答案已發布25 來源
SearchLeak漏洞:一個點擊就令你企業資料外洩 點解Prompt Injection加舊Bug咁得人驚?
SearchLeak(CVE 2026 42824)係一個存在於Microsoft 365 Copilot Enterprise Search嘅「一點擊」資料外洩漏洞鏈,黑客只需引誘受害人撳一條偽裝成正常microsoft.com嘅連結,就可以偷走電郵、行事曆、會議紀錄、SharePoint同OneDrive檔案 [3][26]。 成個攻擊鏈分三層:首先利用「參數轉提示」(Parameter to Prompt Injection)將惡意指令塞入網址嘅q參數,迫Copilot去受害人郵箱搵敏感資料;第二步利用瀏覽器「睇住出」反應嘅時間差,喺伺服器消毒輸出前就偷步觸發<img 標籤;最後利用Bing圖片搜尋嘅CSP白名單信任,將...
215K0
AI 提示
openai.comCreate a landscape editorial hero image for this Studio Global article: What was the SearchLeak vulnerability in Microsoft 365 Copilot Enterprise Search, including the three-bug chain (parameter-to-prompt injecti. Article summary: Here is a complete breakdown of the SearchLeak vulnerability based on disclosures from Varonis Threat Labs and reporting from June 15, 2026.. Topic tags: general, government, academic, general web, user generated. Reference image context from search candidates: Reference image 1: visual subject "# Microsoft says a Microsoft 365 bug causes Copilot to summarize confidential emails since late January 2026, bypassing data loss prevention policies that organizations rely on to" source context "Microsoft says a Microsoft 365 bug causes Copilot to summarize confidential emails since late January 2026, bypassing da" Reference image 2: visual subject "r/microsoft - Micr
2026年6月,Varonis Threat Labs揭開咗一個漏洞嘅面紗,成個故仔仲精彩過間諜小說。呢個被稱為SearchLeak嘅漏洞鏈,存在於Microsoft 365 Copilot企業搜尋功能入面,黑客可以神不知鬼不覺咁偷走你嘅敏感資料——包括電郵、一次性MFA驗證碼、密碼重設連結同已索引嘅檔案——所需要嘅,只係撳一下看似正常嘅microsoft.com連結 。唔使入密碼、唔使撳第二下、更加唔使同AI講任何嘢,撳一下就玩完。最得人驚嘅係,因為條連結本身就host喺微軟自己嘅domain,傳統嘅防釣魚過濾器完全當佢係「自己人」,唔會攔截
。
微軟將呢個漏洞編號為CVE-2026-42824,內部評級係「嚴重」(Critical),好彩喺有任何人真係利用佢犯案之前,微軟已經偷偷喺伺服器嗰邊修復咗,客戶唔使做任何嘢 。但真正嘅重點唔係個修補程式,而係背後嗰個聰明絕頂嘅三層攻擊鏈,同埋佢揭示咗嘅AI安全大問題。
點解SearchLeak咁大件事?
SearchLeak唔係單一一個天塌落嚟咁大嘅Bug,而係由三個較小嘅漏洞一環扣一環咁串連起嚟。單獨睇,任何一個都未必會造成危機;但夾埋一齊,就形成一條無聲無色嘅「一點擊」資料外流管道,可以觸及到已登入用戶透過Microsoft Graph能夠存取到嘅任何嘢:電郵、行事曆邀請、會議紀錄、SharePoint文件同OneDrive檔案 。
Studio Global AI
Search, cite, and publish your own answer
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
人們還問
「SearchLeak漏洞:一個點擊就令你企業資料外洩 點解Prompt Injection加舊Bug咁得人驚?」的簡短答案是什麼?
SearchLeak(CVE 2026 42824)係一個存在於Microsoft 365 Copilot Enterprise Search嘅「一點擊」資料外洩漏洞鏈,黑客只需引誘受害人撳一條偽裝成正常microsoft.com嘅連結,就可以偷走電郵、行事曆、會議紀錄、SharePoint同OneDrive檔案 [3][26]。
首先要驗證的關鍵點是什麼?
SearchLeak(CVE 2026 42824)係一個存在於Microsoft 365 Copilot Enterprise Search嘅「一點擊」資料外洩漏洞鏈,黑客只需引誘受害人撳一條偽裝成正常microsoft.com嘅連結,就可以偷走電郵、行事曆、會議紀錄、SharePoint同OneDrive檔案 [3][26]。 成個攻擊鏈分三層:首先利用「參數轉提示」(Parameter to Prompt Injection)將惡意指令塞入網址嘅q參數,迫Copilot去受害人郵箱搵敏感資料;第二步利用瀏覽器「睇住出」反應嘅時間差,喺伺服器消毒輸出前就偷步觸發<img 標籤;最後利用Bing圖片搜尋嘅CSP白名單信任,將偷到嘅資料打包送出,全程唔會觸發任何安全警報 [3][4]。
接下來在實務上我該做什麼?
呢單漏洞喺2026年6月由Varonis公佈,微軟內部評為「嚴重」(Critical),但CVSS基本分得6.5分(中等),因為需要用戶互動撳一下。好彩微軟已經喺後台偷偷修復咗,企業同用戶唔使做任何更新 [3][10][23]。
來源
- mallory.aiCritical SearchLeak Flaw in Microsoft 365 Copilot Enabled ...
- varonis.comSearchLeak: How We Turned M365 Copilot Into a One- ...
- thehackernews.comOne-Click Microsoft 365 Copilot Flaw Could Have Let Attackers ...
- thenextweb.comA single click on a Microsoft link could have drained your inbox ...
- cvefeed.ioCVE-2026-42824 - M365 Copilot Information Disclosure ...
- socdefenders.aiCVE-2026-42824 M365 Copilot Information Disclosure Vulnerability
Loading comments...
Comments
0 comments