
One-Click 'SearchLeak' Attack on Microsoft 365 Copilot Could Steal Sensitive Data

Severity: CRITICAL

Researchers discovered a critical three-stage vulnerability chain, dubbed ‘SearchLeak,’ in Microsoft 365 Copilot Enterprise Search. This flaw could allow an attacker to exfiltrate emails, calendar details, and indexed files from a target’s Microsoft 365 account with a single click. The attack was particularly insidious because it leveraged a legitimate microsoft.com domain, bypassing many anti-phishing and URL filtering tools. Microsoft has since patched the vulnerability.

Source: The Hacker News
