Event type:
Vulnerability
Report time:
2026-06-15 22:05:22
Original content:
A critical vulnerability chain dubbed SearchLeak (CVE-2026-42824) was discovered in Microsoft 365 Copilot Enterprise, enabling potential one-click data theft via a malicious URL. The attack chained three flaws: prompt injection through the Copilot search parameter, an HTML rendering race condition, and an SSRF issue in Bing's image search, to extract sensitive data from emails, OneDrive, SharePoint, and calendar events. When a victim clicks a crafted link, Copilot is manipulated into retrieving internal data and embedding it in image requests that are silently sent to an attacker-controlled server via Bing. Microsoft has already patched the issue, and no user action is required, but the case highlights how chaining multiple vulnerabilities can turn AI systems into powerful data exfiltration tools.
Targeted country/region:
USA
Targeted industry:
Information Technology (IT) Services
Targeted organization:
microsoft
Targeted domain:
microsoft.com
Attacking organization:
None
Information source:
openweb