When the AI assistant becomes the data leak: what EchoLeak and SearchLeak teach

Picture an employee clicking a link that unmistakably leads to microsoft.com. No download, no warning, no second click. Seconds later, email contents, MFA codes and confidential SharePoint files are at the attacker's server. That is exactly what SearchLeak describes — a vulnerability in Microsoft 365 Copilot disclosed on 15 June 2026 by Varonis (Varonis Threat Labs).

And it is not an isolated case. A year earlier, EchoLeak showed that a single email — with no click at all — was enough to make the same assistant leak data. In between sit further cases at Salesforce and Grafana. The pattern matters more than any single patch. Let's look closely — soberly, and without security salvation promises.

The lethal trifecta: three conditions that make every attack possible

Developer Simon Willison captured the problem on 16 June 2025 in a formula, the "lethal trifecta": an AI agent becomes dangerous when three things come together — access to private data, exposure to untrusted content, and the ability to communicate externally (source). Only the combination is lethal: an attacker injects a hidden instruction through one of many channels (untrusted content), the model has access to your mailbox and files (private data), and it can send the loot out via a network request (external communication).

The crucial point is that the trifecta is conjunctive: all three legs must be present. Remove one, and the concrete chain breaks. And the most controllable leg is external communication — the channel through which stolen data leaves in the first place.

Anatomy of a leak: EchoLeak and SearchLeak

Both attacks hit the same assistant and followed the same blueprint: instruction in, data out — through a channel that looked trustworthy to the security model.

EchoLeak — with no click at all (2025)

EchoLeak (CVE-2025-32711, rated critical at CVSS 9.3 by Microsoft, 7.5 by the NVD) was discovered by Aim Labs and disclosed on 11 June 2025. It is considered the first documented zero-click attack on a production AI system: the attacker simply sends an email with hidden instructions. When the victim later asks Copilot something work-related, the assistant pulls that email into its context via retrieval — and executes the instruction. Aim calls the principle "LLM Scope Violation": untrusted input makes the model disclose trusted, privileged data (analysis). Exfiltration happened via an auto-loaded markdown image whose URL carried the stolen data; a trusted Microsoft domain served as a detour to bypass the Content Security Policy. Microsoft fixed it server-side; no exploitation in the wild is known.

SearchLeak — one click is enough (June 2026)

SearchLeak (CVE-2026-42824) moved the attack into Copilot Enterprise Search. Its three-step chain is instructive because it fuses classic web bugs with AI bugs:

1. Parameter-to-prompt injection: the q parameter of the search URL is meant for a natural-language question — but Copilot reads whatever sits there as instructions. A crafted URL tells the assistant to search the mailbox and embed contents into an image URL.
2. Render race condition: the browser renders the answer as it arrives. The injected image tag (<img>) fires its request before the sanitizer runs.
3. Bing as an exfiltration proxy: the Content Security Policy only allows images from allowlisted domains — including *.bing.com. Bing's "Search by Image" endpoint fetches a given image URL server-side. So Bing becomes an unwitting exfiltration channel — a classic SSRF hiding behind a legitimate Microsoft service.

Exfiltratable data included email subjects and contents, MFA and one-time codes, calendar data and private SharePoint and OneDrive files — triggered by a single click on a microsoft.com link, with no OAuth approval or second step. Again: fixed server-side, proof of concept only, no known exploitation. One point of context: the press often calls SearchLeak "critical"; the formal CVSS scores, however, are 6.5 (Microsoft) and 7.5 (NVD).

A pattern, not a one-off

Line the cases up and the trajectory becomes visible — from proof of concept to a recurring blueprint across multiple vendors.

For precision: GrafanaGhost (discovered by Noma Security) received no CVE number; the circulating identifier CVE-2026-27876 refers to a different Grafana issue. ForcedLeak is tracked at CVSS 9.4 but without a formal CVE. The lesson is still clear: indirect prompt injection has become a real data-exfiltration vector — and it sits at the very top of the OWASP Top 10 for LLM Applications as LLM01, with data leakage right below as LLM02.

Why classic web bugs now fuse with AI bugs

What is genuinely new about SearchLeak is the composition: an SSRF and a render race condition — both long known — are combined with an AI-specific weakness, namely that an assistant cannot reliably separate instructions from data. Every additional channel the assistant pulls content from (email, DMS, SharePoint, web, URL parameters) widens the attack surface for the second trifecta leg. And every outbound network path — an image, a link, an API call — is a potential exfiltration channel for the third.

What a local, permission-aware AI changes — and what it doesn't

Here is the honest assessment. No design prevents prompt injection entirely — OWASP and security researchers agree there is no reliable 100% prevention. Anyone advertising "immune" or "blocks 99%" misses that an attacker only needs the one attempt that gets through.

What you can influence are two of the three legs of the trifecta:

• Close the exfiltration channel. A local stack with no outbound internet connection has no path to the outside through which stolen data could leave the building. The third — and most controllable — leg is structurally removed. More on our Security & data sovereignty page.
• Retrieve permission-aware. When the model answers only from documents the user is actually authorized to see, the first leg shrinks: even a successful injection reaches only what that user already had access to — not the entire corporate memory.

On top of that, a complete audit trail makes every retrieval traceable. That is exactly how Lokalaise is built: a permission-aware knowledge layer and AI agents that work solely on your own documents and your own hardware — with no external APIs. Why data sovereignty matters beyond security, we covered using cloud sovereignty: BSI C3A: when is a cloud truly sovereign?.

To be honest about the rest of the picture: a local agent with overly broad internal rights can do harm even without the internet (OWASP calls this "Excessive Agency"). Local is no blank cheque — least privilege, approvals and human oversight remain necessary. Defense in depth means weakening several legs at once.

What decision-makers should do now

Three questions get to the core quickly — ask them of every AI assistant in your organization:

1. Exfiltration: Can the assistant open an outbound connection to the open internet — via images, links or API calls? If so, an exfiltration channel exists.
2. Permissions: Does the AI answer strictly only from sources the given user is authorized to see — or does it inherit an over-permissive model?
3. Traceability: Can every access be reviewed after the fact?

If any of these gives you pause, it's worth a closer look. In a short demo we'll show you how a local, permission-aware AI stack concretely shrinks the attack surface in your organization.