{"slug": "a-single-click-on-a-microsoft-link-could-have-drained-your-inbox-heres-how", "title": "A single click on a Microsoft link could have drained your inbox. Here’s how SearchLeak worked.", "summary": "Security researchers at Varonis Threat Labs disclosed a vulnerability chain in Microsoft 365 Copilot Enterprise Search, dubbed SearchLeak, that could allow attackers to steal emails, calendar data, and files with a single click on a crafted microsoft.com link. The attack chains a prompt injection, an HTML sanitizer race condition, and a Bing server-side request forgery to exfiltrate data without victim interaction. Microsoft assigned CVE-2026-42824 and mitigated the flaw on its backend, requiring no customer action.", "body_md": "#### TL;DR\n\n*Varonis found three chained bugs in Microsoft 365 Copilot Enterprise Search that let an attacker steal data with one click on a microsoft.com link.*\n\nVaronis Threat Labs combined a prompt injection, an HTML sanitizer race condition, and a Bing server-side request forgery into a one-click exfiltration chain that pulled emails, calendar data, and files from Microsoft 365 Copilot Enterprise Search without the victim typing a word.\n\n[Security researchers at Varonis Threat Labs have disclosed a vulnerability chain in Microsoft 365 Copilot Enterprise Search](https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html) that could have let an attacker steal emails, calendar entries, and indexed files with a single click. The attack, which Varonis calls SearchLeak, worked through a crafted URL on a legitimate microsoft.com domain, meaning traditional anti-phishing and URL filtering tools were unlikely to flag it. 
Microsoft assigned CVE-2026-42824 on June 4 and rated it critical under its own severity system, though the CVSS v3.1 base score came in at 6.5, a medium rating.\n\nThe victim never typed a prompt, entered a password, or clicked a second time. Varonis researcher Dolev Taler, who is credited in Microsoft’s advisory, demonstrated the attack as a proof of concept. Microsoft mitigated the flaw on its backend, and because Copilot Enterprise is a managed service, no customer action was required.\n\nSearchLeak chains three distinct weaknesses, each insufficient on its own but devastating in sequence. The entry point is the q parameter in the Copilot Enterprise Search URL, which is meant for a natural-language query. Varonis calls this parameter-to-prompt injection: an attacker writes a URL that tells Copilot to search the victim’s mailbox, extract a piece of data like an email subject line, and embed it inside an image URL.\n\nThe victim clicks, and Copilot executes the instructions without any additional input.\n\nThe second link in the chain is a race condition in how Copilot’s response is rendered. Microsoft’s guardrail wraps output in code blocks so the browser treats markup as text, but the wrapping happens after Copilot finishes generating. The browser renders the stream as it arrives, so an injected image tag fires its request before the sanitizer runs.\n\nBy the time the output is neutralised, the outbound request has already left.\n\nThe third component is a server-side request forgery through Bing. The content security policy on m365.cloud.microsoft blocks images from arbitrary domains but allowlists *.bing.com. Bing’s “*Search by Image*” endpoint accepts an image URL and fetches it server-side to analyse it.\n\nPoint that fetch at an attacker’s server with stolen data encoded in the URL path, and Bing retrieves it on the attacker’s behalf. 
The browser’s CSP never applies because the request originates from Bing’s infrastructure.\n\nPut together, the sequence works like this: the victim clicks a link, Copilot searches their data, the response embeds a value in a Bing image URL, the browser calls Bing during streaming, and Bing pulls the attacker’s URL. The attacker reads the stolen data from their own server logs, for example a request for /Your_Security_Code_847291/img.png.\n\nThe reach of the attack matched whatever the signed-in user could access through their Microsoft Graph permissions. The most time-sensitive targets were one-time codes, MFA tokens, and password-reset links sitting in the inbox, often still valid for several minutes. Calendar invites, meeting notes, and any SharePoint or OneDrive files that Copilot had indexed were also within reach.\n\nMicrosoft’s advisory classifies the flaw as CWE-77, improper neutralisation of special elements used in a command. The company rated it critical, though the CVSS v3.1 base score of 6.5 reflects the requirement for user interaction, specifically that single click. The source article reporting the story claimed the NVD assigned a score of 7.5, but both Microsoft’s own CSAF record and the NVD entry show an identical CVSS:3.1 vector with a 6.5 base score.\n\nSearchLeak is the second time Varonis has demonstrated this pattern against Copilot. Taler previously disclosed the Reprompt attack against Copilot Personal, which used the same one-click technique to exfiltrate data. That vulnerability was reported to Microsoft in August 2025 and patched in January 2026.\n\nSearchLeak held up against Enterprise Search despite the additional guardrails that tier is supposed to enforce.\n\nThe same class of bug appeared independently in EchoLeak, a zero-click Copilot vulnerability disclosed by Aim Security in 2025 and tracked as CVE-2025-32711 with a CVSS score of 9.3. 
EchoLeak required no user interaction at all, embedding prompt injections in documents that Copilot processed automatically. Together, these three disclosures establish a pattern: [prompt injection is the new ingredient that makes old web vulnerabilities dangerous again](https://thenextweb.com/news/ai-agents-hijacked-prompt-injection-bug-bounties-no-cve).\n\nSSRF and HTML sanitiser race conditions are well-understood bug classes that security teams have been mitigating for years. What makes them potent in Copilot is the prompt injection layer, which creates a path to trigger them through a URL parameter that was designed to accept natural language. The AI system does not just search, it follows instructions embedded in the query, and those instructions can include data exfiltration logic that would be impossible through a conventional search interface.\n\nThe implications extend beyond Copilot. [AI systems integrated into enterprise workflows](https://thenextweb.com/news/why-2026-will-be-the-year-of-governed-cybersecurity-ai) inherit the access permissions of their users but introduce new attack surfaces that existing security tooling was not built to detect. A URL filter that checks domain reputation would pass a link to microsoft.com.\n\nA content security policy that trusts Bing would allow the exfiltration request. Neither tool was designed to account for an AI intermediary that converts URL parameters into executable instructions.\n\nFor organisations running Microsoft 365 Copilot Enterprise, Varonis recommends watching for Copilot Search URLs carrying encoded payloads or HTML in the q parameter and monitoring for unusual outbound requests to Bing’s image endpoints. Tightening data-access governance so Copilot indexes less content would shrink what any future vulnerability could reach.\n\nMicrosoft fixed SearchLeak before it was exploited in the wild, and the company says there is no evidence of malicious use. 
But the [rapid expansion of Copilot into enterprise and public-sector environments](https://thenextweb.com/news/nhs-england-microsoft-copilot-505000-staff-ai-rollout) means the attack surface is growing faster than the guardrails. Three disclosures in six months, each bypassing protections the previous fix was supposed to establish, suggest that the fundamental tension between giving an AI tool broad data access and keeping that data secure remains unresolved.", "url": "https://wpnews.pro/news/a-single-click-on-a-microsoft-link-could-have-drained-your-inbox-heres-how", "canonical_source": "https://thenextweb.com/news/microsoft-365-copilot-searchleak-one-click-data-exfiltration", "published_at": "2026-06-15 18:22:42+00:00", "updated_at": "2026-06-15 18:42:05.876602+00:00", "lang": "en", "topics": ["ai-safety", "ai-products", "ai-research"], "entities": ["Varonis Threat Labs", "Microsoft", "Microsoft 365 Copilot Enterprise Search", "Bing", "Dolev Taler", "CVE-2026-42824"], "alternates": {"html": "https://wpnews.pro/news/a-single-click-on-a-microsoft-link-could-have-drained-your-inbox-heres-how", "markdown": "https://wpnews.pro/news/a-single-click-on-a-microsoft-link-could-have-drained-your-inbox-heres-how.md", "text": "https://wpnews.pro/news/a-single-click-on-a-microsoft-link-could-have-drained-your-inbox-heres-how.txt", "jsonld": "https://wpnews.pro/news/a-single-click-on-a-microsoft-link-could-have-drained-your-inbox-heres-how.jsonld"}}