Microsoft: Critical Microsoft 365 Copilot Vulnerability Allows Attackers to Steal Data in One Click

Microsoft 365 Copilot Vulnerability Chain Exposed in "SearchLeak" Exploit

Security researchers at Varonis Threat Labs uncovered a critical vulnerability chain in Microsoft 365 Copilot Enterprise, dubbed SearchLeak (CVE-2026-42824), that enabled attackers to steal sensitive corporate data, including MFA codes, emails, calendar details, and confidential files, with a single click on a seemingly legitimate Microsoft domain link.

The flaw, rated with Microsoft’s maximum severity, was not a single bug but a chained exploit combining three distinct weaknesses: Parameter-to-Prompt (P2P) Injection, an HTML rendering race condition, and a Server-Side Request Forgery (SSRF) via Bing’s image search endpoint. Individually, these vulnerabilities were manageable, but together, they created a one-click attack capable of exfiltrating data from any Microsoft 365 tenant without requiring special privileges or additional user interaction.

How the Attack Worked

  1. Stage 1 – P2P Injection: Attackers crafted a malicious URL pointing to a trusted microsoft.com domain, embedding instructions in the q parameter. Copilot’s AI engine treated the parameter’s text as instructions rather than as a search query, causing it to search the victim’s mailbox and embed the stolen data in an image URL.
  2. Stage 2 – Racing the Guardrail: Microsoft’s safeguards wrapped Copilot’s output in <code> blocks to prevent HTML rendering. However, during the streaming phase, raw HTML, including attacker-injected <img> tags, was temporarily rendered in the DOM, triggering an HTTP request before sanitization could block it.
  3. Stage 3 – SSRF via Bing: The victim’s browser couldn’t directly contact an attacker-controlled server due to Content Security Policy (CSP) restrictions. Instead, the exploit leveraged Bing’s “Search by Image” feature, which allowed server-side fetching of attacker-controlled URLs. The stolen data was embedded in the image URL path, bypassing CSP and relaying it to the attacker’s server.

Once the link was opened, no further click was required: Copilot silently searched the victim’s data, embedded it in a Bing image URL, and exfiltrated it within seconds.

Impact & Response

Microsoft patched the vulnerability server-side, so no customer action was required. Varonis nonetheless recommended that security teams:

  • Monitor Copilot Search URLs for encoded payloads in the q parameter.
  • Audit CSP allowlists for domains performing server-side fetches on user-supplied URLs.
  • Treat AI streaming output as untrusted, ensuring sanitization occurs at render time.
  • Educate users to inspect Microsoft 365 links with long, encoded query strings before clicking.

SearchLeak follows Varonis’ earlier discovery of Reprompt, another one-click data exfiltration flaw in Copilot Personal. These findings highlight how AI assistants are creating new attack surfaces by repurposing classic vulnerabilities in novel ways.

Source: https://cybersecuritynews.com/microsoft-365-copilot-one-click-vulnerability/

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

{
"id": "MIC1781540872",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Microsoft 365 Copilot Enterprise',
                        'type': 'Software/Service'}],
 'attack_vector': 'One-click malicious URL',
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['MFA codes',
                                              'emails',
                                              'calendar details',
                                              'confidential files']},
 'description': 'Security researchers at Varonis Threat Labs uncovered a '
                'critical vulnerability chain in Microsoft 365 Copilot '
                'Enterprise, dubbed SearchLeak (CVE-2026-42824), that enabled '
                'attackers to steal sensitive corporate data including MFA '
                'codes, emails, calendar details, and confidential files with '
                'a single click on a seemingly legitimate Microsoft domain '
                'link. The flaw combined three distinct weaknesses: '
                'Parameter-to-Prompt (P2P) Injection, an HTML rendering race '
                'condition, and a Server-Side Request Forgery (SSRF) via '
                'Bing’s image search endpoint, creating a one-click attack '
                'capable of exfiltrating data without requiring special '
                'privileges or additional user interaction.',
 'impact': {'data_compromised': 'Sensitive corporate data (MFA codes, emails, '
                                'calendar details, confidential files)',
            'identity_theft_risk': 'High',
            'systems_affected': 'Microsoft 365 Copilot Enterprise'},
 'lessons_learned': 'AI assistants are creating new attack surfaces by '
                    'repurposing classic vulnerabilities in novel ways. '
                    'Security teams should monitor AI-generated URLs, audit '
                    'CSP allowlists, and treat AI streaming output as '
                    'untrusted.',
 'post_incident_analysis': {'corrective_actions': 'Microsoft patched the '
                                                  'vulnerability server-side; '
                                                  'recommended security '
                                                  'monitoring and user '
                                                  'education',
                            'root_causes': ['Parameter-to-Prompt (P2P) '
                                            'Injection',
                                            'HTML rendering race condition',
                                            'Server-Side Request Forgery '
                                            '(SSRF) via Bing’s image search '
                                            'endpoint']},
 'recommendations': ['Monitor Copilot Search URLs for encoded payloads in the '
                     '`q` parameter',
                     'Audit CSP allowlists for domains performing server-side '
                     'fetches on user-supplied URLs',
                     'Treat AI streaming output as untrusted and ensure '
                     'sanitization occurs at render time',
                     'Educate users to inspect Microsoft 365 links with long, '
                     'encoded query strings before clicking'],
 'references': [{'source': 'Varonis Threat Labs'}],
 'response': {'containment_measures': 'Microsoft patched the vulnerability '
                                      'server-side',
              'enhanced_monitoring': 'Recommended monitoring Copilot Search '
                                     'URLs for encoded payloads',
              'remediation_measures': 'Eliminated the need for user '
                                      'intervention; recommended monitoring '
                                      'Copilot Search URLs for encoded '
                                      'payloads, auditing CSP allowlists, and '
                                      'treating AI streaming output as '
                                      'untrusted',
              'third_party_assistance': 'Varonis Threat Labs'},
 'title': "Microsoft 365 Copilot Vulnerability Chain Exposed in 'SearchLeak' "
          'Exploit',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': ['Parameter-to-Prompt (P2P) Injection',
                             'HTML rendering race condition',
                             'Server-Side Request Forgery (SSRF) via Bing’s '
                             'image search endpoint']}