Cybersecurity researchers have detailed a now-patched vulnerability chain in Microsoft 365 Copilot Enterprise that lets an attacker steal a victim’s emails, security codes, and confidential files with a single click.
Microsoft fixed the issue, tracked as CVE-2026-42824. The severity rating varies by source, with Varonis defining it as “critical”, while Microsoft scored it 6.5 (medium), citing the required user interaction as a mitigating factor. The National Vulnerability Database scored it higher at 7.5 (high), having assessed it as needing no user interaction.
Dubbed SearchLeak, the attack strung together three weaknesses in Copilot Enterprise Search, each enabling the next.
In an advisory published on June 15, Varonis Threat Labs said the starting point was an AI-specific flaw the researchers call Parameter-to-Prompt (P2P) injection: the search query carried in a link’s URL was passed to Copilot not just as a search term but as instructions it would obey.
A victim who clicked a crafted link triggered Copilot to search their own mailbox and files and act on the attacker’s hidden command, without typing anything.
How the Chain Worked
The next weakness was a timing flaw in how Copilot rendered its answers. Microsoft’s safeguard against dangerous output wrapped responses so the browser would treat them as text, but that wrapping only happened after Copilot finished generating.
During the streaming phase, an image reference in the response rendered briefly in the browser and fired off a web request before the safeguard caught up. This is a classic race condition.
That left one obstacle. The page’s content security policy restricted which domains images could load from, which would normally block a request to an attacker’s server.
However, Bing’s image-search endpoint was allowlisted, and it performed a server-side fetch of whatever address it was given. By routing the exfiltration through Bing, the attacker turned a trusted Microsoft service into an unwitting relay, slipping the stolen data past the browser’s restrictions.
Why It Mattered, and What to Do
Because the malicious link pointed to a genuine microsoft.com address, traditional anti-phishing and URL-filtering tools had no reason to block it.
And because Copilot Enterprise runs with the signed-in user’s full permissions, an attacker effectively inherited the victim’s access to organizational data without ever logging in.
Varonis noted that exposed information could include email subject lines carrying One-Time Passcodes (OTPs) and password-reset links, calendar and meeting details, and indexed files such as earnings reports and salary information.
Varonis framed SearchLeak as an example of how AI opens new routes to old, familiar bugs that were previously unreachable.
With the flaw patched, the firm advised security teams to watch for suspicious Copilot Search links containing encoded instructions.
They should also review which allowlisted domains can perform server-side fetches and treat AI streaming output as untrusted by sanitizing it as it renders rather than afterward.
