
Security researchers have disclosed a serious flaw in Microsoft 365 Copilot Enterprise that could have let attackers quietly steal company data. The vulnerability chain, nicknamed SearchLeak, meant that a single specially crafted link was enough to pull information out of a victim’s mailbox, OneDrive or SharePoint. No file needed opening and no password needed stealing – just one click.
This matters because Copilot sits right on top of the data your team works with every day: emails, contracts, quotes, customer records and shared documents. An AI assistant is only as safe as the permissions and trust placed around it. When the assistant itself can be tricked into reaching into your files, a tool meant to save time can quietly become a back door.
The good news is that this kind of flaw is fixed by the vendor through updates. The job for a business is to make sure those protections actually reach your staff, and that nobody is left exposed in the meantime. It is also a sign of where attacks are heading: as more of us lean on AI tools, criminals are probing them for new ways in. Australians are already being warned that scammers are using AI to crack passwords and gather personal details faster than ever.
Three practical steps for your business
- Keep Microsoft 365 current. Make sure automatic updates and security patches are switched on across every device and account – not just the office PCs.
- Be wary of unexpected links. Treat any link that arrives out of the blue, even from a familiar name, with caution. Most modern attacks start with a single click.
- Review who can access what. Limit Copilot and staff access to only the files and mailboxes each role genuinely needs, so one mistake cannot expose everything.
AI tools like Copilot can be brilliant for productivity, but they widen the surface that needs protecting. A quick review of your settings and permissions goes a long way.
Worried this affects your business? Get a free 15-minute IT check – call Trends IT on 0485 011 911 or visit /contact/.
