"A single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot Enterprise Search."
SearchLeak: a one-click chain from Varonis Threat Labs
Researchers at Varonis Threat Labs disclosed a chained exploit they call SearchLeak that used three distinct bugs to create a one-click exfiltration path from Microsoft 365 Copilot Enterprise Search. Microsoft assigned the bug CVE-2026-42824 and marked it critical. Varonis presented a proof-of-concept demonstration; Microsoft mitigated the issue on its backend and reported no observed exploitation in the wild. Because the link involved a real microsoft.com domain, standard anti-phishing and URL-filtering defenses were unlikely to flag it.
Parameter-to-Prompt injection in Copilot Enterprise Search
The entry point for the attack was the q parameter in the Copilot Enterprise Search URL, intended for a natural-language query. Varonis calls the exploit a Parameter-to-Prompt injection: the service treats the q parameter not merely as text to search but as instructions for Copilot. An attacker can craft a URL that tells Copilot to search a victim's mailbox, extract an email title or other value, and place that value inside an image URL. The victim need only click the link once; no additional prompts, passwords, or clicks are required.
Race condition and Bing as an exfiltration proxy
Two legacy web weaknesses were repurposed to carry the stolen data outward. First, a timing race in how Copilot output is rendered allowed a generated <img> tag to be drawn and to fire a request before Microsoft's sanitizer wrapped the output in <code> blocks. Second, the page's Content Security Policy (CSP) on m365.cloud.microsoft.com blocks images from arbitrary domains but allowlists *.bing.com. Bing's "Search by Image" endpoint accepts an image URL and fetches it server-side. By embedding the stolen text into a Bing image URL, the browser triggers a fetch from Bing infrastructure — which is not governed by the page's CSP — and Bing retrieves the attacker-controlled URL. Because the request originates from Bing, the browser-level CSP never blocks the exfiltration; Bing effectively becomes the proxy that carries the stolen content to the attacker's server logs.
What attackers could have exfiltrated
Copilot Enterprise operates with the signed-in user's Microsoft Graph access, so an attacker exploiting SearchLeak inherits the reach of that account without logging in. Varonis highlighted time-sensitive targets: one-time codes, MFA codes, and password-reset links in the inbox that may remain valid for minutes. The exploit could also expose calendar invites, meeting notes, and any SharePoint or OneDrive files Copilot has indexed — including salary data, earnings figures, and acquisition plans where those items are present in indexed content. A script that reads logs while a victim's Copilot window is open can capture transient values quickly enough to enable account takeover, the researchers warned.
How Microsoft responded, and what tenant administrators can do
Microsoft mitigated CVE-2026-42824 on its backend. Because Copilot Enterprise is a managed service, tenant administrators cannot directly patch or reconfigure the service components involved. Microsoft and Varonis both characterized the issue as fixed at the service level. Varonis advised tenant defenders to look for Copilot Search URLs carrying encoded payloads or HTML in the q parameter and for unusual outbound requests to Bing's image endpoints. Tenants were also urged to tighten data-access governance so Copilot indexes less content, thereby shrinking the scope of what any future leak could reach.
What this means for technologists, enterprise administrators, and end users
- Technologists and security teams: Watch for the specific indicators Varonis named — q-parameter payloads and anomalous Bing image fetches — and consider controls that limit Copilot's indexing surface.
- Enterprise administrators and procurement leaders: Note that mitigation occurred on Microsoft's backend and that tenant-level patching is not possible for managed Copilot Enterprise; governance and indexing policy changes are the practical levers available.
- End users: Be aware that one-click links to legitimate microsoft.com domains can carry hidden instructions to Copilot; treat unexpected Copilot Search links with caution, especially when short-lived codes or sensitive documents may be present in your account.
SearchLeak demonstrates how a modern prompt-injection weakness can revive older attack primitives — sanitizer races and server-side fetches — into a single, practical exploit. Microsoft’s backend mitigation stopped this chain, but the researchers’ proof-of-concept underscores the continuing risk where AI prompt handling, UI timing, and permissive allowlists intersect.
