Critical Microsoft 365 Copilot Flaw Vulnerability Allows
Attackers could steal sensitive corporate data, multi-factor authentication (MFA) codes, email contents, calendar details, and confidential files through a critical vulnerability chain within Microsoft 365 Copilot Enterprise. The flaw enabled unauthorized access via a single click on a link pointing to a legitimate Microsoft domain.
Dubbed SearchLeak, uncovered by Varonis Threat Labs and tracked as CVE-2026-42824, the flaw earned Microsoft’s maximum severity rating before being patched. Its significance lies less in any single bug than in how it fuses a new AI-specific weakness with two well-worn web security flaws, turning Copilot Enterprise Search into a silent exfiltration channel.
SearchLeak is not a single flaw; it is a chained exploit that weaponizes Microsoft 365 Copilot Enterprise Search as a silent data exfiltration engine.
Detailed by Varonis researcher Dolev Taler, the attack combines three distinct weaknesses: a Parameter-to-Prompt (P2P) Injection, an HTML rendering race condition, and a Server-Side Request Forgery (SSRF) via Bing’s image search endpoint.
Individually, each vulnerability is manageable. Chained together, they create a one-click attack capable of stealing virtually any data the victim can access within their Microsoft 365 tenant without requiring any special privileges, plugins, or secondary interactions.
Microsoft 365 Copilot Vulnerability Chain
Stage 1 — P2P Injection: Microsoft 365 Copilot Search accepts a q URL parameter intended for natural language search queries. The flaw is that whatever value is placed in the q parameter is interpreted by Copilot’s AI engine not just as a search string, but as executable instructions.
An attacker crafts a malicious URL that points to a trusted microsoft.com domain and commands Copilot to search the victim’s mailbox and embed the extracted data in an image URL. Because the link resolves to a legitimate Microsoft domain, traditional anti-phishing and URL protection tools do not flag it.
Stage 2 — Racing the Guardrail: Microsoft’s mitigation for dangerous AI-generated HTML is to wrap Copilot output in <code> blocks, preventing the browser from rendering it as markup.
However, this wrapping only occurs after Copilot finishes its generation phase. During the streaming phase, raw HTML including attacker-injected <img> tags is temporarily rendered live in the DOM. The browser fires off the HTTP request before the sanitizer even activates, making this a textbook race condition bypass.
Stage 3 — SSRF via Bing: The victim’s browser cannot directly contact an attacker-controlled server due to the Content Security Policy (CSP) on m365.cloud.microsoft. However, *.bing.com is CSP-allowlisted. Bing’s “Search by Image” feature accepts an imgurl parameter and performs a server-side fetch of the provided URL to analyze it.
The attacker embeds the stolen data directly in the path of this Bing image-search URL. Bing’s backend unwittingly relays the stolen data to the attacker’s server, bypassing the CSP entirely.

The complete attack requires only a crafted link sent via email, Teams, Slack, or any messaging channel. When clicked, Copilot silently searches the victim’s mailbox and generates a response with the stolen data embedded in a Bing image URL, and the attacker’s server logs the exfiltrated information, all in seconds and with no second click.
Defense Recommendations
Microsoft has fully patched SearchLeak server-side; no user action is required to receive the fix. However, Varonis recommends security teams:
- Monitor Copilot Search URLs for encoded payloads in the q parameter containing HTML or image-embedding instructions
- Audit CSP allowlists for any domain that performs server-side fetches on user-supplied URLs
- Treat AI streaming output as untrusted: sanitization must occur at render time, not as a post-processing step
- Alert users to inspect Microsoft 365 links with long, encoded query strings before clicking
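The first recommendation can be turned into a log check. The Python below is an added example, not code from Varonis or Microsoft: it percent-decodes the q parameter repeatedly and flags HTML tags, image markup, or a Bing imgurl reference. The /search path, the 300-character threshold, the collector.example host and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

COPILOT_HOSTS = {"m365.cloud.microsoft"}  # host named in the article; extend per tenant
INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[\s>/]", re.I),
    "img_markup": re.compile(r"<\s*img\b|!\[[^\]]*\]\(", re.I),
    "bing_imgurl": re.compile(r"bing\.com[^\s\"'<>]*[?&]imgurl=", re.I),
}
URL_RE = re.compile(r"https?://\S+")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so multiply-encoded payloads are not missed."""
    for _ in range(max_rounds):
        if (decoded := unquote(value)) == value:
            break
        value = decoded
    return value

def inspect_url(url):
    """Return sorted indicator names found in the q parameter ([] if none)."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL captured from a log line
        return []
    if (parts.hostname or "").lower() not in COPILOT_HOSTS:
        return []
    hits = set()
    for value in parse_qs(parts.query, keep_blank_values=True).get("q", []):
        text = fully_decode(value)
        hits.update(name for name, rx in INDICATORS.items() if rx.search(text))
        if len(text) > 300:  # assumed threshold for a "long" query; tune locally
            hits.add("long_query")
    return sorted(hits)

def scan(log_lines):
    """Return (url, indicators) for each flagged URL found in the log lines."""
    found = ((u, inspect_url(u)) for line in log_lines for u in URL_RE.findall(line))
    return [(u, hits) for u, hits in found if hits]

# Constructed sample data: the /search path, hosts and payload are placeholders.
_payload = '<img src="https://www.bing.com/placeholder?imgurl=https://collector.example/x">'
SAMPLE_LOG = [
    "GET https://m365.cloud.microsoft/search?q=quarterly%20budget",
    "GET https://m365.cloud.microsoft/search?q=" + quote(quote(_payload, safe=""), safe=""),
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Decoding in a loop matters because a single pass over a double-encoded value still looks like harmless percent-escapes to a pattern match.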
SearchLeak follows Varonis’ earlier discovery of Reprompt, a similar one-click data exfiltration chain affecting Copilot Personal.
Together, these findings underscore how AI assistants are creating new, hard-to-detect attack surfaces by reactivating previously unexploitable classic vulnerabilities in new contexts.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


