SearchLeak Exposes Microsoft 365 Copilot Data

Varonis Threat Labs disclosed a critical vulnerability chain called SearchLeak in Microsoft 365 Copilot Enterprise that could allow attackers to exfiltrate emails, MFA codes, and files via a one-click attack. Microsoft remediated the issue with a critical severity rating before public disclosure.

SearchLeak Exposes Microsoft 365 Copilot Data Varonis Threat Labs disclosed a critical vulnerability chain called SearchLeak in Microsoft 365 Copilot Enterprise , according to Varonis' blog post published June 15, 2026. Varonis says the three-stage chain combines a prompt-injection variant called Parameter-to-Prompt Injection P2P with an HTML injection race condition and a Bing-based server-side request forgery SSRF , and that the chain could be used to exfiltrate emails, multifactor authentication codes, calendar items, SharePoint documents, and OneDrive files. Reporting in Dark Reading, Ars Technica, Mashable, and BleepingComputer describes the attack as a one-click data-theft vector that used a crafted q URL parameter and image-tag-based callback to leak results to an attacker-controlled server. Varonis says Microsoft remediated the issue and assigned it a critical severity rating. What happened Varonis Threat Labs disclosed a vulnerability chain named SearchLeak CVE-2026-42824 , critical in Microsoft 365 Copilot Enterprise , per Varonis' June 15, 2026 blog post. Varonis says the chain links a new AI prompt-injection subtype called Parameter-to-Prompt Injection P2P with an HTML injection race condition and a Bing-based server-side request forgery SSRF , and that the combined exploit could silently exfiltrate emails, multifactor authentication MFA codes, meeting details, SharePoint documents, and OneDrive files accessible to the victim. Reporting by Dark Reading, Ars Technica, Mashable, TechRadar, and BleepingComputer corroborates Varonis' technical outline and describes the attack as a one-click data-theft vector. Microsoft remediated the vulnerability globally before public disclosure, with patches deployed to all Copilot Enterprise instances by June 1, 2026. Technical details Per Varonis' writeup, the attack abuses the Copilot Search URL structure by injecting a crafted prompt into the q parameter example form: https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=<PROMPT , which the Copilot frontend passes through into the assistant context. Varonis documents that the attacker-controlled prompt can instruct the assistant to locate a target item for example, a recent email with an MFA code , format that content into a URL, and then load the URL via an image tag. Varonis says the use of an image tag plus a timing/race condition allowed the assistant to return the response before sanitization, while the SSRF vector used bing.com image search endpoints to relay attacker-controlled requests, bypassing the page's Content Security Policy because the request originates from Microsoft infrastructure. The victim sees only Copilot "thinking" with no visible data movement Dark Reading; Mashable . Industry context Industry reporting frames SearchLeak as an instance where emergent AI-specific vulnerability classes interact with long-standing web vulnerabilities. Companies integrating generative assistants with enterprise data sources need to account for prompt-injection classes such as Parameter-to-Prompt that convert user-controllable parameters into assistant prompts, and for the ways browser behaviors and third-party services such as image search endpoints can be repurposed to exfiltrate content. Impact and scope Varonis and multiple outlets note the enterprise tier focus increases the potential blast radius because a compromised Copilot session can access all data the user is authorized to read. Ars Technica and Dark Reading highlight that the attack could have exposed MFA codes and other high-sensitivity artifacts, increasing risk beyond simple document leakage. Microsoft rated the vulnerability critical and deployed service-level patches globally before the disclosure date. Practical note for defenders Coverage suggests defenders should treat prompt-derived inputs as attacker-controlled channels and evaluate whether existing CSP, input-sanitization, and SSRF protections remain effective when an assistant mediates content retrieval. For practitioners, the key operational takeaway is to treat integrations that convert URLs or user-supplied parameters into assistant prompts as high-risk data flows and to prioritize telemetry that can detect unexpected assistant-generated outbound network activity. Closing Varonis' disclosure and corroborating coverage across security outlets illustrate a pattern where novel prompt-injection techniques amplify classic web vulnerabilities into high-impact enterprise data-exfiltration chains. The incident underscores the need for specialized threat models and defensive controls tailored to generative-assistant architectures. Scoring Rationale CVE-2026-42824 critical in a widely deployed enterprise AI assistant demonstrates a new prompt-injection class Parameter-to-Prompt chained with SSRF to achieve one-click data exfiltration including MFA codes. Significant for security practitioners and organizations running Copilot Enterprise. Practice interview problems based on real data 1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with. Try 250 free problems /problems