SearchLeak: Researchers Detail Microsoft 365 Copilot Vulnerability Chain Allowing One-Click Data Theft
Varonis researchers disclosed SearchLeak, a chain of three flaws in Microsoft 365 Copilot Enterprise that lets attackers steal emails, documents, and calendar data with a single click.
Security researchers at Varonis have disclosed a critical vulnerability chain in Microsoft 365 Copilot Enterprise, dubbed SearchLeak, that enables attackers to exfiltrate sensitive data from a victim's mailbox, OneDrive, or SharePoint with just one click. The attack exploits how Copilot processes search queries and accesses organizational data, chaining three distinct weaknesses that individually would be insufficient for a meaningful breach. Microsoft has addressed the issue and assigned it CVE-2026-42824 with a critical severity rating.
The attack chain begins with a parameter-to-prompt injection flaw in Microsoft 365 Copilot Search. Unlike the standard Copilot that generates content, Copilot Enterprise Search looks for company data across emails, meetings, SharePoint files, and OneDrive. An attacker crafts a URL containing instructions in the 'q' parameter that tells Copilot to search the victim's mailbox and embed the results into an image URL. The victim only needs to click the link — they do not type anything, and Copilot executes the instructions automatically.
The second stage exploits an HTML rendering race condition. As Copilot streams its output, raw HTML is temporarily rendered by the browser before it is wrapped inside <code> blocks that neutralize it. This brief window allows attacker-controlled HTML containing an <img> tag to execute and trigger outbound requests before sanitization completes. The third component is a server-side request forgery (SSRF) in Bing's "Search by Image" feature, which is used to fetch an image from the attacker's endpoint. Because Bing makes the request, the content security policy (CSP) is bypassed, and the stolen data embedded in the URL is sent to the attacker's server logs.
"Bing becomes an unwitting exfiltration proxy. A classic SSRF, hiding in plain sight behind a CSP allowlist entry," the Varonis researchers concluded. From the victim's perspective, all they see is Copilot "thinking" for a moment, with no indication that data is being exfiltrated. The stolen information can include email content (such as access codes and passwords), calendar events, meeting details, documents, and other content accessible through Copilot Enterprise Search.
Microsoft addressed SearchLeak at the beginning of June 2026 and assigned it CVE-2026-42824 with a maximum severity, critical rating. Since the fix has been deployed, no user action is required to mitigate this threat. Varonis underscores that familiar, easily contained bugs like SSRF and HTML injection race conditions can now be weaponized into potent attacks when prompt injection is possible, highlighting how AI systems have created new pathways to exploit older bug classes in contexts where they previously would not have been nearly as impactful.
The disclosure serves as a stark reminder that as enterprises rapidly adopt AI-powered tools like Copilot, the attack surface expands in unexpected ways. Security teams must now consider not only traditional web application vulnerabilities but also the unique risks introduced by AI agents that have privileged access to organizational data. The SearchLeak chain demonstrates that even well-understood vulnerability classes can become critical when combined with the capabilities of modern AI systems.
The Cyber Security News article adds a concise, publicly oriented summary of the three-stage SearchLeak attack chain previously detailed by Varonis Threat Labs, with a notable emphasis on the practical exfiltration mechanism — embedding stolen data in a Bing image-search URL to bypass CSP restrictions — and reiterates that Microsoft has already applied a server-side patch, requiring no user action. It also explicitly ties SearchLeak to the earlier 'Reprompt' vulnerability affecting Copilot Personal, underscoring the growing AI-specific attack surface.
Varonis Threat Labs' SearchLeak exploit, which chains three vulnerabilities in Microsoft 365 Copilot Enterprise Search, now has a dedicated CVE identifier: CVE-2026-42824. Microsoft scored the flaw as critical (CVSS 6.5), while the National Vulnerability Database assigned a higher CVSS of 7.5. The researchers behind the disclosure note that the same one-click attack pattern was previously demonstrated in an earlier Reprompt attack against Copilot Personal, and parallels have been drawn to the zero-click EchoLeak vulnerability (CVE-2025-32711) disclosed by Aim Security last year.