O365 Under Siege: SearchLeak, Device Code Phishing, and the New Copilot Attack Surface

Published: June 17, 2026 | Author: RedSheep Reports

Microsoft 365 is, by most measures, the most widely targeted SaaS platform globally. Hundreds of millions of users authenticate through a single boundary that gates email, identity, file storage, and collaboration. The attacks running against M365 tenants right now are faster, more creative, and harder to catch than anything from even two years ago. And the newest attack surface, Microsoft 365 Copilot, has created an exfiltration shortcut that most security teams haven't planned for.

This month, Varonis Threat Labs publicly disclosed a vulnerability chain in Microsoft 365 Copilot Enterprise called "SearchLeak" (CVE-2026-42824). A single crafted URL click could exfiltrate a victim's entire mailbox, calendar, SharePoint documents, and OneDrive files [1]. The URL pointed to a legitimate microsoft.com domain, which meant traditional anti-phishing filters were unlikely to flag it [1]. This is the third major Copilot exfiltration bug in roughly a year, and we assess it is unlikely to be the last.

SearchLeak: Anatomy of a One-Click Exfiltration Chain

Varonis researcher Dolev Taler identified and chained three individually insufficient flaws into a single devastating attack path [1]:

1. Parameter-to-Prompt (P2P) injection through the q URL parameter, allowing an attacker to inject instructions into Copilot's processing context [1].
2. HTML rendering race condition where an <img> tag fires before the sanitizer catches it, creating a brief window for data exfiltration [1].
3. Content Security Policy bypass via a Bing server-side request forgery (SSRF), routing exfiltrated data through a trusted Microsoft domain [1].

The practical effect: an attacker crafts a URL on a real microsoft.com domain and sends it to the target. One click, and Copilot's privileged access to the user's entire M365 data set takes over. Mailbox content (including access codes and passwords), calendar entries, SharePoint documents, and OneDrive files get sent back to attacker infrastructure [1].

Microsoft patched the flaw server-side. No user action was required [1].

There is a notable scoring disagreement. Microsoft assigned SearchLeak a CVSS base score of 6.5 (medium) while separately labeling it with its maximum severity rating of "critical." The NVD assigned a CVSS of 7.5 (high) [1]. Defenders should note the gap between the numeric CVSS scores and the real-world impact of full data exfiltration from a single click. CVSS doesn't always capture business risk.

Varonis presented a working proof-of-concept. No in-the-wild exploitation has been reported [1].

A Pattern, Not an Anomaly

SearchLeak was not the first Copilot exfiltration vulnerability. Aim Security disclosed EchoLeak (CVE-2025-32711), a zero-click variant targeting Microsoft 365 Copilot, in 2025 [1]. These major exfiltration bugs in Copilot within roughly twelve months paint a clear picture: AI assistants with broad data access permissions create a concentrated point of failure.

The core design tension is straightforward. Copilot needs wide-ranging read access to mailboxes, calendars, SharePoint, and OneDrive to be useful. That same access makes any Copilot vulnerability an automatic bulk exfiltration path. Traditional data loss prevention (DLP) controls weren't designed for an AI intermediary that can read everything and summarize it into a single outbound request.

Who's Targeting M365 Tenants

Multiple distinct threat clusters are actively targeting M365 environments, and they aren't all after the same thing.

Midnight Blizzard (APT29 / Cozy Bear)

Microsoft's most documented adversary against its own platform. Their January 2024 breach of Microsoft's corporate tenant demonstrated the core problem: they accessed executive email accounts by compromising a legacy non-production test tenant account through password spraying, then leveraging a legacy test OAuth application that had elevated access to the Microsoft corporate environment [2]. No zero-day was needed. A misconfigured test account linked to a legacy OAuth application with elevated access was sufficient [2].

Midnight Blizzard has also been linked to device code phishing campaigns targeting M365 users. This technique abuses the OAuth 2.0 device authorization grant flow (intended for devices without browsers, like smart TVs). The attacker initiates a device code authentication flow, then tricks the victim into entering the code at microsoft.com/devicelogin. Once the victim authenticates, the attacker captures the resulting tokens. The tokens bypass MFA entirely because the user already completed the MFA challenge.

Storm-0539

A financially motivated group targeting gift card fraud and retail financial systems through M365. Microsoft threat intelligence has tracked them abusing OAuth app registrations to maintain persistence after initial access. Their playbook focuses on creating or hijacking OAuth applications with mailbox and directory read permissions, giving them persistent access that survives password resets.

Scattered Spider (UNC3944)

This group combines social engineering with technical exploitation. They have used SMS phishing, SIM swapping, and help desk social engineering to bypass MFA and enroll attacker-controlled devices into Entra ID. Their preferred initial access vector is calling the help desk, impersonating an employee, and convincing the operator to reset MFA or enroll a new device.

Commodity Operators and PhaaS Platforms

Bulk credential stuffing and phishing-as-a-service (PhaaS) operations use platforms like EvilProxy and Tycoon 2FA to target M365 tenants with adversary-in-the-middle (AiTM) phishing, intercepting session tokens in real time to bypass MFA.

Separately, Kali365 is a PhaaS platform first observed in April 2026 and the subject of an FBI Public Service Announcement (PSA) in May 2026. Unlike the AiTM platforms above, Kali365 abuses the OAuth 2.0 device code authentication flow to capture access tokens without intercepting credentials. It provides AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture capabilities to subscribers, lowering the barrier of entry for less-technical attackers.

Technical Detail: The OAuth and Device Code Kill Chain

The most persistent and dangerous M365 attacks don't exploit software bugs. They exploit trust relationships baked into the identity layer.

OAuth App Abuse

The pattern Midnight Blizzard used against Microsoft itself follows a repeatable kill chain:

1. Initial access via password spray or credential stuffing against accounts without MFA (often test or service accounts) [2].
2. OAuth app compromise: the attacker compromises an existing legacy OAuth app registration with elevated access permissions, or creates additional malicious OAuth applications to expand access [2].
3. Consent grant abuse: the attacker grants admin consent to the app, or uses an app that already has consent, to access mailboxes and files across the tenant [2].
4. Persistent data access: because OAuth tokens refresh automatically, the attacker maintains access even after the compromised account's password is changed [2].

The critical point: OAuth app permissions often outlive the credential compromise that enabled them. Rotating the password doesn't revoke the app's consent.

Device Code Phishing

Device code phishing works because the OAuth 2.0 device authorization flow was designed for input-constrained devices. The attacker:

1. Initiates a device code flow against login.microsoftonline.com.
2. Receives a user code and a polling URL.
3. Sends the user code to the victim via phishing email, Teams message, or social engineering.
4. The victim navigates to microsoft.com/devicelogin, enters the code, and completes MFA.
5. The attacker's polling endpoint receives the access and refresh tokens.

This bypasses MFA, conditional access policies that don't restrict device code flow, and most phishing-resistant authentication methods (unless FIDO2 is enforced and device code flow is blocked at the tenant level).

MITRE ATT&CK Mapping

Copilot Exfiltration Indicators

• Monitor Copilot audit logs for unusual query volumes or queries containing encoded URLs, <img> tags, or prompt injection patterns.
• Watch for outbound network connections from Copilot sessions to non-Microsoft infrastructure, particularly image requests to external domains.
• Baseline normal Copilot usage per user. Alert on sudden spikes in data access volume through the Copilot interface.

OAuth and Device Code Abuse

• Query Entra ID sign-in logs for authenticationProtocol == deviceCode. Any device code authentication from users who shouldn't be using input-constrained devices warrants investigation.
• Audit OAuth app consent grants. Look for apps with Mail.Read, Mail.ReadWrite, Files.Read.All, or Directory.Read.All permissions that were granted recently or by non-admin users.
• Hunt for OAuth apps with consent granted by a single user that access data from multiple mailboxes.
• In Microsoft Sentinel or similar SIEM:

SigninLogs
| where AuthenticationProtocol == "deviceCode"
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, DeviceDetail

Credential Spray Detection

• Look for distributed password spray patterns: many accounts targeted with the same password from few IP addresses, followed by a shift to a new password.
• Monitor for successful authentications to legacy or test tenants that precede OAuth app activity in production tenants.

Analysis

Three trends define the current M365 threat picture.

First, Copilot has become a force multiplier for attackers. Every vulnerability in Copilot grants access to everything Copilot can see, which, by design, is most of a user's M365 data. The exfiltration bugs disclosed over the past year (EchoLeak and SearchLeak) all exploited this same architectural property [1]. Microsoft's server-side patching model means defenders can't control the remediation timeline.

Second, OAuth and identity-layer attacks have matured beyond credential theft. Groups like Midnight Blizzard don't need malware or zero-days when misconfigured OAuth apps and device code flows provide persistent, MFA-resistant access [2]. The January 2024 Microsoft breach proved that even Microsoft's own tenant was vulnerable to these techniques.

Third, the commoditization of MFA bypass through platforms like EvilProxy, Tycoon 2FA, and Kali365 has made session and token theft accessible to low-skill operators at scale. AiTM session interception and device code flow abuse are now commodity capabilities, not nation-state techniques.

References

1. BleepingComputer. "New attack turned Microsoft 365 Copilot into 1-click data theft tool." June 2026. https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/
2. Microsoft Security Blog. "Midnight Blizzard: Guidance for responders on nation-state attack." January 2024. https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

Hunt Guide: Hunt Report: O365 Under Siege — Copilot Exploitation, Device Code Phishing, and OAuth Abuse Targeting Microsoft 365 Environments

Hypothesis: If Midnight Blizzard, Scattered Spider, APT28, or commodity PhaaS operators (Kali365/EvilProxy/Tycoon 2FA) are actively targeting our Microsoft 365 environment, we expect to observe anomalous device code authentication flows, suspicious OAuth application registrations with excessive permissions, AiTM session token hijacking indicators, Copilot prompt injection patterns, and Outlook exploitation artifacts in Entra ID sign-in logs, Microsoft 365 Unified Audit Logs, Copilot audit logs, and endpoint telemetry.

Intelligence Summary: Multiple threat actors including Midnight Blizzard (APT29), APT28, Scattered Spider, and commodity PhaaS operators are actively exploiting Microsoft 365 environments through device code phishing, OAuth application abuse, AiTM session hijacking, and a newly disclosed Copilot prompt injection vulnerability chain (CVE-2026-42824 'SearchLeak'). The commoditization of device code phishing through platforms like Kali365 has rendered most MFA implementations ineffective, while recurring Copilot exfiltration vulnerabilities demonstrate that AI assistants with broad data access create persistent single points of failure. Critical Outlook vulnerabilities CVE-2023-23397 and CVE-2024-21413 remain actively exploited against unpatched environments.

Confidence: High | Priority: Critical

Scope

• Networks: All Microsoft 365 / Entra ID tenants including production, test, and development tenants. Special attention to tenants with Microsoft 365 Copilot Enterprise enabled. All Exchange Online mailboxes, SharePoint Online sites, OneDrive accounts. Network perimeter for outbound SMB (TCP 445) and WebDAV traffic.
• Timeframe: 90-day lookback recommended (minimum 30 days). Device code authentication and OAuth app registration hunts should cover the full available audit log retention period. For CVE-2023-23397, lookback to initial disclosure (March 2023) if historical logs are available.
• Priority Systems: Executive and VIP mailboxes, IT administrator accounts, Global Admin / Privileged Role Administrator accounts, service accounts with OAuth application registrations, users with Microsoft 365 Copilot Enterprise licenses, legacy/test tenants with OAuth applications, accounts with legacy authentication protocols still enabled.

MITRE ATT&CK Techniques

T1528 — Steal Application Access Token (Credential Access) [P1]

Kali365 and similar PhaaS platforms exploit Microsoft's legitimate device code authentication flow (microsoft.com/devicelogin) to trick users into authorizing attacker-controlled devices, capturing OAuth tokens that bypass MFA. Midnight Blizzard has also used this technique extensively. Captured tokens persist for days to weeks depending on tenant configuration.

Splunk SPL:

index=azure sourcetype="azure:aad:signin" OR sourcetype="ms:aad:signin" AuthenticationProtocol="deviceCode"
| eval auth_time=_time
| eval user=UserPrincipalName
| eval src_ip=IPAddress
| eval location=LocationDetails.city.",".LocationDetails.state.",".LocationDetails.countryOrRegion
| eval app=AppDisplayName
| eval status=ResultType
| where status=0
| stats count earliest(auth_time) as first_seen latest(auth_time) as last_seen dc(src_ip) as unique_ips values(src_ip) as ip_list values(location) as locations values(app) as apps by user
| where count > 0
| sort - count
| table user count first_seen last_seen unique_ips ip_list locations apps

Elastic KQL:

event.dataset:"azure.signinlogs" AND azure.signinlogs.properties.authentication_protocol:"deviceCode" AND event.outcome:"success"

Sigma Rule:

title: Device Code Authentication Flow Detected in Entra ID
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects successful device code authentication flows in Azure AD/Entra ID sign-in logs, which may indicate device code phishing attacks such as those used by Kali365 and Midnight Blizzard.
references:
  - https://www.ic3.gov/PSA/2026/PSA260521
  - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    properties.authenticationProtocol: 'deviceCode'
    ResultType: 0
  condition: selection
falsepositives:
  - Legitimate device code flows for IoT devices, conference room equipment, or CLI-based tools (Azure CLI, PowerShell)
  - Users authenticating from devices without browsers
level: high
tags:
  - attack.credential_access
  - attack.t1528

Tune by establishing a baseline of legitimate device code auth users (e.g., Azure CLI admins, conference room devices). Any device code flow from a user who does not normally use this method is high-priority. Consider Conditional Access policies to block device code flow entirely for users who do not require it.

T1550.001 — Use Alternate Authentication Material: Application Access Token (Defense Evasion, Lateral Movement) [P1]

After capturing OAuth tokens via device code phishing or AiTM attacks, threat actors use stolen application access tokens to authenticate to Microsoft 365 services (Exchange Online, SharePoint, OneDrive, Graph API) without needing the user's password or MFA. Token refresh activity from IP addresses different from the initial authentication IP is a key indicator.

Splunk SPL:

index=azure sourcetype="azure:aad:signin" OR sourcetype="ms:aad:signin" ResultType=0
| eval user=UserPrincipalName
| eval src_ip=IPAddress
| eval auth_method=AuthenticationMethodsUsed
| eval token_type=TokenIssuerType
| eval app=AppDisplayName
| eval is_interactive=IsInteractive
| stats dc(src_ip) as unique_ips values(src_ip) as ip_list values(app) as apps min(_time) as first_auth max(_time) as last_auth by user
| where unique_ips > 3
| eval time_window=last_auth - first_auth
| where time_window < 3600
| sort - unique_ips
| table user unique_ips ip_list apps first_auth last_auth time_window

Elastic KQL:

event.dataset:"azure.signinlogs" AND event.outcome:"success" AND NOT azure.signinlogs.properties.is_interactive:true

Sigma Rule:

title: OAuth Token Used From Multiple IP Addresses Within Short Timeframe
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects scenarios where a user's session tokens are used from multiple distinct IP addresses within a short time window, indicating potential token theft via device code phishing or AiTM attacks.
references:
  - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    ResultType: 0
  condition: selection
  # Note: Sigma alone cannot perform multi-event IP correlation. This rule tags successful non-interactive sign-ins for downstream correlation in SIEM.
falsepositives:
  - Users on VPN split tunnels or mobile networks with frequently changing IPs
  - CDN or proxy-based authentication flows
level: medium
tags:
  - attack.defense_evasion
  - attack.lateral_movement
  - attack.t1550.001

Focus on non-interactive sign-in events where the source IP differs from the most recent interactive authentication. Correlate with impossible travel detection. Tokens used from cloud VPS provider ASNs (DigitalOcean, Vultr, AWS, Azure non-tenant) are high-confidence indicators.

T1098.001 — Account Manipulation: Additional Cloud Credentials (Persistence) [P1]

Midnight Blizzard and Storm-0539 register or hijack OAuth applications with excessive permissions (mail.read, mail.readwrite, files.read.all) and add credentials/secrets to those apps for persistent backdoor access. The Midnight Blizzard breach of Microsoft's own corporate tenant exploited a legacy test OAuth app with mail.read permissions.

Splunk SPL:

index=azure sourcetype="azure:aad:audit" OR sourcetype="ms:aad:audit"
(OperationName="Add service principal credentials" OR OperationName="Update application – Certificates and secrets management" OR OperationName="Add app role assignment to service principal" OR OperationName="Consent to application" OR OperationName="Add OAuth2PermissionGrant")
| eval actor=InitiatedBy.user.userPrincipalName
| eval target_app=TargetResources{}.displayName
| eval permissions=TargetResources{}.modifiedProperties{}.newValue
| eval result=Result
| stats count values(OperationName) as operations values(target_app) as target_apps values(permissions) as granted_permissions by actor _time
| sort - _time
| table _time actor operations target_apps granted_permissions count

Elastic KQL:

event.dataset:"azure.auditlogs" AND (azure.auditlogs.operation_name:"Add service principal credentials" OR azure.auditlogs.operation_name:"Consent to application" OR azure.auditlogs.operation_name:"Add OAuth2PermissionGrant" OR azure.auditlogs.operation_name:"Update application*Certificates and secrets*")

Sigma Rule:

title: Suspicious OAuth Application Credential Addition or Consent Grant
id: c3d4e5f6-a7b8-9012-cdef-123456789012
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects the addition of credentials to OAuth/service principal applications or new consent grants, which may indicate persistence establishment as seen in the Midnight Blizzard attack against Microsoft corporate tenant.
references:
  - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
logsource:
  product: azure
  service: auditlogs
detection:
  selection_cred_add:
    OperationName|contains:
      - 'Add service principal credentials'
      - 'Certificates and secrets management'
  selection_consent:
    OperationName|contains:
      - 'Consent to application'
      - 'Add OAuth2PermissionGrant'
  condition: selection_cred_add or selection_consent
falsepositives:
  - Legitimate application registrations by IT administrators
  - Automated CI/CD pipeline credential rotation
level: high
tags:
  - attack.persistence
  - attack.t1098.001

Prioritize alerts where the OAuth app has mail.read, mail.readwrite, files.read.all, or user.read.all permissions. Cross-reference with known application inventory. New apps registered by non-admin users or apps with credentials added after a long dormancy period are high-priority.

T1566.002 — Phishing: Spearphishing Link (Initial Access) [P2]

Device code phishing, AiTM phishing via EvilProxy/Tycoon 2FA, and SearchLeak delivery all rely on sending victims a link. Device code phishing links point to Microsoft's legitimate microsoft.com/devicelogin page, making them extremely difficult to filter. EvilProxy and Tycoon 2FA use attacker-controlled domains that proxy Microsoft's real login page.

Splunk SPL:

index=email OR index=proxy sourcetype="stream:http" OR sourcetype="o365:management:activity"
(url="*microsoft.com/devicelogin*" OR url="*login.microsoftonline.com*" OR url="*microsoft.com/common/oauth2/deviceauth*")
| eval sender=src_user
| eval recipient=dest_user
| eval click_time=_time
| stats count by sender recipient url click_time
| sort - click_time
| table click_time sender recipient url count

Elastic KQL:

(url.full:*microsoft.com\/devicelogin* OR url.full:*deviceauth*) AND event.category:"email"

Sigma Rule:

title: Device Code Phishing URL in Email or Web Proxy
id: d4e5f6a7-b8c9-0123-defa-234567890123
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects URLs containing Microsoft device code authentication endpoints in email or proxy logs, which may indicate device code phishing delivery.
references:
  - https://www.ic3.gov/PSA/2026/PSA260521
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains:
      - 'microsoft.com/devicelogin'
      - 'microsoft.com/common/oauth2/deviceauth'
  condition: selection
falsepositives:
  - Legitimate IT documentation or instructions referencing device code flow
  - Actual device code flows for legitimate IoT/CLI scenarios
level: medium
tags:
  - attack.initial_access
  - attack.t1566.002

This query has a higher false positive rate since microsoft.com/devicelogin is a legitimate Microsoft URL. Correlate with subsequent device code authentication events from the same user within 5-15 minutes. If a user receives an email containing this URL and then completes a device code auth flow, that is a high-confidence indicator of compromise.

T1539 — Steal Web Session Cookie (Credential Access) [P1]

AiTM phishing frameworks (EvilProxy, Tycoon 2FA) intercept session tokens in real time by proxying the user's authentication to Microsoft's real login page. The attacker captures the authenticated session cookie/token and replays it from their own infrastructure. Key indicator: session token used from a different IP than where authentication occurred.

Splunk SPL:

index=azure sourcetype="azure:aad:signin" OR sourcetype="ms:aad:signin" ResultType=0
| eval user=UserPrincipalName
| eval src_ip=IPAddress
| eval city=LocationDetails.city
| eval country=LocationDetails.countryOrRegion
| eval is_interactive=IsInteractive
| eval session_id=CorrelationId
| eval mfa_detail=MfaDetail.authMethod
| sort 0 user _time
| streamstats window=2 current=t values(src_ip) as recent_ips dc(src_ip) as ip_count values(country) as recent_countries dc(country) as country_count by user
| where ip_count > 1 AND country_count > 1
| eval impossible_travel="POSSIBLE"
| table _time user src_ip city country is_interactive mfa_detail recent_ips recent_countries impossible_travel

Elastic KQL:

event.dataset:"azure.signinlogs" AND event.outcome:"success" AND azure.signinlogs.properties.risk_level_during_signin:("high" OR "medium")

Sigma Rule:

title: AiTM Session Token Replay - Different IP After Authentication
id: e5f6a7b8-c9d0-1234-efab-345678901234
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects potential AiTM session token theft by identifying successful authentications followed by token use from a different IP/geography, as seen with EvilProxy and Tycoon 2FA phishing frameworks.
references:
  - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    ResultType: 0
    RiskLevelDuringSignIn|contains:
      - 'high'
      - 'medium'
  condition: selection
falsepositives:
  - Users on VPN with dynamic egress IPs
  - Mobile users transitioning between networks
level: high
tags:
  - attack.credential_access
  - attack.t1539

Focus on cases where the initial interactive authentication IP differs from subsequent non-interactive token use IPs. ASN mismatches (e.g., auth from corporate ISP, token use from cloud hosting provider) are the strongest signal. Correlate with MFA method used — if the user completed MFA but the token is immediately used from a different country, this is very likely AiTM.

T1659 — Content Injection (Initial Access) [P2]

CVE-2026-42824 (SearchLeak) chains a Parameter-to-Prompt (P2P) injection through the 'q' URL parameter into Microsoft 365 Copilot, an HTML rendering race condition, and a CSP bypass via Bing SSRF to exfiltrate mailbox content, calendar data, SharePoint documents, and OneDrive files. While patched server-side, the attack pattern will likely recur in AI assistants with broad data access.

Splunk SPL:

index=o365 sourcetype="ms:o365:management" Workload=Copilot OR Workload="MicrosoftCopilot"
| eval user=UserId
| eval operation=Operation
| eval item_count=mvcount(AffectedItems)
| eval referrer=Referrer
| stats count sum(item_count) as total_items dc(operation) as operation_types values(operation) as operations by user referrer _time
| where total_items > 50 OR count > 20
| sort - total_items
| table _time user referrer operations total_items count

Elastic KQL:

event.dataset:"o365.audit" AND o365.audit.Workload:"Copilot" AND (o365.audit.Operation:"CopilotInteraction" OR o365.audit.Operation:"SearchQueryPerformed")

Sigma Rule:

title: Potential Copilot Prompt Injection via URL Parameter
id: f6a7b8c9-d0e1-2345-fabc-456789012345
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects potential prompt injection attacks against Microsoft 365 Copilot via URL parameters, as demonstrated by the SearchLeak vulnerability (CVE-2026-42824). Monitors for unusual Copilot data access patterns that may indicate exploitation.
references:
  - https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/
logsource:
  product: m365
  service: audit
detection:
  selection_copilot:
    Workload: 'Copilot'
  selection_bulk:
    Operation|contains:
      - 'SearchQueryPerformed'
      - 'FileAccessed'
      - 'MailItemsAccessed'
  condition: selection_copilot and selection_bulk
falsepositives:
  - Legitimate Copilot usage generating bulk data access for business purposes
  - Copilot-driven search and summarization tasks
level: medium
tags:
  - attack.initial_access
  - attack.t1659

SearchLeak was patched server-side by Microsoft but the attack pattern is expected to recur. Monitor for Copilot audit events showing bulk retrieval of mailbox content, calendar data, and SharePoint documents from external referrers. URL-encoded prompt injection patterns in the 'q' parameter are a key indicator. This is an emerging detection area with limited community tuning guidance.

T1114 — Email Collection (Collection) [P1]

SearchLeak enabled full mailbox exfiltration via Copilot's privileged access. Midnight Blizzard accessed executive email accounts through OAuth app abuse with mail.read permissions. Both attack patterns result in bulk email access that should be detectable in unified audit logs.

Splunk SPL:

index=o365 sourcetype="ms:o365:management" (Operation="MailItemsAccessed" OR Operation="SearchQueryInitiated" OR Operation="Send" OR Operation="MessageBind")
| eval user=UserId
| eval client_app=ClientAppId
| eval ip=ClientIP
| eval is_app_access=case(LogonType=="Owner", "User", LogonType=="Delegate", "Delegate", LogonType=="Admin", "Admin", 1=1, "AppAccess")
| stats count dc(ip) as unique_ips values(ip) as ip_list values(client_app) as apps by user is_app_access Operation
| where (count > 100 AND is_app_access="AppAccess") OR unique_ips > 3
| sort - count
| table user is_app_access Operation count unique_ips ip_list apps

Elastic KQL:

event.dataset:"o365.audit" AND (o365.audit.Operation:"MailItemsAccessed" OR o365.audit.Operation:"SearchQueryInitiated") AND o365.audit.LogonType:"0"

Sigma Rule:

title: Bulk Mailbox Access via Application Permissions
id: a7b8c9d0-e1f2-3456-abcd-567890123456
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects bulk email access operations performed via application-level permissions, which may indicate OAuth app abuse for email exfiltration as seen in the Midnight Blizzard attack against Microsoft.
references:
  - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
logsource:
  product: m365
  service: audit
detection:
  selection:
    Operation:
      - 'MailItemsAccessed'
      - 'MessageBind'
    LogonType: 0
  condition: selection
falsepositives:
  - Legitimate service accounts and backup applications accessing mailboxes
  - eDiscovery operations
  - Email migration tools
level: high
tags:
  - attack.collection
  - attack.t1114

LogonType 0 indicates application-level access (as opposed to user interactive). Focus on application IDs not in your approved list. Midnight Blizzard used a legacy test OAuth app — hunt for old/unused app registrations with mail.read permissions that suddenly show activity.

T1213 — Data from Information Repositories (Collection) [P2]

SearchLeak enabled exfiltration of SharePoint documents and OneDrive files via Copilot's broad data access. Any identity compromise in M365 now potentially includes access to all files the user can reach across SharePoint and OneDrive.

Splunk SPL:

index=o365 sourcetype="ms:o365:management" Workload=SharePoint OR Workload=OneDrive
(Operation="FileDownloaded" OR Operation="FileSyncDownloadedFull" OR Operation="FileAccessed" OR Operation="SearchQueryPerformed")
| eval user=UserId
| eval src_ip=ClientIP
| eval file=SourceFileName
| eval site=SiteUrl
| bucket _time span=1h
| stats count dc(file) as unique_files dc(site) as unique_sites values(site) as sites by user src_ip _time
| where unique_files > 50 OR unique_sites > 5
| sort - unique_files
| table _time user src_ip unique_files unique_sites sites count

Elastic KQL:

event.dataset:"o365.audit" AND (o365.audit.Workload:"SharePoint" OR o365.audit.Workload:"OneDrive") AND (o365.audit.Operation:"FileDownloaded" OR o365.audit.Operation:"FileAccessed") AND event.outcome:"success"

Sigma Rule:

title: Bulk SharePoint/OneDrive File Access Indicating Data Exfiltration
id: b8c9d0e1-f2a3-4567-bcde-678901234567
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects bulk file download or access operations across SharePoint and OneDrive, which may indicate data exfiltration following identity compromise or Copilot exploitation.
references:
  - https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/
logsource:
  product: m365
  service: audit
detection:
  selection:
    Workload|contains:
      - 'SharePoint'
      - 'OneDrive'
    Operation:
      - 'FileDownloaded'
      - 'FileSyncDownloadedFull'
  condition: selection
falsepositives:
  - Legitimate bulk file operations (migration, backup, sync)
  - OneDrive client sync activity
level: medium
tags:
  - attack.collection
  - attack.t1213

Establish baselines for normal file access volumes per user. Investigate any user accessing files across multiple site collections they haven't historically accessed. Correlate with recent device code auth events or OAuth app consent grants for high-confidence compound detections.

Indicators of Compromise

IOC Sweep Queries (Splunk):

index=email OR index=proxy (url="*microsoft.com/devicelogin*" OR url="*microsoft.com/common/oauth2/deviceauth*" OR body="*devicelogin*")
| eval sender=src_user OR from
| eval recipient=dest_user OR to
| table _time sender recipient url subject

index=o365 sourcetype="ms:o365:management" Workload=Copilot
| eval referrer=Referrer
| where isnotnull(referrer) AND NOT match(referrer, "^https?://(www\.)?microsoft\.com")
| table _time UserId referrer Operation

YARA Rules

M365_DeviceCode_Phishing_Lure — Detects email messages or documents containing device code phishing lure content targeting Microsoft 365 users, including references to microsoft.com/devicelogin combined with urgency indicators.

rule M365_DeviceCode_Phishing_Lure
{
    meta:
        author = "RedSheep Security/Stone"
        description = "Detects potential device code phishing lure documents or emails targeting Microsoft 365 users"
        date = "2026-06-25"
        reference = "https://www.ic3.gov/PSA/2026/PSA260521"
        severity = "high"
    strings:
        $url1 = "microsoft.com/devicelogin" ascii wide nocase
        $url2 = "aka.ms/devicelogin" ascii wide nocase
        $url3 = "/common/oauth2/deviceauth" ascii wide nocase
        $code_prompt1 = "enter the code" ascii wide nocase
        $code_prompt2 = "enter this code" ascii wide nocase
        $code_prompt3 = "device code" ascii wide nocase
        $code_prompt4 = "verification code" ascii wide nocase
        $urgency1 = "expires in" ascii wide nocase
        $urgency2 = "act now" ascii wide nocase
        $urgency3 = "immediately" ascii wide nocase
        $urgency4 = "urgent" ascii wide nocase
        $m365_1 = "Microsoft 365" ascii wide nocase
        $m365_2 = "Microsoft Teams" ascii wide nocase
        $m365_3 = "Office 365" ascii wide nocase
    condition:
        any of ($url*) and any of ($code_prompt*) and (any of ($urgency*) or any of ($m365_*))
}

Outlook_CVE_2023_23397_Calendar_Exploit — Detects MSG or calendar file artifacts containing UNC path references in PidLidReminderFileParameter, indicative of CVE-2023-23397 exploitation.

rule Outlook_CVE_2023_23397_Calendar_Exploit
{
    meta:
        author = "RedSheep Security/Stone"
        description = "Detects potential CVE-2023-23397 exploitation artifacts in Outlook MSG/calendar files containing UNC paths in reminder parameters"
        date = "2026-06-25"
        reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397"
        severity = "critical"
    strings:
        $msg_header = { D0 CF 11 E0 A1 B1 1A E1 }
        $unc_path1 = "\\\\" ascii wide
        $unc_path2 = { 5C 00 5C 00 }
        $reminder1 = "PidLidReminderFileParameter" ascii wide
        $reminder2 = "dispidReminderFileParam" ascii wide
        $ipm_appt = "IPM.Appointment" ascii wide
        $ipm_task = "IPM.Task" ascii wide
    condition:
        $msg_header at 0 and any of ($unc_path*) and (any of ($reminder*) or any of ($ipm_*))
}

Outlook_CVE_2024_21413_MonikerLink — Detects files containing MonikerLink exploitation patterns (file:// moniker with ! bypass character) associated with CVE-2024-21413.

rule Outlook_CVE_2024_21413_MonikerLink
{
    meta:
        author = "RedSheep Security/Stone"
        description = "Detects potential CVE-2024-21413 MonikerLink exploitation patterns in files"
        date = "2026-06-25"
        reference = "https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/"
        severity = "critical"
    strings:
        $moniker1 = /file:\/\/[^\s"']+![^\s"']+/ ascii wide nocase
        $moniker2 = { 66 00 69 00 6C 00 65 00 3A 00 2F 00 2F 00 }
        $bang = "!" ascii wide
        $href = "href=" ascii wide nocase
        $rtf_obj = "\objautlink" ascii
        $rtf_obj2 = "\objupdate" ascii
    condition:
        ($moniker1 or ($moniker2 and $bang)) and ($href or any of ($rtf_obj*))
}

Suricata Rules

SID 2026001 — Detects outbound connections to Microsoft device code authentication endpoint, which may indicate device code phishing token redemption from compromised host.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HUNT - Microsoft Device Code Auth Endpoint Access - Possible Device Code Phishing"; flow:established,to_server; http.uri; content:"/common/oauth2/deviceauth"; http.host; content:"login.microsoftonline.com"; classtype:social-engineering; sid:2026001; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag DeviceCodePhishing, signature_severity Major;)

SID 2026002 — Detects potential CVE-2023-23397 exploitation via outbound SMB/WebDAV connections triggered by Outlook calendar reminders with UNC paths.

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"HUNT - Outbound SMB to External Host - Possible CVE-2023-23397 NTLM Hash Leak"; flow:established,to_server; content:"|ff 53 4d 42|"; offset:0; depth:4; classtype:attempted-info-leak; sid:2026002; rev:1; metadata:attack_target Client_Endpoint, cve CVE_2023_23397, deployment Perimeter, signature_severity Critical;)

SID 2026003 — Detects potential CVE-2024-21413 MonikerLink exploitation via outbound file:// moniker access patterns.

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"HUNT - Outbound SMB Connection After file:// Moniker - Possible CVE-2024-21413 MonikerLink"; flow:established,to_server; content:"|ff 53 4d 42|"; depth:4; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-user; sid:2026003; rev:1; metadata:attack_target Client_Endpoint, cve CVE_2024_21413, deployment Perimeter, signature_severity Critical;)

SID 2026004 — Detects Microsoft Graph API token requests which may indicate OAuth token abuse for email/file exfiltration.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HUNT - Microsoft Graph API Access from Non-Standard User Agent"; flow:established,to_server; http.host; content:"graph.microsoft.com"; http.header; content:"Authorization:"; content:"Bearer"; http.user_agent; content:!"Microsoft"; content:!"Outlook"; content:!"Teams"; classtype:policy-violation; sid:2026004; rev:1; metadata:attack_target Cloud_Service, deployment Perimeter, tag OAuthAbuse, signature_severity Major;)

Data Source Requirements

Mitigations & Recommendations

Curated baseline: APT29 / Midnight Blizzard; library archetype

The curated playbook thoroughly covers APT29's identity-centric tradecraft: password spray, MFA fatigue, OAuth consent abuse, service principal credential abuse, mailbox delegation persistence, legacy auth, and AD FS/Connect crossover. Genuinely new tradecraft in this incident includes Microsoft 365 Copilot exploitation via SearchLeak (CVE-2026-42824), device code authentication phishing (microsoft.com/devicelogin abuse), and AiTM session token theft via EvilProxy/Tycoon 2FA reverse proxies — none of which are addressed by the existing playbook's identity/OAuth focus.

Established mitigations (curated):

• Coordinated eviction kickoff (CISO + Identity + IR retainer).
• Disable all compromised accounts simultaneously; revoke all sessions/tokens.
• Revoke ALL OAuth consents granted during the attacker window. Review and remove malicious service principal credentials.
• Remove any mailbox delegations, ApplicationImpersonation role assignments, and forwarding rules set by attacker.
• Rotate credentials for ALL service principals that had broad permissions, even if not confirmed touched.
• Block legacy authentication tenant-wide via conditional access.

Established detection guidance (curated):

• DO NOT immediately disable accounts or trigger tenant-wide visible changes. APT29 monitors telemetry. Escalate to CISO for covert response.
• Password spray hunt: many users attempted from same IPs, distinctive user agents.
• MFA fatigue hunt: many MFA prompts for one user, eventual success.
• OAuth application consent audit: multi-tenant apps with MS Graph permissions requested recently.
• Service principal credentials added recently.
• Mail delegate / forward / ApplicationImpersonation role grants (mailbox access persistence).

Net-new from this incident:

• Treat Microsoft 365 Copilot (and similar AI assistants) as a privileged data-access identity in its own right: log, alert, and DLP-scope its mailbox/SharePoint/OneDrive reads, especially when prompts originate from URL parameters or external web content.
• Add the device code authentication flow to the high-risk-protocol list alongside legacy auth; block by default and allow only via narrowly scoped Conditional Access.
• Assume MFA-protected accounts can still be compromised via AiTM reverse proxies (EvilProxy/Tycoon 2FA); accelerate the move to phishing-resistant FIDO2/passkey for all users, not only privileged ones, and enable token protection / CAE.
• Build detections for legitimate-domain phishing (microsoft.com/devicelogin, Copilot URLs with prompt-injection parameters) since domain reputation filters will not catch them.
• Disable or tightly scope the device code authentication flow via Conditional Access (block device code flow except for explicit, named device-bootstrap scenarios). (Why: T1528 / T1566.002 — Kali365 and Storm-2372 abuse the device code flow; not addressed by curated legacy-auth block.)
• Revoke all refresh tokens and force re-authentication for users who interacted with suspect Copilot prompts or device code/AiTM sign-ins; require token binding / continuous access evaluation where supported. (Why: T1539 / T1550.001 — stolen session/refresh tokens persist beyond password reset.)
• Temporarily restrict Microsoft 365 Copilot access for privileged/executive users until SearchLeak mitigations are confirmed; disable Copilot web/Bing grounding where feasible. (Why: T1659 / T1213 / T1114 — Copilot is the exfiltration vector in SearchLeak.)
• Deploy URL/click-time inspection rules that flag links to microsoft.com/devicelogin and to Copilot endpoints carrying 'q=' or other prompt-injection parameters from external senders. (Why: T1566.002 / T1528 / T1659 — phishing lures use legitimate microsoft.com URLs that bypass standard reputation filters.)
• Detect: Hunt for device code authentication flow abuse: look for sign-in events with authenticationProtocol='deviceCode' where the user/device pairing is anomalous (user in one geo, device polling from another). (Why: T1528 / T1566.002 — Kali365 PhaaS and Storm-2372 abuse microsoft.com/devicelogin to capture OAuth tokens; not covered by curated spray/MFA-fatigue hunts.)
• Detect: Hunt for AiTM session token replay: identical session tokens or refresh tokens used from two distinct IPs/ASNs within a short window, especially where one IP matches known EvilProxy/Tycoon 2FA infrastructure. (Why: T1539 / T1550.001 — EvilProxy and Tycoon 2FA proxy live authentication and replay session tokens; curated playbook only covers MFA fatigue, not reverse-proxy AiTM.)
• Detect: Audit Microsoft 365 Copilot interaction logs for prompts containing URL-derived content, suspicious 'q=' parameters, or external-origin HTML rendering, and correlate with mass mailbox/SharePoint/OneDrive reads by Copilot service identity. (Why: T1659 / T1114 / T1213 — SearchLeak (CVE-2026-42824) uses Copilot's privileged data access to exfiltrate mail, SharePoint, OneDrive via a single crafted microsoft.com URL.)

Sources

• BleepingComputer: New Attack Turned Microsoft 365 Copilot Into 1-Click Data Theft Tool (SearchLeak/CVE-2026-42824)
• Microsoft Security Response Center: Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard
• FBI IC3 Public Service Announcement PSA260521: Kali365 Device Code Phishing
• Microsoft Security Update Guide: CVE-2023-23397
• Check Point Research: The Risks of the MonikerLink Bug in Microsoft Outlook (CVE-2024-21413)
• Microsoft Learn: Deprecation of Basic Authentication in Exchange Online
• CyberSecurityNews: Reprompt Single-Click Copilot Exploit (Varonis)