cve-2026-42824

Varonis Threat Labs chained three bugs in Microsoft 365 Copilot Enterprise Search to build a one-click exfiltration path that pulls emails, files, and live MFA codes without any OAuth prompt or user consent beyond clicking a Microsoft-domain URL.