
In the case of Copilot Enterprise Search, Microsoft had a guardrail in place that enclosed the LLM’s search responses inside blocks, presenting them to the browser as plain text. Varonis researchers found, however, that this wrapping was not applied until after the model had finished its thinking phase; the thinking process itself was still rendered as HTML in the user’s browser.
“This is a textbook race condition,” the researchers said. “The guardrail is a post-processing step applied to the final output, but the browser doesn’t wait for ‘final’ — it renders incrementally. By the time the sanitizer activates, the damage is done.”
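The race the researchers describe, as an added example that is not Varonis’s or Microsoft’s code: a browser that renders streamed model output incrementally is simulated with a string standing in for the page, and the text wrapper is assumed to be a `<pre>` block (the article does not name the element). The vulnerable renderer applies the wrapper once the stream ends; the hardened one escapes every chunk before it touches the page.

```javascript
// Minimal HTML escaping so that model output can never be parsed as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable pattern: each streamed chunk (thinking phase included) is appended
// raw as it arrives; the text wrapper runs only after the final chunk.
// Returns every intermediate page state so the race is visible.
function streamWithPostSanitizer(chunks) {
  const states = [];
  let page = '';
  for (const chunk of chunks) {
    page += chunk;            // rendered immediately, as HTML
    states.push(page);
  }
  page = '<pre>' + escapeHtml(page) + '</pre>';  // guardrail fires here, too late
  states.push(page);
  return states;
}

// Hardened pattern: the wrapper is opened up front and every chunk is escaped
// before it is appended, so no intermediate state contains model-supplied markup.
function streamWithPerChunkEscape(chunks) {
  const states = [];
  let page = '<pre>';
  for (const chunk of chunks) {
    page += escapeHtml(chunk);
    states.push(page);
  }
  page += '</pre>';
  states.push(page);
  return states;
}

// Detection helper: does a page state contain any tag other than our own <pre> wrapper?
function containsRawMarkup(state) {
  return /<(?!\/?pre>)[a-z]/i.test(state);
}

// Constructed sample stream: a "thinking" chunk that happens to contain a tag.
const sampleChunks = ['Thinking: <em>scanning', ' results</em>', ' done.'];
```

Run `streamWithPostSanitizer(sampleChunks).map(containsRawMarkup)` to see that the intermediate states expose markup while only the final one is clean; the per-chunk variant never does.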
Microsoft had a second guardrail, the Content Security Policy (CSP), which lets website owners define which external domains may load resources into a page. In this case, the CSP for m365.cloud.microsoft.com also allowed resources from *.bing.com, Microsoft’s search engine.
