A newly disclosed vulnerability chain in Microsoft 365 Copilot Enterprise Search could have allowed attackers to extract sensitive emails, files, and even multi-factor authentication (MFA) codes through a single user click, according to researchers at Varonis Threat Labs.
The attack, dubbed “SearchLeak,” combines multiple weaknesses in Copilot’s handling of search queries, browser rendering, and external content requests. Although Microsoft has since mitigated the issue on the backend, the proof-of-concept highlights the growing security risks in AI-powered enterprise tools.
Microsoft assigned the issue CVE-2026-42824 and classified it as a critical vulnerability, though severity ratings varied across assessment systems. The company confirmed that no customer action is required following its mitigation.
How the “SearchLeak” Attack Works
Researchers explained that the exploit is not a single bug but a chain of three distinct weaknesses that work together to bypass protections and exfiltrate data.
1. Prompt Injection via Search Parameter
The entry point is the q parameter in Microsoft 365 Copilot Enterprise Search URLs, which is intended for natural-language queries.
However, attackers discovered that Copilot can interpret malicious input as instructions rather than simple search terms. By embedding crafted prompts in the URL, an attacker can force Copilot to retrieve sensitive data such as emails or calendar entries and embed it into the response.
This technique is known as parameter-to-prompt injection, where user-controlled input directly influences AI behavior.
2. Timing Flaw in Output Sanitization
The second vulnerability lies in how Copilot output is rendered in the browser.
Although Microsoft applies sanitization measures—such as wrapping output in code blocks to neutralize HTML—the protection occurs too late in the rendering process. As Copilot streams its response, the browser may already begin rendering unsanitized content.
This timing gap allows injected elements like image tags to execute before sanitization is applied, enabling unauthorized network requests.
3. Content Security Policy (CSP) Bypass via Trusted Domain Abuse
The final stage exploits Microsoft’s Content Security Policy configuration on the Copilot domain, which restricts external content but allows trusted domains such as *.bing.com.
Attackers leveraged Bing’s image processing service, which fetches and analyzes image URLs server-side. By encoding stolen data into image requests routed through Bing, the attacker effectively bypasses browser-level restrictions.
Because the request originates from Bing’s infrastructure, security policies in the victim’s browser are not triggered, making detection significantly harder.
What Attackers Could Access
If successfully exploited, the vulnerability could expose a wide range of sensitive enterprise data tied to the user’s Microsoft 365 session, including:
- Emails and inbox content, including security codes and reset links
- Calendar events, meeting notes, and internal communications
- Files stored in SharePoint and OneDrive
- Data indexed and accessible through Copilot’s enterprise search functions
Researchers noted that MFA codes and one-time passwords are particularly high-value targets, as they may remain valid long enough for attackers to perform account takeover.
Enterprise-Level Impact and Risk
Because Copilot operates using the user’s Microsoft Graph permissions, attackers do not need separate authentication. Any data accessible to the logged-in user can potentially be exposed through the exploit chain.
Security analysts warn that this turns a simple link click into a potential full-account compromise scenario in high-privilege environments.
Varonis researchers also emphasized that similar techniques have been observed in earlier Copilot attack research, including Reprompt attacks and prior zero-click vulnerabilities such as EchoLeak (CVE-2025-32711), reinforcing concerns about recurring AI security patterns.
Microsoft Response and Mitigation
Microsoft has confirmed that the vulnerability has been mitigated on the service side and stated that Copilot Enterprise is a fully managed cloud service, meaning customers cannot directly patch underlying components.
The company did not report evidence of active exploitation in the wild.
However, researchers stress that backend fixes do not eliminate the underlying risk of prompt injection and browser-level timing flaws, especially in AI systems that process dynamic user input.
Security Recommendations for Enterprises
While no direct patching is required, security experts recommend organizations take proactive steps to reduce exposure:
- Monitor Copilot-generated search URLs for suspicious or encoded inputs
- Review outbound traffic to Bing image-related endpoints for anomalies
- Limit data exposure by restricting Copilot’s access to sensitive repositories
- Strengthen data governance policies for Microsoft 365 services
- Audit AI usage logs for unusual query patterns or automated link execution
Growing Concerns Around AI-Driven Enterprise Tools
The SearchLeak disclosure adds to a growing list of vulnerabilities affecting AI-powered productivity platforms. Experts warn that combining natural language processing with live enterprise data access creates new attack surfaces that traditional web security models were not designed to handle.
As organizations increasingly adopt AI assistants like Copilot, researchers say the line between user interaction and data exfiltration is becoming harder to secure.
Conclusion
The Microsoft 365 Copilot SearchLeak vulnerability demonstrates how a single user click can potentially cascade into full enterprise data exposure when multiple system weaknesses align. While Microsoft has mitigated the issue, the research highlights ongoing challenges in securing AI-driven enterprise search and productivity tools.
