SearchLeak: Microsoft 365 Copilot Flaw Let One Click Leak Enterprise Data

by ddos · June 18, 2026

SearchLeak CVE-2026-42824 Microsoft 365 Copilot vulnerability

A single link to a trusted Microsoft domain could quietly turn Copilot into a data exfiltration tool. Varonis Threat Labs disclosed this flaw, naming it SearchLeak. The chain let an attacker steal emails, MFA codes, meeting details, and private files after just one click.

A Three-Stage Vulnerability Chain

Microsoft assigned the flaw CVE-2026-42824 and gave it a max severity rating of critical. The issue affects Microsoft 365 Copilot Enterprise specifically, not the consumer version of Copilot.

SearchLeak is not a single bug. Instead, it combines a relatively new class of AI-specific vulnerability with two classic web security bugs. The first is known as Parameter-to-Prompt Injection. The other two are an HTML injection race condition and a server-side request forgery. Each weakness on its own would likely cause little harm. Chained together, however, they create a complete attack path.

How the Attack Works

The first stage begins with a normal feature. Microsoft 365 Copilot Search accepts a q parameter in its URL, meant for natural language search queries. Varonis found that this parameter does more than search. Whatever text appears in it gets treated as an instruction that Copilot will follow.

This meant an attacker could craft a link instructing Copilot to search a victim’s mailbox, then quietly extract the result. The victim never types anything. They simply click a link, and Copilot does the rest.

The second stage exploits timing. Microsoft’s safeguard against malicious HTML wraps Copilot’s output in code blocks, preventing the browser from rendering it as live markup. However, this wrapping happens only after Copilot finishes generating its full response. During the earlier streaming phase, raw HTML appears briefly in the page itself.

That timing gap is enough. The browser renders an embedded image tag and fires off a request before the safety wrapper ever applies. By the time the guardrail kicks in, the data has already left the victim’s browser.

The third stage solves a remaining problem for the attacker. A strict content security policy on Microsoft’s domain blocks images from loading off unapproved domains. A direct request to an attacker’s server would normally fail under this rule. Bing, however, sits on the approved list. Varonis found that Bing’s reverse image search feature accepts a URL and fetches it from its own servers, not the victim’s browser. That server-side fetch sidesteps the content security policy entirely. Bing’s infrastructure ends up unknowingly carrying stolen data straight to the attacker.

What an Attacker Could Access

Because Copilot Enterprise carries the same permissions as the user running it, the potential exposure tracks whatever that employee can normally see. The blast radius could include emails, meeting invites and notes, SharePoint documents, OneDrive files, and other indexed business content. Depending on how the organization connects Microsoft 365 to other systems, that radius could extend even further.

In practical terms, this could mean leaked one-time passcodes sent by email, password reset links, internal financial reports, or confidential meeting agendas. No authentication bypass and no separate account compromise were required. A single click was the only action needed from the victim.

A Pattern of AI-Native Bugs

SearchLeak did not appear in isolation. Varonis researchers had previously disclosed a related flaw called Reprompt in Copilot Personal, the consumer-facing version of the assistant. That earlier flaw also relied on the same q parameter technique. However, it targeted personal accounts rather than enterprise tenants. Microsoft patched Reprompt during its January 2026 security updates. At the time, the company confirmed that enterprise customers were not affected.

SearchLeak shows the same underlying weakness reaching further. With Enterprise Search added to the mix, the attack surface grew to include corporate mailboxes and shared business files, not just an individual’s personal account.

Neither of the two older bug classes used in this chain is new. Server-side request forgery and HTML rendering race conditions have both been documented for years in traditional web security research. What changed is the presence of an AI system willing to interpret a URL parameter as an instruction. That single ingredient is what made the older bugs exploitable again in a fresh context.

Recommended Mitigations

Microsoft has already patched the underlying vulnerability, and no customer action is required to apply the fix. Even so, Varonis outlined further steps worth considering for ongoing protection.

Security teams should watch for suspicious Copilot search URLs, particularly any containing encoded HTML tags or instructions referencing image embedding. Reviewing content security policy allowlists is also worthwhile. Any domain capable of performing server-side fetches on user-supplied URLs could become a similar exfiltration channel in the future. Treating AI streaming output as untrusted until fully rendered, rather than sanitizing only at the end, closes the specific timing gap SearchLeak relied on.

For individual users, the advice is simpler. Inspect links before clicking, especially ones pointing to Microsoft 365 services with long or encoded query strings. If Copilot ever begins searching email or files without being asked to, that behavior is worth reporting immediately.

A Broader Lesson for AI-Integrated Tools

As AI assistants gain deeper access into corporate systems, vulnerabilities like SearchLeak illustrate a recurring theme. Old web security bug classes, once considered low-risk in isolation, become considerably more dangerous once an AI system is willing to treat untrusted input as an executable instruction. Anyone running Microsoft 365 Copilot Enterprise in their organization can review the complete technical breakdown directly in Varonis Threat Labs’ SearchLeak research.