A single click on a Microsoft link could have emptied your inbox. Here’s how SearchLeak operated.

      TL;DR Varonis discovered three interconnected vulnerabilities in Microsoft 365 Copilot Enterprise Search that could allow an attacker to steal data with just one click on a microsoft.com link. Researchers from Varonis Threat Labs revealed a vulnerability chain, named SearchLeak, that could enable data theft of emails, calendar entries, and indexed files by using a specially crafted URL from a legitimate microsoft.com domain, making it difficult for traditional anti-phishing and URL filtering tools to detect. Microsoft assigned CVE-2026-42824 on June 4, categorizing it as critical; however, its CVSS v3.1 base score was 6.5, classified as medium.

      The victim did not need to enter a prompt, provide a password, or click anything additional. Dolev Taler, a Varonis researcher mentioned in Microsoft's advisory, showcased the attack as a proof of concept. Microsoft addressed the issue on its backend, and as Copilot Enterprise is a managed service, no action was required from customers.

      SearchLeak exploits three separate vulnerabilities, each harmless on its own but destructive in conjunction. The initial vulnerability lies in the q parameter in the Copilot Enterprise Search URL, intended for natural language queries. Varonis describes this as parameter-to-prompt injection, allowing an attacker to create a URL instructing Copilot to search the victim’s mailbox, pull specific data like an email subject line, and incorporate it into an image URL.

      When the victim clicks the link, Copilot executes the command without further input. The second weakness is a race condition in how Copilot's response is rendered. Microsoft’s security mechanism encapsulates output in code blocks so that the browser treats markup as text, but this encapsulation occurs after Copilot has finished generating the output. Therefore, the browser renders the information as it comes in, allowing the injected image tag to trigger its request before the sanitization process is complete.

      The final part of the chain is a server-side request forgery via Bing. The content security policy on m365.cloud.microsoft.com prevents images from arbitrary domains but allows those from *.bing.com. Bing’s “Search by Image” feature retrieves and analyzes images server-side. By directing that fetch to an attacker’s server with stolen data encoded in the image URL, Bing fetches it on behalf of the attacker. The browser's CSP does not come into play because the request originates from Bing's infrastructure.

      In summary, the sequence unfolds as follows: the victim clicks a link, Copilot searches their data, the response embeds a value in a Bing image URL, the browser contacts Bing during the data stream, and Bing retrieves the attacker’s URL. The attacker can then access the stolen data from their server logs, such as a request for /Your_Security_Code_847291/img.png.

      The impact of the attack was equivalent to what the signed-in user could access through their Microsoft Graph permissions. The most pressing targets included one-time codes, MFA tokens, and password reset links in the inbox, often still valid for several minutes. Additionally, items like calendar invites, meeting notes, and indexed SharePoint or OneDrive files were also vulnerable.

      Microsoft's advisory classifies the flaw as CWE-77, which indicates improper neutralization of special elements in a command. The flaw was rated critical by Microsoft, but the base CVSS v3.1 score of 6.5 reflects the necessity for user interaction, namely that single click. While the source article mentioned an NVD score of 7.5, both Microsoft’s CSAF record and the NVD entry show an identical CVSS:3.1 vector with a base score of 6.5.

      SearchLeak marks the second occasion Varonis has demonstrated this type of vulnerability in Copilot, with Taler previously uncovering the Reprompt attack against Copilot Personal, which similarly used a one-click method for data exfiltration. That flaw was reported to Microsoft in August 2025 and patched by January 2026.

      Despite the extra security measures intended for Enterprise Search, SearchLeak proved effective. A similar flaw arose independently in EchoLeak, a zero-click vulnerability in Copilot disclosed by Aim Security in 2025, tracked as CVE-2025-32711 and assigned a CVSS score of 9.3. EchoLeak did not require user interaction, embedding prompt injections in documents processed automatically by Copilot. Together, these disclosures indicate that prompt injection is a new factor that revitalizes traditional web vulnerabilities.

      Server-side request forgery and HTML sanitizer race conditions are widely recognized classes of bugs that security teams have actively been mitigating for years. However, their danger in Copilot arises from the prompt injection layer, which facilitates triggering them through a URL parameter designed for natural language queries. The AI system not only conducts searches but also executes instructions embedded within queries—an action that could not be performed through standard search interfaces.

      The implications of these vulnerabilities extend beyond Copilot. AI systems embedded in enterprise