One click on a Microsoft link could empty your inbox. How SearchLeak worked.


TL;DR

Varonis found three chained bugs in Microsoft 365 Copilot Enterprise Search that could allow an attacker to steal data with a single click on a microsoft.com link.

Security researchers at Varonis Threat Labs have disclosed a chain of vulnerabilities in Microsoft 365 Copilot Enterprise Search that could allow an attacker to steal emails, calendar entries, and indexed files with a single click. The attack, which Varonis calls SearchLeak, worked via a URL crafted on the legitimate microsoft.com domain, meaning traditional anti-phishing and URL filtering tools are unlikely to pick it up. Microsoft assigned CVE-2026-42824 on June 4 and rated it critical under its own severity system, although the CVSS v3.1 base score was 6.5, a moderate rating.

The victim never typed a request, entered a password, or clicked a second time. Varonis researcher Dolev Thaler, a Microsoft consultant, demonstrated the attack as a proof of concept. Microsoft mitigated the flaw on the backend, and since Copilot Enterprise is a managed service, no customer action was required.

SearchLeak combines three different vulnerabilities, each insufficient on its own but devastating in sequence. The entry point is the q parameter in the Copilot Enterprise Search URL, which accepts natural language queries. Varonis calls this parameter-to-prompt injection: an attacker writes a URL that instructs Copilot to search the victim’s mailbox, extract a piece of information such as the subject line of an email, and paste it into an image URL.


The victim clicks and Copilot executes the instructions without any additional input.

The second link in the chain is a race condition in how Copilot’s response is displayed. Microsoft’s guardrail wraps the output in code blocks so that the browser treats the markup as text, but the wrapping happens only after Copilot has finished generating. The browser renders the stream as it arrives, so the injected image tag fires its request before the sanitizer runs.

By the time the output is neutralized, the outgoing request has already been sent.

The third component is server-side request forgery via Bing. The content security policy at m365.cloud.microsoft blocks images from arbitrary domains, but allowlists *.bing.com. Bing’s “Search by image” endpoint receives an image URL and fetches it server-side to parse it.

Point that image URL at the attacker’s server, with the stolen data encoded in the URL path, and Bing retrieves it on the attacker’s behalf. The browser’s CSP is never applied because the request originates from the Bing infrastructure.

Put together, the sequence works like this: the victim clicks on the link, Copilot searches for their data, the response inserts the value into the Bing image URL, the browser calls Bing during the stream, and Bing pulls the attacker’s URL. The attacker reads the stolen data from their server logs, for example the /Your_Security_Code_847291/img.png request.

The scope of the attack matched everything a logged-in user could access through Microsoft Graph permissions. The most time-sensitive targets were one-time codes, MFA badges and password reset links sitting in the inbox, often valid for a few minutes. Calendar invites, meeting notes, and any SharePoint or OneDrive files that Copilot indexed were also available.

Microsoft’s advisory classifies the flaw as CWE-77, improper neutralization of special elements used in a command. The company rated it as critical, although the CVSS v3.1 base score of 6.5 reflects the user interaction requirement, specifically one click. The source article reporting the story claimed NVD had assigned a score of 7.5, but both Microsoft’s own CSAF record and the NVD entry show the same CVSS:3.1 vector with a 6.5 base score.

SearchLeak is the second time Varonis has demonstrated this pattern against Copilot. Thaler previously disclosed a Reprompt attack against Copilot Personal that used the same one-click technique to extract data. This vulnerability was reported to Microsoft in August 2025 and patched in January 2026.

SearchLeak worked against Enterprise Search, despite the additional safeguards this tier is required to implement.

The same class of bug appeared independently in EchoLeak, a zero-click Copilot vulnerability disclosed by Aim Security in 2025 and tracked as CVE-2025-32711 with a CVSS score of 9.3. EchoLeak requires no user interaction, injecting prompts into files that Copilot processes automatically. Together, these three disclosures form a pattern: prompt injection is the new ingredient that makes old web vulnerabilities dangerous again.

SSRF and HTML sanitization race conditions are well-understood bug classes that security teams have been mitigating for years. What makes them powerful in Copilot is the prompt injection layer, which creates a way to invoke them via a URL parameter designed to accept natural language. The AI system doesn’t just search; it follows the instructions included in the query, and those instructions can include data extraction logic that isn’t possible through a conventional search interface.

The implications go beyond Copilot. AI systems integrated into enterprise workflows inherit their users’ access permissions, but introduce new attack surfaces that existing security tools are not built to detect. A URL filter that checks domain reputation will pass a link to microsoft.com.

A content security policy that trusts Bing will allow the exfiltration request. Neither tool is designed to account for an AI intermediary that converts URL parameters into executable instructions.

For organizations running Microsoft 365 Copilot Enterprise, Varonis recommends watching for Copilot Search URLs that carry payloads or encoded HTML in the q parameter and monitoring for unusual traffic to Bing’s image endpoints. It also recommends tightening data access controls so that Copilot indexes less content, which reduces the exposure from any future vulnerabilities.
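The two monitoring checks above, sketched as an added example over proxy records; this is not Varonis's or Microsoft's code. The host lists, the `(url, referer)` record shape, the sample paths and the `u` parameter name are assumptions made for illustration, and the check presumes the proxy can see full URLs.

```python
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumptions, not vendor guidance: host lists and the (url, referer) record shape.
COPILOT_HOSTS = ("m365.cloud.microsoft", "microsoft.com")
BING = ("bing.com",)

def on_host(url, suffixes):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def fully_decode(value, rounds=5):
    # Undo nested percent-encoding so double-encoded markup is still visible.
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def check_copilot_url(url):
    # Reasons the q parameter of a Copilot search URL looks like a payload.
    reasons = []
    if on_host(url, COPILOT_HOSTS):
        for raw in parse_qs(urlsplit(url).query).get("q", []):
            q = fully_decode(raw).lower()
            if "<" in q or ">" in q:
                reasons.append("markup in q")
            if "http://" in q or "https://" in q:
                reasons.append("URL in q")
    return reasons

def check_bing_request(url, referer):
    # Reasons a Bing request made from a Copilot page looks like a relay fetch.
    reasons = []
    if on_host(url, BING) and on_host(referer, COPILOT_HOSTS):
        for name, values in parse_qs(urlsplit(url).query).items():
            for v in map(fully_decode, values):
                if v.lower().startswith(("http://", "https://")) and not on_host(v, BING):
                    reasons.append(f"external URL in {name}")
    return reasons

# Constructed records; paths, the "u" parameter and .example hosts are placeholders.
SAMPLE = [
    ("https://m365.cloud.microsoft/placeholder-path?q=budget+review", ""),
    ("https://m365.cloud.microsoft/placeholder-path?q=TEXT%2520%253Cimg%2520src%253Dx%253E", ""),
    ("https://www.bing.com/placeholder-path?u=https%3A%2F%2Fcollector.example%2FVALUE%2Fimg.png",
     "https://m365.cloud.microsoft/"),
    ("https://www.bing.com/placeholder-path?q=cats", "https://m365.cloud.microsoft/"),
]

def scan(records):
    return [(i, why) for i, (u, r) in enumerate(records)
            if (why := check_copilot_url(u) + check_bing_request(u, r))]
```

`scan(SAMPLE)` flags the double-encoded markup in the second record and the external URL relayed through Bing in the third, and leaves the two ordinary searches alone.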

Microsoft fixed SearchLeak before it was exploited in the wild, and the company says there is no evidence of malicious use. But Copilot’s rapid expansion into enterprise and public sector environments means that the attack surface grows faster than the defenses. The three disclosures in six months, each bypassing the protections the previous fix was supposed to establish, show that the fundamental tension between keeping data secure and giving an artificial intelligence tool access to vast amounts of it remains unresolved.


