to hunt threats through endpoint telemetry with tools like CrowdStrike LogScale, detailing a four-phase detection strategy that covers injection indicators, exfiltration beacons, abnormal Bing activity, and post-exploitation behavior. It also outlines incident response steps to scope impacted systems and highlights the importance of combining cloud and endpoint insights to effectively detect and mitigate this evolving AI-driven threat.

Enterprise AI assistants have rapidly become embedded within daily workflows, but they also introduce entirely new attack surfaces. The recent discovery of SearchLeak (CVE-2026-42824) by Varonis Threat Labs demonstrates how Microsoft 365 Copilot can be manipulated into silently exposing sensitive organizational information through a single user interaction. While many defenders instinctively pivot to Microsoft audit logs when investigating Copilot abuse, relying exclusively on cloud telemetry leaves significant blind spots. Detecting this activity requires defenders to shift their perspective and hunt directly within endpoint telemetry.

The recent discovery of the M365 Copilot "SearchLeak" vulnerability (CVE-2026-42824) by Varonis Threat Labs represents a massive shift in how we need to approach AI-driven data exfiltration. Scoring a CVSS 6.5, this command injection flaw in M365 Copilot Enterprise essentially allows an attacker to weaponize the assistant, silently stealing sensitive organizational data—from emails to MFA codes—with a single click on a malicious link.

When standardizing service delivery and incident response for a threat like this, many security teams instinctively pivot to the M365 Unified Audit logs to look for anomalous SearchQuery operations. But relying solely on cloud audit logs leaves a critical visibility gap during the actual exfiltration phase. Attackers are using dynamic, chain-request prompts that completely obscure the true intent of the execution. 

At Echelon Risk + Cyber, we approach detection engineering a lot like tuning a high-performance engine: you can't just stare at the dashboard indicators; you have to monitor the underlying telemetry at every stage of the cycle. To get true visibility into SearchLeak, you have to hunt at the endpoint level using CrowdStrike Falcon Next-Gen SIEM (LogScale). 

The Exploit Mechanics: Why Endpoint Telemetry Matters

To build a reliable detection, you have to understand the three-stage vulnerability chain that makes SearchLeak possible:

  1. Parameter-to-Prompt (P2P) Injection: The attacker sends the victim a seemingly legitimate Microsoft URL. Hidden inside the q (query) parameter are malicious instructions. When clicked, Copilot blindly accepts this parameter as a trusted user prompt. 
  2. Data Extraction: Copilot executes the prompt, silently scraping anything the user has permissions to view across the M365 tenant. 
  3. CSP Bypass via Bing SSRF: To exfiltrate the data, the prompt forces Copilot to embed the stolen text into an image URL. Because Copilot restricts direct connections to unverified external domains, the attacker leverages Bing's "Search by Image" feature as a proxy. Bing fetches the URL, bypassing Content Security Policies and silently transmitting the stolen data to the attacker's server. 

If your Falcon deployment operates in Prevent-only mode without full HTTP inspection, you won't see the specific URL query strings carrying that stolen data. However, by leveraging Falcon's DNS and network connection telemetry, we can behaviorally detect the exfiltration beacons and the SSRF proxying. 

The Detection Strategy

Phase 1: The Injection 

The exploit requires an initial user click within a browser. Our first step is filtering for browser processes initiating network connections to Copilot endpoints where the connection metadata suggests an anomalously long URL. This gives us our initial indicator of the P2P injection via the q parameter. 

Phase 2: The Exfiltration Beacon (High Fidelity) 

This is the core of the detection pack. We correlate a Copilot DNS resolution with a subsequent outbound connection to a non-Microsoft IP. Crucially, we enforce a strict 60-second window. If a machine resolves Copilot and immediately beacons to an unknown external IP, it is a massive red flag signaling the injected image tag carrying the exfiltrated data. You will need to tune your exclusions here to filter out known-good external IPs and proxy nodes.
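The correlation described above, sketched in Python over constructed telemetry records. This is an added example, not the LogScale query from the detection pack. The event field names, the Copilot domain list and the allowlist ranges are assumptions to replace with your own values.

```python
from ipaddress import ip_address, ip_network

# Assumptions, not from the article: the event field names, the Copilot domain
# list and the allowlist are placeholders to replace with your own telemetry.
COPILOT_DOMAINS = ("copilot.microsoft.com", "m365.cloud.microsoft")
ALLOWLIST = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # internal ranges
    "198.51.100.0/24",  # constructed stand-in for Microsoft and proxy egress
)]
WINDOW_SECONDS = 60  # the strict correlation window from Phase 2

def is_copilot(domain):
    d = domain.lower().rstrip(".")
    return any(d == c or d.endswith("." + c) for c in COPILOT_DOMAINS)

def allowlisted(ip):
    return any(ip_address(ip) in net for net in ALLOWLIST)

def find_beacons(events):
    """Return (host, domain, remote_ip, delay) for every outbound connection to
    a non-allowlisted IP made within WINDOW_SECONDS of a Copilot DNS
    resolution on the same host."""
    last_lookup = {}  # host -> (timestamp, domain) of latest Copilot resolution
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "dns":
            if is_copilot(ev["domain"]):
                last_lookup[host] = (ev["ts"], ev["domain"])
        elif ev["type"] == "conn" and host in last_lookup:
            seen, domain = last_lookup[host]
            delay = ev["ts"] - seen
            if delay <= WINDOW_SECONDS and not allowlisted(ev["remote_ip"]):
                hits.append((host, domain, ev["remote_ip"], delay))
    return hits

# Constructed sample telemetry (epoch seconds), not real data.
SAMPLE = [
    {"ts": 1000, "host": "WS-01", "type": "dns", "domain": "copilot.microsoft.com"},
    {"ts": 1002, "host": "WS-01", "type": "conn", "remote_ip": "198.51.100.20"},
    {"ts": 1012, "host": "WS-01", "type": "conn", "remote_ip": "203.0.113.7"},
    {"ts": 2000, "host": "WS-02", "type": "dns", "domain": "copilot.microsoft.com"},
    {"ts": 2095, "host": "WS-02", "type": "conn", "remote_ip": "203.0.113.9"},
    {"ts": 3000, "host": "WS-03", "type": "dns", "domain": "example.org"},
    {"ts": 3005, "host": "WS-03", "type": "conn", "remote_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE):
        print("possible exfiltration beacon:", hit)
```

Only WS-01 alerts: WS-02 connects 95 seconds after its Copilot lookup, and WS-03 never resolved a Copilot domain.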

Phase 3: The Bing SSRF CSP Bypass Approximation 

The SSRF leg of SearchLeak forces the client to fetch a Bing image search URL. Without full proxy logs, client-side visibility into the exact payload is limited. We use this query as a sensor-level approximation, hunting for the behavioral burst of Bing image lookups—specifically, five or more within a two-minute window—paired directly with active Copilot sessions.  
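The burst logic described above, sketched in Python over constructed lookup records. This is an added example, not the LogScale query from the detection pack. The field names, the domain lists and `SESSION_SECONDS` (how long a Copilot lookup counts as an active session) are assumptions; only the five-in-two-minutes threshold comes from the article.

```python
from collections import defaultdict, deque

# Assumptions, not from the article: event field names, both domain lists and
# SESSION_SECONDS are placeholders. Only the 5-in-2-minutes threshold is the
# article's.
COPILOT_DOMAINS = ("copilot.microsoft.com", "m365.cloud.microsoft")
BING_DOMAINS = ("bing.com",)
BURST_COUNT = 5        # five or more lookups ...
BURST_SECONDS = 120    # ... inside a two-minute window
SESSION_SECONDS = 600  # hypothetical: how long a Copilot lookup marks a session

def matches(domain, suffixes):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)

def find_bing_bursts(events):
    """Return (host, burst_start, burst_end, lookups) for the first qualifying
    burst on each host that also has a recent Copilot lookup."""
    recent = defaultdict(deque)  # host -> timestamps of Bing lookups in window
    copilot_seen = {}            # host -> timestamp of latest Copilot lookup
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if matches(ev["domain"], COPILOT_DOMAINS):
            copilot_seen[host] = ts
        elif matches(ev["domain"], BING_DOMAINS):
            q = recent[host]
            q.append(ts)
            while ts - q[0] > BURST_SECONDS:  # drop lookups older than the window
                q.popleft()
            in_session = ts - copilot_seen.get(host, float("-inf")) <= SESSION_SECONDS
            if len(q) >= BURST_COUNT and in_session and host not in alerts:
                alerts[host] = (host, q[0], ts, len(q))
    return sorted(alerts.values())

def lookups(host, domain, times):
    return [{"ts": t, "host": host, "domain": domain} for t in times]

# Constructed sample telemetry (epoch seconds), not real data.
SAMPLE = (
    lookups("WS-01", "copilot.microsoft.com", [1000])
    + lookups("WS-01", "www.bing.com", [1010, 1020, 1030, 1040, 1050])  # burst in session
    + lookups("WS-02", "www.bing.com", [2000, 2010, 2020, 2030, 2040])  # burst, no Copilot
    + lookups("WS-03", "copilot.microsoft.com", [3000])
    + lookups("WS-03", "www.bing.com", [3010, 3100, 3200, 3300, 3400])  # too spread out
)

if __name__ == "__main__":
    for alert in find_bing_bursts(SAMPLE):
        print("Bing lookup burst during Copilot session:", alert)
```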

Phase 4: Post-Exploitation Process Ancestry

If the attacker successfully steals session tokens or MFA codes, their next step is often lateral movement or payload execution. This query acts as our defense-in-depth safety net, identifying suspicious child processes spawned by browsers on the targeted hosts immediately following the compromise. 

Incident Response: Scoping the Blast Radius

When one of these primary alerts fires, your analysts need to act fast. We use specific pivot queries to determine exactly what infrastructure the affected host was communicating with during the exfiltration window, and to scope the blast radius of Copilot connections across the entire fleet. 

Pivot A: Review all external connections from the alerted host in a 30-minute window. 

Pivot B: Scope the blast radius of Copilot connections across the fleet.

Final Thoughts

Adapting to visibility gaps is the cornerstone of solid detection engineering. Cloud identity and audit logs are absolutely critical, but correlating them with endpoint network telemetry provides the high-fidelity signal required to hunt down complex, multi-stage exploits like SearchLeak. 

You can grab the raw LogScale detection pack and the full Markdown documentation from our GitHub repository. Deploy it, tune it to your environment, and stay sharp. 
