SearchLeak and the New Reality of AI Security
Prompt injection. Data exfiltration. Enterprise AI. Three terms that are rapidly becoming intertwined.
Recent research into the SearchLeak attack against Microsoft 365 Copilot has triggered considerable discussion across the security community. Whilst this is not the first time Copilot and its reach have been misused, the technicalities follow a familiar pattern, and I believe it will not be the last. My initial question was:
“How do we stop SearchLeak?”
However, I think the most appropriate question is:
“How do we detect and respond when AI systems begin behaving in ways that expose sensitive information?”
Understanding SearchLeak
At a high level, SearchLeak demonstrated how an attacker could manipulate Microsoft 365 Copilot Enterprise Search to retrieve sensitive information accessible to a user and subsequently leak it through a chained attack path. Unlike traditional attacks that exploit operating systems or applications directly, SearchLeak targets something fundamentally different: the trust relationship between users, AI agents, and enterprise data.
The attack effectively turns a search request into a set of instructions that influence how the AI system retrieves and processes information. This is a subtle but important shift.
Historically, applications executed code. Today, AI systems execute intent.
That distinction changes everything.
When web applications became mainstream, organisations eventually realised that input validation mattered. SQL injection became one of the defining security challenges of the early web era. I believe that AI systems are now entering a similar phase.
Traditional applications generally operate within clearly defined boundaries:
- Email accesses email
- File systems access files
- Databases access data
Modern AI assistants operate differently; a single prompt can potentially interact with:
- SharePoint
- OneDrive
- Teams
- Knowledge repositories
- Internal documentation
- Third-party systems
The AI becomes an orchestrator spanning multiple trust boundaries, which creates opportunities for attackers that simply did not exist before.
Why This Matters Beyond Microsoft Copilot
Although SearchLeak specifically targeted Microsoft 365 Copilot, the lessons apply to virtually every enterprise AI platform. The challenge remains the same: how do you secure a system that can reason across multiple data sources simultaneously?
This is no longer purely an application security problem; it is an identity problem, a data governance problem and a monitoring problem. As such, these risks need to be owned by more than just the CISO and Security; the business and its operations collectively need to help manage AI. At the same time, it is increasingly becoming a security operations problem.
The Detection Challenge
One of the most interesting aspects of SearchLeak is that many traditional security controls may see nothing obviously malicious.
From a logging perspective, the activity may appear legitimate:
- User accesses documents
- User performs searches
- User retrieves information
- Browser loads content
The danger only emerges when those actions are correlated, if they are correlated at all. This is where security individuals and teams must evolve their thinking. The question these individuals and teams should be asking is something like:
“Is this behaviour consistent with how humans normally work?”
Detecting AI-Driven Data Exfiltration
For organisations using Microsoft Sentinel, several behavioural-detection opportunities arise.
Unusual Data Retrieval Patterns
Most users access a relatively small set of documents during a short period.
An AI-assisted attack may rapidly retrieve:
- Dozens of files
- Multiple SharePoint sites
- Sensitive content across different repositories
These behaviours can often be identified through near-real-time analytics.
Cross-System Data Access
A human user normally works within a relatively consistent set of systems.
An AI agent may rapidly pivot between:
- SharePoint
- OneDrive
- Teams
Monitoring for unusually broad access patterns can provide early warning signals.
Sensitive Information Discovery
If an organisation has implemented Microsoft Purview sensitivity labels, detections can focus on access to:
- Confidential documents
- Highly confidential information
- Financial records
- Identity-related content
- Security documentation
External Data Transfer Indicators
The final stage of any successful exfiltration attack involves data leaving the environment.
Correlating:
- Sensitive data access
- Large retrieval volumes
- External communications
The Role of Microsoft Sentinel
Many organisations immediately ask whether a Sentinel Near Real Time rule can detect attacks such as SearchLeak.
The answer is both yes and no.
No, because Sentinel cannot magically determine that an AI agent has been manipulated. Yes, because Sentinel can detect the behaviours that successful attacks must generate.
A practical detection strategy might monitor:
- High file access volumes
- Access to multiple SharePoint sites
- Sensitive label interactions
- Unusual user behaviour
- External communications shortly afterwards
Detect the consequences, not the exploit.
This is likely the most effective approach: as AI use increases, human and AI behaviour patterns blur together, and the growing use of agentic workflows muddies the waters further.
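The correlation described in the two sections above (rapid retrieval volume, multiple sites, cross-workload pivoting, sensitivity-label interactions, then an external communication shortly afterwards), as an added example that is not part of the original post and is not Microsoft's or Sentinel's own code: a small Python detector run over constructed, audit-style events. The event fields, thresholds, label names and sample data are all assumptions chosen for illustration; in Sentinel the same logic would be expressed as a KQL analytics rule over the OfficeActivity table, with thresholds tuned to the tenant's own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed audit-style event (not real OfficeActivity data). The fields mirror
# what a unified audit log records: who, when, which workload, which object,
# its sensitivity label, and whether an outbound message went to an external party.
@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    user: str
    workload: str          # e.g. "SharePoint", "OneDrive", "Exchange"
    operation: str         # e.g. "FileAccessed", "Send"
    object_id: str         # file path or message id
    site: str = ""         # SharePoint site URL, if applicable
    label: str = ""        # Purview sensitivity label name (assumed names)
    external_recipient: bool = False


# Assumed label names and thresholds; every tenant's baseline differs.
SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}
WINDOW = timedelta(minutes=10)      # retrieval burst window
MIN_FILES = 20                      # "dozens of files" in a short period
MIN_SITES = 3                       # multiple SharePoint sites
MIN_WORKLOADS = 2                   # pivoting between SharePoint/OneDrive/Teams
FOLLOW_UP = timedelta(minutes=30)   # external communication "shortly afterwards"


def detect_exfiltration_patterns(events, window=WINDOW, min_files=MIN_FILES,
                                 min_sites=MIN_SITES, min_workloads=MIN_WORKLOADS,
                                 follow_up=FOLLOW_UP):
    """Return one alert per user per qualifying retrieval window.

    A window fires when at least two independent indicators are present; a
    single indicator (e.g. one confidential file) is normal human work.
    An external send after the window escalates severity: we detect the
    consequences of a successful attack, not the prompt injection itself.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_user[ev.user].append(ev)

    alerts = []
    for user, evs in by_user.items():
        accesses = [e for e in evs if e.operation == "FileAccessed"]
        sends = [e for e in evs if e.operation == "Send" and e.external_recipient]
        i = 0
        while i < len(accesses):
            start = accesses[i].time
            end = start + window
            bucket = [e for e in accesses[i:] if e.time < end]
            files = {e.object_id for e in bucket}
            sites = {e.site for e in bucket if e.site}
            workloads = {e.workload for e in bucket}
            sensitive = [e for e in bucket if e.label in SENSITIVE_LABELS]

            reasons = []
            if len(files) >= min_files:
                reasons.append(f"{len(files)} distinct files in {window}")
            if len(sites) >= min_sites:
                reasons.append(f"{len(sites)} SharePoint sites")
            if len(workloads) >= min_workloads:
                reasons.append("cross-workload access: " + ", ".join(sorted(workloads)))
            if sensitive:
                reasons.append(f"{len(sensitive)} labelled-sensitive files")

            if len(reasons) >= 2:
                external = any(start <= s.time <= end + follow_up for s in sends)
                alerts.append({
                    "user": user,
                    "window_start": start.isoformat(),
                    "distinct_files": len(files),
                    "distinct_sites": len(sites),
                    "workloads": sorted(workloads),
                    "sensitive_files": len(sensitive),
                    "external_send_after": external,
                    "severity": "High" if external else "Medium",
                    "reasons": reasons,
                })
                i += len(bucket)   # move past this window; no overlapping alerts
            else:
                i += 1
    return alerts


def generate_sample_events():
    """Constructed sample: one noisy AI-assisted burst and one normal user."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    sites = ["https://contoso.example/sites/finance",
             "https://contoso.example/sites/hr",
             "https://contoso.example/sites/security"]
    events = []
    # alice: 24 SharePoint files across three sites in six minutes, a labelled
    # OneDrive file, then an email to an external recipient 20 minutes later.
    for n in range(24):
        site = sites[n % 3]
        events.append(AuditEvent(base + timedelta(seconds=15 * n), "alice@contoso.example",
                                 "SharePoint", "FileAccessed", f"{site}/doc{n}.docx", site,
                                 "Confidential" if n % 4 == 0 else "General"))
    events.append(AuditEvent(base + timedelta(minutes=5), "alice@contoso.example", "OneDrive",
                             "FileAccessed", "personal/alice/budget.xlsx", "", "Highly Confidential"))
    events.append(AuditEvent(base + timedelta(minutes=20), "alice@contoso.example", "Exchange",
                             "Send", "msg-0001", external_recipient=True))
    # bob: five files from one site over ten minutes, no external mail.
    for n in range(5):
        events.append(AuditEvent(base + timedelta(minutes=2 * n), "bob@contoso.example",
                                 "SharePoint", "FileAccessed", f"{sites[0]}/report{n}.docx",
                                 sites[0], "General"))
    return events


if __name__ == "__main__":
    for alert in detect_exfiltration_patterns(generate_sample_events()):
        print(alert["severity"], alert["user"], "|", "; ".join(alert["reasons"]))
```

Requiring two indicators before firing is the design choice that matters here: each signal on its own describes ordinary work, and it is only their correlation within a short window, and the external communication that follows, that looks unlike how a human normally operates.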
As useful as Sentinel detections are, they should not be viewed as the primary control. The most effective defence remains reducing unnecessary access to data in the first place; every AI assistant ultimately inherits the permissions and data exposure present within the environment.
If SharePoint permissions are excessive, AI will expose that problem.
If sensitive data lacks classification, AI will expose that problem.
If governance has been neglected for years, AI will expose that problem too.
The problem cascades down, and AI doesn’t create most of these risks; it simply accelerates their impact.
Final Thoughts
SearchLeak is unlikely to be remembered because of a single vulnerability.
It will be remembered for highlighting a fundamental change in how organisations must think about security.
We are entering a period where:
- Prompts become attack vectors.
- AI agents become trusted intermediaries.
- Data governance becomes security governance.
- Detection engineering becomes AI security engineering.
The organisations that succeed will not be those that deploy AI the fastest; they will be those that understand how to govern, monitor and secure AI from day one.
Because in the age of AI, the question is no longer whether your data is accessible; it’s whether you know when something starts accessing it differently.