A single click on a Microsoft link might have emptied your inbox. Here’s how SearchLeak functioned.

      TL;DR: Varonis uncovered a trio of interconnected vulnerabilities in Microsoft 365 Copilot Enterprise Search, allowing an attacker to steal data with a single click on a microsoft.com link. Researchers at Varonis Threat Labs revealed that this vulnerability chain, termed SearchLeak, could enable the theft of emails, calendar entries, and indexed files through a carefully crafted URL on a legitimate microsoft.com domain, making it less likely to be flagged by standard anti-phishing or URL filtering measures. Microsoft designated CVE-2026-42824 on June 4, categorizing it as critical, although the CVSS v3.1 base score was assessed at 6.5, indicating a medium severity.

      The victim did not have to input a prompt, enter a password, or click again. Dolev Taler, a Varonis researcher featured in Microsoft's advisory, demonstrated this attack as a proof of concept. Microsoft addressed the issue on their backend, requiring no action from users because Copilot Enterprise is a managed service.

      SearchLeak exploits three separate vulnerabilities that, when combined, can be quite damaging. The initial vulnerability involves the q parameter in the Copilot Enterprise Search URL, which is designed for natural-language queries. Varonis refers to this as parameter-to-prompt injection, where an attacker crafts a URL instructing Copilot to search the victim's mailbox, pull a data point like an email subject, and embed it within an image URL.

      The process unfolds as follows: the victim clicks the link, triggering Copilot to search their data. The response then integrates a value within a Bing image URL, and during streaming, the browser contacts Bing, which retrieves the attacker's data encoded in the URL path. This means the browser’s content security policy (CSP) does not apply since the request stems from Bing’s infrastructure.

      The attack grants access to anything the signed-in user can access through their Microsoft Graph permissions, including sensitive one-time codes, MFA tokens, and links for password resets, which often remain active for several minutes. Other accessible data items include calendar invites, meeting notes, and any SharePoint or OneDrive files indexed by Copilot.

      Microsoft categorized the flaw under CWE-77, which pertains to improper neutralization of special elements used in commands. The company regarded it as critical, yet the CVSS v3.1 score of 6.5 reflects the necessity for user interaction—a single click. A source article implied that the NVD assigned a score of 7.5, but both Microsoft's CSAF record and the NVD listing show the same CVSS:3.1 vector with a 6.5 base score.

      This incident marks the second instance where Varonis has demonstrated this vulnerability pattern against Copilot. Taler previously revealed the Reprompt attack on Copilot Personal, employing a similar one-click method for data exfiltration. That vulnerability was reported to Microsoft in August 2025 and resolved by January 2026. Despite additional safeguards, SearchLeak proved effective against Enterprise Search.

      Another similar issue was disclosed by Aim Security in 2025, known as EchoLeak, a zero-click vulnerability tracked as CVE-2025-32711 with a CVSS score of 9.3, which required no user engagement at all by embedding prompt injections in documents processed automatically by Copilot. Collectively, these disclosures highlight a trend where prompt injection makes traditional web vulnerabilities significantly more dangerous.

      The presence of SSRF and HTML sanitizer race conditions are well-established and typically mitigated by security teams. However, the interaction with prompt injection on Copilot creates a route to trigger these vulnerabilities through a URL parameter meant for natural language input. Unlike conventional search interfaces, the AI system follows embedded instructions that could include data exfiltration logic.

      The concerns extend beyond Copilot, as AI systems embedded in enterprise workflows adopt the access permissions of their users while also introducing new attack vectors that existing security frameworks might not recognize. For instance, a URL filter that assesses domain reputation would likely accept a link to microsoft.com, and a CSP that trusts Bing would permit the exfiltration request. Neither tool was designed to manage the risks presented by an AI intermediary that converts URL parameters into actionable instructions.

      For organizations using Microsoft 365 Copilot Enterprise, Varonis suggests monitoring Copilot Search URLs for encoded payloads or HTML in the q parameter and tracking suspicious outbound requests to Bing's image endpoints. Enhancing data-access governance so that Copilot indexes less information could limit the potential impact of any future vulnerabilities.

      Microsoft resolved the SearchLeak issue before any exploitation was observed in the wild and stated there is no evidence of malicious activity. However, the swift proliferation of Copilot in enterprise and public-sector contexts indicates an expanding attack surface faster than the protective measures implemented, with three disclosures in six months each circumventing previously established safeguards. This trend underscores the ongoing challenge of balancing extensive data access for AI tools with the necessity of maintaining data security.