A single click on a Microsoft link could have emptied your inbox. Here's how SearchLeak functioned.

      **TL;DR** Varonis identified a series of interlinked vulnerabilities in Microsoft 365 Copilot Enterprise Search, enabling an attacker to steal sensitive data through a single click on a legitimate microsoft.com link. Researchers at Varonis Threat Labs revealed this vulnerability chain, named SearchLeak, which could allow stealing emails, calendar entries, and indexed files without any additional actions from the victim. Microsoft assigned CVE-2026-42824 to this issue on June 4, categorizing it as critical, although the CVSS v3.1 base score was rated at 6.5, indicating a medium severity.

      The attack requires no user inputs beyond the initial click. Dolev Taler, a Varonis researcher involved in the findings, showcased the vulnerability as a proof of concept. Microsoft addressed the issue on their backend, and since Copilot Enterprise is a managed service, no user intervention was necessary.

      SearchLeak relies on three separate vulnerabilities that, while individually harmless, become dangerous in combination. The first weakness is the ‘q’ parameter in the Copilot Enterprise Search URL, which is designed for natural language queries. This is exploited through a technique called parameter-to-prompt injection, allowing an attacker to craft a URL instructing Copilot to search the victim’s mailbox, retrieve data such as email subject lines, and embed it within an image URL.

      The second weakness involves a race condition in the rendering of Copilot's response. While Microsoft wraps output in code blocks to prevent execution of markup, this wrapping occurs after the response generation is completed. Consequently, the browser renders the response stream in real time, allowing an injected image tag to send a request before the sanitization process occurs.

      The final component is a server-side request forgery via Bing. The content security policy on m365.cloud.microsoft allows images from Bing but blocks those from other domains. Bing’s “Search by Image” function fetches images server-side for analysis. If an attacker provides a URL with stolen data encoded in it, Bing retrieves that data on the attacker’s behalf, circumventing any protections set by the browser.

      In summary, the attack flows as follows: the victim clicks a link, Copilot searches their data, embeds a value in a Bing image URL, and during this process, Bing fetches the attacker’s URL. The attacker can access stolen data through their server logs.

      The attack's impact is equal to what the signed-in user can access via their Microsoft Graph permissions. Time-sensitive targets included one-time codes, multi-factor authentication tokens, and password-reset links, frequently still valid for several minutes. Additional targets encompassed calendar invites, meeting notes, and any SharePoint or OneDrive files indexed by Copilot.

      Microsoft’s advisory classified this flaw as CWE-77, indicating improper sanitization of command elements. They rated it critical, but the CVSS v3.1 base score of 6.5 reflects the need for user action, specifically that single click. Though a source claimed a NVD score of 7.5, both Microsoft’s CSAF record and the NVD entry display the same CVSS:3.1 vector with a 6.5 base score.

      This is not Varonis's first instance of highlighting such a vulnerability in Copilot. Taler had previously revealed the Reprompt attack against Copilot Personal, which similarly utilized one-click methods for data exfiltration. This vulnerability was reported to Microsoft in August 2025 and resolved by January 2026. SearchLeak was effective against Enterprise Search despite extra security measures.

      A similar bug emerged independently in EchoLeak, a zero-click Copilot vulnerability disclosed by Aim Security in 2025 and tracked as CVE-2025-32711 with a CVSS score of 9.3. EchoLeak did not require user interaction, embedding prompt injections in documents automatically processed by Copilot. Collectively, these disclosures illustrate how prompt injection introduces new risks into existing web vulnerabilities.

      Well-known classes of bugs like SSRF and HTML sanitiser race conditions have been mitigated by security teams for years. However, the prompt injection layer makes them especially effective in Copilot, allowing for data exfiltration through a URL parameter intended for natural language queries. The AI does not merely search; it executes instructions embedded in user queries, which could entail data theft that a typical search interface would not permit.

      The implications extend beyond Copilot, as AI systems integrated into enterprise workflows take on user access permissions and create new vulnerabilities that existing security tools may not detect. A URL filter might not flag a link to microsoft.com, and a content security policy trusting Bing could permit exfiltration requests. Neither tool was designed for an AI intermediary that converts URL parameters into executable commands.

      For organizations using Microsoft 365 Copilot Enterprise, Varonis suggests monitoring for Copilot Search URLs containing encoded payloads or HTML within the q parameter and being vigilant for unusual outbound requests to Bing’s image endpoints. Strengthening data-access governance