Microsoft Copilot security flaw may expose your private data, here is how to stay safe

HIGHLIGHTS

A flaw in Microsoft Copilot could have exposed emails, files, and other private Microsoft 365 data.

Microsoft has fixed the issue and said there is no sign that any users were affected.

Avoid unknown links, keep software updated, and limit data access to stay protected.

Microsoft’s AI assistant Copilot was affected by a security issue that could have allowed attackers to access private information from Microsoft 365 accounts. The flaw, called SearchLeak, was discovered by cybersecurity researchers who warned that attackers could steal data with limited action from users. Copilot is used by many organisations to search files, summarise emails, and find information across Microsoft services. Microsoft has fixed the issue and said it found no evidence that customers were affected. Users should still stay careful, keep their accounts protected, and follow security practices to reduce the risk of data exposure.

Researcher Dolev Taler from Varonis Threat Labs discovered the issue and explained that SearchLeak involved multiple weaknesses in Copilot’s search feature. According to the researcher, an attacker could send a user a normal-looking link with hidden instructions. If the user opened the link, Copilot could misunderstand those instructions and treat them as a search request.

Researchers found that Copilot could then search information available to the user, including emails, meeting notes, documents, and files stored across Microsoft services. This data could then be encoded into an image link and then sent out of the system using the Bing search engine, making it difficult to detect data movement.

Also read: Apple iPhone 18 Pro and iPhone Ultra design leaked again: Check expected specs, launch timeline and price

This made emails, information about meetings, files on SharePoint, data on OneDrive, and any other business information associated with Copilot vulnerable. Given how widely Microsoft 365 is used to store sensitive company information, the potential impact was significant.

The good news is that no attacks exploiting this flaw have been reported yet. Microsoft fixed the bug upon notification from the researchers and classified it as an important security issue.

Also read: This new Samsung AI feature can spot signs of illness in your dog or cat

How to stay safe

It’s easy to stay safe from any such AI vulnerabilities. Here are some of the tips you can follow as an individual or an organisation to ensure that your data is safe:

Don’t click on links you weren’t expecting, even if they look real. Double-check who sent a link before opening it in an email or chat message.
Make sure that your Microsoft 365 account, as well as all your working software, are updated.
Do not provide your employees access to information that is not required for their work.
Always monitor what your AI tool can access.

Bhaskar Sharma

Bhaskar is a senior copy editor at Digit India, where he simplifies complex tech topics across iOS, Android, macOS, Windows, and emerging consumer tech. His work has appeared in iGeeksBlog, GuidingTech, and other publications, and he previously served as an assistant editor at TechBloat and TechReloaded. A B.Tech graduate and full-time tech writer, he is known for clear, practical guides and explainers.