When Your AI Assistant Becomes a Data Leak

Once AI can search across internal systems, it becomes part of the security architecture. What the SearchLeak case shows about AI risk in the enterprise.

Your AI assistant can become one of your biggest data risks.

That is the lesson from Varonis Threat Labs, whose cybersecurity researchers recently disclosed SearchLeak, a vulnerability in Microsoft 365 Copilot Enterprise Search. The researchers showed how Copilot could be tricked into exposing sensitive company data, including emails, 2FA codes, meeting notes, SharePoint documents, and OneDrive files.

The issue has been fixed by Microsoft. But the case shows a larger problem for companies: once AI can search across internal systems, it becomes part of the security architecture.

How SearchLeak worked

The attack started with a normal-looking Microsoft 365 search link. The link pointed to a trusted Microsoft domain, so it did not look like an obvious phishing attempt. But hidden inside the search part of the URL were instructions for Copilot.

When a user clicked the link, Copilot interpreted those hidden instructions. The instructions told Copilot to search the user’s internal company data and place the results inside an image URL.

A second weakness allowed that image request to fire before Microsoft’s safeguards fully wrapped the output. Then Bing was used as a proxy to send the exposed information to a server controlled by the attacker.

In plain language: Copilot was tricked into searching sensitive company data and sending it outside the organization.

The real lesson

SearchLeak did not require breaking into a database. It did not require a malicious plugin or special access rights. The user only had to click a Microsoft 365 link that looked legitimate.

That is why this matters. AI assistants connected to company systems do not just answer questions. They can search emails, files, calendars, documents, and other internal sources using the permissions of the user.

If those systems are not properly limited, logged, and controlled, AI becomes a new way for sensitive information to move through the organization, and potentially out of it.

What companies should take from this

Microsoft has fixed this specific vulnerability. But the broader lesson remains: companies need clear data boundaries before AI is connected to sensitive systems.

That means strict permissions, logging, limits on what AI can retrieve or expose, and clear rules for what requires human approval. AI should only access the data it needs for a specific task, and companies should be able to see what it searched, what it produced, and what happened afterward.
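One way to limit what an assistant's output can expose through image URLs, the channel described above, is to filter the response before it is rendered. The sketch below is an added example, not code from Varonis, Microsoft, or this article's author; it assumes the assistant returns Markdown, and the allowlisted host, function names, and sample text are all constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts that serve static images only. Placeholder name.
ALLOWED_IMAGE_HOSTS = {"static.example-corp.test"}

# Markdown image syntax: ![alt](url "optional title")
MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')
# Inline HTML images, in case the renderer accepts raw HTML.
HTML_IMG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)


def image_url_is_safe(url: str) -> bool:
    """Allow only https images on allowlisted hosts, with no query or fragment."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return False
    # A query string or fragment can carry retrieved data off the page, and a
    # trusted host does not help if it forwards the request somewhere else.
    return not (parts.query or parts.fragment)


def sanitize_assistant_output(text: str) -> tuple[str, list[str]]:
    """Strip unsafe images before rendering; return (clean_text, blocked)."""
    blocked: list[str] = []

    def replace_md(match: re.Match) -> str:
        alt, url = match.group(1), match.group(2)
        if image_url_is_safe(url):
            return match.group(0)
        blocked.append(url)  # record for logging and alerting
        return f"[image removed: {alt}]"

    def replace_html(match: re.Match) -> str:
        blocked.append(match.group(0))
        return "[image removed]"

    text = MD_IMAGE.sub(replace_md, text)
    return HTML_IMG.sub(replace_html, text), blocked


# Constructed sample output, not taken from the SearchLeak research.
SAMPLE = (
    "Here is your summary.\n"
    "![logo](https://static.example-corp.test/logo.png)\n"
    "![chart](https://static.example-corp.test/chart.png?d=CONSTRUCTED-VALUE)\n"
    "![status](https://images.other.test/s.png)\n"
)
```

The filter has to run on the complete response before any part of it reaches the renderer, since the article notes that the image request fired before the safeguards fully wrapped the output. The list of blocked URLs is what feeds the logging the paragraph above calls for.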

AI can make work faster. But once it can scan company-wide systems, it also creates a new security surface.

That surface needs to be controlled from the start.