Varonis Reveals SearchLeak Exploiting Copilot Enterprise

Varonis Threat Labs disclosed SearchLeak, a three-stage vulnerability chain in Microsoft 365 Copilot Enterprise that can exfiltrate emails, MFA codes, calendar items, SharePoint and OneDrive files via a single click. Microsoft addressed the issue and assigned it a critical severity rating.

Varonis Reveals SearchLeak Exploiting Copilot Enterprise Varonis Threat Labs disclosed "SearchLeak," a three-stage vulnerability chain in Microsoft 365 Copilot Enterprise that can exfiltrate emails, MFA codes, calendar items, SharePoint and OneDrive files via a single click, according to Varonis' technical writeup. Varonis says the chain combines Parameter-to-Prompt P2P injection , an HTML rendering race condition , and a CSP bypass via Bing SSRF to embed and relay sensitive results to attacker-controlled servers. Multiple outlets report that Microsoft addressed the issue and assigned the finding a maximum "critical" severity rating, per Varonis and BleepingComputer. The exploit requires only a click on a trusted microsoft.com link and does not need plugins or extra permissions, Varonis reports. Industry coverage frames SearchLeak as an example of how AI-specific prompt-injection can combine with classic web bugs to widen enterprise blast radius. What happened Varonis Threat Labs published a technical disclosure named SearchLeak CVE-2026-42824 , describing a proof-of-concept three-stage vulnerability chain that abuses Microsoft 365 Copilot Enterprise Search to exfiltrate enterprise data, according to Varonis' blog post and technical report. Varonis reports the chain can surface and transmit emails, two-factor authentication codes, meeting details, SharePoint documents, and OneDrive files from a Copilot Enterprise tenant after a single click on a crafted link. Multiple security outlets, including BleepingComputer, Dark Reading, and The Hacker News, report that Microsoft addressed the issue and that the finding received a maximum "critical" severity rating, per the public reporting and Varonis' disclosure. Technical details Per Varonis' writeup, SearchLeak chains three distinct weaknesses: Parameter-to-Prompt P2P injection , where the q URL parameter sent to Copilot Enterprise Search is treated as executable prompt input; an HTML rendering race condition that permits temporary rendering of attacker-controlled HTML for example an <img tag before sanitization completes; and a Content Security Policy bypass achieved via Bing's image search acting as a server-side request forgery SSRF proxy to fetch attacker-controlled URLs. Varonis demonstrates how these steps allow Copilot to search indexed organizational content and embed results in outbound requests that Bing then retrieves, delivering the data to an attacker-controlled endpoint, as described in the technical notes. Industry context Editorial analysis: Industry reporting frames SearchLeak as a concrete instance of an "AI-native" attack surface: prompt-injection techniques chain with well-known web vulnerabilities race conditions, SSRF to create new exfiltration paths. Observers in published coverage note the increased blast radius when the targeted assistant runs with enterprise search permissions and has access to mailboxes and storage, since compromised outputs can include cross-organizational artifacts. Implications for defenders and practitioners Editorial analysis: Companies running hosted AI assistants that index enterprise data should treat prompt-injection as a class of risk that can amplify otherwise ordinary web bugs. Hardening efforts that focus only on traditional phishing detection or URL filtering can miss attacks that execute from trusted domains, because SearchLeak's vector uses microsoft.com links and relies on in-product behavior rather than user-supplied attachments or external executables. Published coverage highlights that exploitability arises from chaining relatively low-severity issues into a critical end-to-end path. What to watch Observers will likely track vendor mitigations for prompt handling, streaming sanitization timing, and downstream service fetch policies for example, how image search endpoints validate or restrict fetch targets . Public reporting cites Microsoft's remediation of SearchLeak under CVE-2026-42824 and notes the critical severity designation, but security practitioners will be watching for similar prompt-injection chains in other AI-integrated enterprise tools that share enterprise search permissions. Scoring Rationale SearchLeak is a critical patched vulnerability CVE-2026-42824 in Microsoft 365 Copilot Enterprise - a widely deployed enterprise AI assistant. The three-stage chain enabling one-click exfiltration of emails, MFA codes, and files across a Copilot tenant represents a significant and novel AI-native attack surface. Score reflects importance to security practitioners tempered by the fact that Microsoft has patched the vulnerability. Practice interview problems based on real data 1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with. Try 250 free problems /problems