A single click on a Microsoft link could have exposed emails, calendar data and indexed files from Microsoft 365 Copilot Enterprise Search, according to a technical analysis by Varonis Threat Labs. Microsoft assigned CVE-2026-42824 and said it mitigated the issue on the backend.
KEY FACTS
- Technique: Researchers chained three bugs into a one-click exfiltration path called SearchLeak.
- Impact: The flaw could expose mailbox content, calendar details and Copilot-indexed files.
- Severity: Microsoft labeled the issue critical and assigned CVE-2026-42824.
- Status: Microsoft said it applied a backend mitigation and no customer action was needed.
The report said the attack starts with Copilot’s q parameter, which can be used to inject instructions into a search request. A victim only needed to click a crafted link that pointed to a real microsoft.com domain, which could make standard anti-phishing tools less likely to flag it.
The attack then relied on a timing gap in the way Copilot output was rendered. The report said the browser could process an injected image tag before Microsoft’s sanitizing code wrapped the response in code blocks.
The final step used Bing’s image search infrastructure as a proxy. Because the browser’s content policy allowed Bing domains, an attacker could encode stolen text into a URL and have Bing fetch it server-side, moving the data off the page without triggering the site’s restrictions.
Varonis said Copilot Enterprise could reach whatever data the signed-in user could access through Microsoft Graph. That could include one-time codes, password-reset links, meeting notes, and SharePoint or OneDrive files.
The company said it had not observed real-world exploitation but presented a proof of concept. The disclosure said tenant administrators cannot patch the managed service themselves, so monitoring for unusual Copilot search strings and outbound requests to Bing endpoints is the main defensive option.
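As an added illustration of that monitoring advice (example code, not Varonis or Microsoft tooling), the script below triages constructed web-proxy log lines for the two signals the report names: markup or instruction-like text in a Copilot `q` parameter, and long encoded payloads sent to bing.com hosts. The log format, the `copilot.microsoft.com` host and the 200-character threshold are assumptions to adjust to a real tenant.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Markup or instruction-like text that has no business in a Copilot search query.
INJECTION_MARKERS = re.compile(r"<img\b|!\[|\bsrc=|\bignore (all |the )?previous\b", re.I)
LONG_PAYLOAD = 200  # assumption: a query this long to an image search deserves review
ENCODED = re.compile(r"[A-Za-z0-9+/=_%-]+")  # base64/url-encoded-looking blob, no spaces

def classify(url):
    """Return finding tags for one URL (empty list when nothing looks suspicious)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    for q in parse_qs(parts.query, keep_blank_values=True).get("q", []):
        if host.endswith(".microsoft.com") or host == "microsoft.com":
            if INJECTION_MARKERS.search(q):
                findings.append("copilot_q_injection_markup")
            elif len(q) > LONG_PAYLOAD:
                findings.append("copilot_q_oversized")
        elif host.endswith(".bing.com") or host == "bing.com":
            if len(q) > LONG_PAYLOAD and ENCODED.fullmatch(q):
                findings.append("bing_encoded_payload")
    return findings

def triage(log_lines):
    """Group findings per user: a Copilot injection hit followed by a Bing payload
    from the same user is the full SearchLeak sequence and should be escalated."""
    per_user = {}
    for line in log_lines:
        rec = json.loads(line)
        tags = classify(rec["url"])
        if tags:
            per_user.setdefault(rec["user"], []).append((rec["ts"], tags))
    return per_user

# Constructed proxy-log lines (not real traffic); hosts and format are assumptions.
SAMPLE_LOG = [
    '{"ts": "10:01", "user": "alice", "url": "https://copilot.microsoft.com/?q=q3+revenue+summary"}',
    '{"ts": "10:02", "user": "alice", "url": "https://copilot.microsoft.com/?q=summarize+inbox+%3Cimg+src%3D%22x%22%3E"}',
    '{"ts": "10:02", "user": "alice", "url": "https://www.bing.com/images/search?q=' + "A" * 260 + '"}',
    '{"ts": "10:05", "user": "bob", "url": "https://www.bing.com/images/search?q=office+chair"}',
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_LOG).items():
        print(user, hits)
```

Only alice is reported, with the Copilot injection hit and the Bing payload grouped together; bob's ordinary image search is ignored.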
WHY IT MATTERS
The case shows how prompt injection, browser rendering quirks and server-side fetching can combine to move data out of a managed AI service. It also highlights the risk of exposing sensitive content to systems that index broad sets of corporate files and messages.