Two newly detailed attacks show how the AI assistants and agents now woven into everyday work can be quietly turned against their users, leaking sensitive data or running attacker code without an obvious click. Both were documented by Microsoft researchers and compiled in Check Point Research's weekly threat report.
SearchLeak: a poisoned link that makes Copilot talk
The first technique, called SearchLeak, is a prompt injection against Microsoft 365 Copilot Search. Prompt injection is when hidden instructions smuggled into content the AI reads get treated as commands it should follow. With SearchLeak, a single crafted link can trigger those hidden instructions and quietly exfiltrate data, abusing Copilot's ability to fetch images through Bing to smuggle the stolen information out. Researchers showed it could expose emails, authentication codes, and files held in OneDrive or SharePoint. Microsoft has patched the issue as CVE-2026-42824.
AutoJack: a web page that hijacks an AI browsing agent
The second, AutoJack, targets AI browsing agents, the tools that let an AI navigate and act on web pages on your behalf. A malicious page can chain weaknesses in AutoGen Studio's MCP WebSocket interface, including misplaced trust in localhost connections, missing authentication, and unsafe handling of parameters, to escalate from merely being viewed to full remote code execution on the user's machine. In plain terms, visiting the wrong site while an agent is driving the browser could hand an attacker control of the system.
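To make the three weaknesses concrete from the defender's side, here is an added example, not AutoGen Studio's code and not Microsoft's fix, of how a local agent's WebSocket control interface can refuse a connection that a hostile page opens to localhost. It rejects non-loopback peers, rejects browser origins outside an allowlist, requires a per-process bearer token, and validates each tool call against a schema, including a workspace containment check on paths. The origin list, the token handling, the tool names and the workspace directory are all assumptions made for this example.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from pathlib import Path
from typing import Any, Mapping

# Constructed policy for a hypothetical local agent control socket. None of the
# names below are AutoGen Studio's or Microsoft's; they are assumptions for the example.
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}  # the trusted UI only
AGENT_TOKEN = secrets.token_urlsafe(32)  # minted per process, handed only to that UI
WORKSPACE = Path("/srv/agent/workspace")  # the only directory read_file may touch
TOOL_SCHEMAS = {  # every exposed tool with the exact parameter set it accepts
    "read_file": {"path": str},
    "search": {"query": str, "limit": int},
}


@dataclass
class Verdict:
    accepted: bool
    reason: str


def check_upgrade(headers: Mapping[str, str], peer_ip: str, token: str = AGENT_TOKEN) -> Verdict:
    """Gate a WebSocket upgrade to the agent interface.

    A loopback peer proves nothing: any page open in a local browser can connect to
    localhost, and the browser attaches that page's Origin to the handshake. So the
    peer address is only a coarse first filter; the Origin and the token decide.
    """
    try:
        if not ipaddress.ip_address(peer_ip).is_loopback:
            return Verdict(False, f"non-loopback peer {peer_ip}")
    except ValueError:
        return Verdict(False, f"unparseable peer address {peer_ip!r}")
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")  # absent for non-browser clients, which still need the token
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return Verdict(False, f"origin not allowed: {origin}")
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(presented.encode(), token.encode()):
        return Verdict(False, "missing or invalid bearer token")
    return Verdict(True, "ok")


def check_tool_call(message: Mapping[str, Any]) -> Verdict:
    """Validate one tool invocation before it reaches the tool: unknown tools, extra or
    missing parameters, wrong types and workspace escapes are all rejected."""
    tool = message.get("tool")
    if not isinstance(tool, str) or tool not in TOOL_SCHEMAS:
        return Verdict(False, f"unknown tool {tool!r}")
    params = message.get("params")
    schema = TOOL_SCHEMAS[tool]
    if not isinstance(params, dict) or set(params) != set(schema):
        return Verdict(False, "parameter set does not match schema")
    for name, expected in schema.items():
        if type(params[name]) is not expected:  # exact type: bool must not pass as int
            return Verdict(False, f"parameter {name!r} must be {expected.__name__}")
    if "path" in params:
        root = WORKSPACE.resolve()
        target = (root / params["path"]).resolve()  # absolute or ../ input resolves outside root
        if root not in target.parents:
            return Verdict(False, "path is not inside the workspace")
    return Verdict(True, "ok")


if __name__ == "__main__":
    good = {"Origin": "http://localhost:8081", "Authorization": f"Bearer {AGENT_TOKEN}"}
    print(check_upgrade(good, "127.0.0.1"))
    print(check_upgrade({**good, "Origin": "https://malicious-page.invalid"}, "127.0.0.1"))
    print(check_tool_call({"tool": "read_file", "params": {"path": "../../etc/passwd"}}))
```

The Origin check is the piece that matters most for the page-driven scenario: browsers always attach the page's origin to a WebSocket handshake, so an allowlist of origins closes the path from an arbitrary site to the local interface even though the TCP peer is 127.0.0.1. The token then covers clients that are not browsers at all, and the schema check stops a connection that did get through from passing parameters the tool was never meant to see.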
Why it matters
Both attacks share a root cause: AI systems that automatically trust and act on outside content, whether a search result, an email, or a web page. As organizations wire assistants and agents into mailboxes, files, and local tools, that trust becomes an exfiltration and execution path that traditional defenses are not built to see. The pattern echoes earlier agent abuse we have covered, from a zero-click prompt injection in Microsoft 365 Copilot to poisoned skill packages that hijack AI agents.
What you should do
- Apply Microsoft's update for CVE-2026-42824 and keep Copilot and its connected services current.
- Treat AI browsing and coding agents as privileged software: restrict the sites and tools they can reach, require authentication on local agent interfaces, and keep agent control surfaces away from untrusted input.
- Limit the data assistants can access by default, and monitor for unusual outbound requests that could signal data being smuggled out through an AI feature.
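As an added illustration of the last recommendation, and of the channel SearchLeak abuses (an assistant fetching an image from a URL the injected content chose), the following example is not code from Microsoft or Check Point Research. It scans constructed egress-log lines for assistant-initiated image fetches that go to hosts outside an allowlist or carry long, high-entropy encoded segments, and it pairs that detection with a policy function that blocks rendering from any host not on the allowlist. The log format, the allowlisted hosts, the sample URLs and the thresholds are all assumptions made for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import parse_qsl, urlsplit

# Hosts the assistant may load images from (constructed allowlist for this example).
ALLOWED_IMAGE_HOSTS = {"cdn.example-corp.internal", "sharepoint.example-corp.internal"}

# Shape of the constructed egress-log lines used below (not a real product's format):
# <timestamp> kind=<fetch type> user=<user> url=<url>
LOG_RE = re.compile(r"^(?P<ts>\S+) kind=(?P<kind>\S+) user=(?P<user>\S+) url=(?P<url>\S+)$")

# A run of 40+ base64/base64url characters inside one path segment or query value.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+=_-]{40,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption tuned for this sample
MAX_QUERY_LEN = 200      # assumption: image URLs rarely need long query strings


@dataclass
class Finding:
    ts: str
    user: str
    host: str
    reasons: List[str]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random base64 scores above 5, repeated names far lower."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def allow_image_fetch(url: str) -> bool:
    """Enforcement side: only images on allowlisted hosts may be rendered at all."""
    return host_of(url) in ALLOWED_IMAGE_HOSTS


def assess_url(url: str) -> List[str]:
    """Detection side: reasons an assistant-initiated image fetch looks like smuggled data."""
    parts = urlsplit(url)
    reasons = []
    if host_of(url) not in ALLOWED_IMAGE_HOSTS:
        reasons.append("host not allowlisted")
    # Inspect each path segment and each query value separately so a normal
    # multi-segment path is not mistaken for one long encoded blob.
    segments = parts.path.split("/") + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for seg in segments:
        m = ENCODED_RUN.search(seg)
        if m and shannon_entropy(m.group(0)) > ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy segment ({len(m.group(0))} chars)")
            break
    if len(parts.query) > MAX_QUERY_LEN:
        reasons.append("oversized query string")
    return reasons


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per image fetch that trips at least one heuristic."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["kind"] != "image_fetch":
            continue
        reasons = assess_url(m["url"])
        if reasons:
            findings.append(Finding(m["ts"], m["user"], host_of(m["url"]), reasons))
    return findings


# Constructed sample: two benign fetches, one non-image fetch, and one fetch whose
# query value is a 46-character encoded blob sent to a host outside the allowlist.
SAMPLE_LOG = [
    "2026-05-02T10:15:01Z kind=image_fetch user=alice url=https://cdn.example-corp.internal/logo.png",
    "2026-05-02T10:15:04Z kind=image_fetch user=alice url=https://collector.invalid/i.png?d=ZW1haWw9am9obkBleGFtcGxlLmNvbSZjb2RlPTQ4MjkxMQ",
    "2026-05-02T10:15:09Z kind=page_fetch user=bob url=https://news.example.com/article",
    "2026-05-02T10:15:12Z kind=image_fetch user=bob url=https://img.example.net/banner.gif",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} user={f.user} host={f.host}: {', '.join(f.reasons)}")
```

The allowlist is the control that actually closes the channel; the entropy and length heuristics exist for the monitoring step, so that a fetch which slips past a too-broad allowlist still produces a finding a responder can chase back to the user and the content that triggered it.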
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.