Microsoft 365 Copilot Vulnerable to "SearchLeak" One-Click Data Exfiltration Attack
Researchers at Varonis Threat Labs uncovered a critical vulnerability in Microsoft 365 Copilot Enterprise Search, tracked as CVE-2026-42824, enabling attackers to exfiltrate sensitive enterprise data with a single click. The flaw, dubbed "SearchLeak," combines AI-specific prompt injection with traditional web vulnerabilities to bypass security controls.
The attack exploits a three-stage exploit chain:
- Parameter-to-Prompt (P2P) Injection – Copilot’s URL query parameter is interpreted as executable instructions, allowing attackers to embed malicious prompts that force the AI to retrieve confidential data (e.g., MFA codes, emails, SharePoint/OneDrive files).
- HTML Injection Race Condition – While Microsoft sanitizes AI responses by wrapping them in code blocks, a timing flaw allows injected HTML (e.g., image tags) to render before protection applies, enabling outbound data leakage.
- Server-Side Request Forgery (SSRF) via Bing – Attackers bypass browser security policies by embedding exfiltrated data in a Bing image search URL, leveraging Microsoft’s trusted infrastructure to transmit stolen information.
In a real-world scenario, victims receive a seemingly legitimate Microsoft link (via email, Teams, or Slack). Upon clicking, Copilot executes the hidden prompt, searches enterprise data, and silently exfiltrates sensitive content all without requiring further interaction. Since the attack originates from a trusted domain, traditional phishing defenses fail to block it.
The impact is severe, particularly in enterprise environments where Copilot integrates with organizational data. Attackers can access emails, meeting details, financial reports, and strategic documents, all while operating under the victim’s session permissions without triggering security alerts.
Microsoft has patched the vulnerability, but SearchLeak underscores broader risks in AI-driven systems. By bridging prompt injection with legacy flaws like race conditions and SSRF, the attack demonstrates how AI can expand attack surfaces, turning productivity tools into data exfiltration channels. The discovery follows prior AI vulnerabilities (e.g., "Reprompt") and highlights the need for stricter input validation, real-time output sanitization, and AI-specific threat modeling.
Source: https://gbhackers.com/microsoft-365-copilot-vulnerability-2/
Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security
"id": "MIC1781591215",
"linkid": "microsoft-security",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Enterprise users of Microsoft '
'365 Copilot',
'industry': 'Software, Cloud Services',
'location': 'Global',
'name': 'Microsoft',
'size': 'Enterprise',
'type': 'Technology Company'}],
'attack_vector': 'One-click malicious link (email, Teams, Slack)',
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (confidential enterprise data, '
'personally identifiable information)',
'type_of_data_compromised': ['Emails',
'Meeting details',
'Financial reports',
'Strategic documents',
'MFA codes',
'SharePoint/OneDrive files']},
'description': 'Researchers at Varonis Threat Labs uncovered a critical '
'vulnerability in Microsoft 365 Copilot Enterprise Search, '
'tracked as CVE-2026-42824, enabling attackers to exfiltrate '
'sensitive enterprise data with a single click. The flaw, '
"dubbed 'SearchLeak,' combines AI-specific prompt injection "
'with traditional web vulnerabilities to bypass security '
'controls. The attack exploits a three-stage exploit chain: '
'Parameter-to-Prompt (P2P) Injection, HTML Injection Race '
'Condition, and Server-Side Request Forgery (SSRF) via Bing. '
'Victims receive a seemingly legitimate Microsoft link, and '
'upon clicking, Copilot executes the hidden prompt, searches '
'enterprise data, and silently exfiltrates sensitive content '
'without further interaction.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in '
'AI-driven productivity tools',
'data_compromised': 'Emails, meeting details, financial reports, '
'strategic documents, MFA codes, '
'SharePoint/OneDrive files',
'identity_theft_risk': 'High (access to personally identifiable '
'information)',
'operational_impact': 'Data exfiltration without triggering '
'security alerts, bypassing traditional '
'phishing defenses',
'systems_affected': 'Microsoft 365 Copilot Enterprise Search'},
'investigation_status': 'Patched',
'lessons_learned': 'SearchLeak underscores broader risks in AI-driven '
'systems, demonstrating how AI can expand attack surfaces '
'by bridging prompt injection with legacy flaws like race '
'conditions and SSRF. There is a need for stricter input '
'validation, real-time output sanitization, and '
'AI-specific threat modeling.',
'post_incident_analysis': {'corrective_actions': ['Microsoft patched the '
'vulnerability',
'Stricter input validation',
'Real-time output '
'sanitization',
'AI-specific threat '
'modeling'],
'root_causes': ['AI-specific prompt injection',
'HTML Injection Race Condition',
'SSRF via Bing']},
'recommendations': ['Implement stricter input validation',
'Apply real-time output sanitization',
'Adopt AI-specific threat modeling',
'Enhance monitoring for AI-driven tools'],
'references': [{'source': 'Varonis Threat Labs'}],
'response': {'containment_measures': 'Microsoft patched the vulnerability',
'remediation_measures': 'Stricter input validation, real-time '
'output sanitization, AI-specific threat '
'modeling',
'third_party_assistance': 'Varonis Threat Labs (researchers)'},
'title': "Microsoft 365 Copilot Vulnerable to 'SearchLeak' One-Click Data "
'Exfiltration Attack',
'type': 'Data Exfiltration',
'vulnerability_exploited': 'CVE-2026-42824 (Parameter-to-Prompt Injection, '
'HTML Injection Race Condition, SSRF via Bing)'}