What is SearchLeak and which Microsoft product does it affect?

SearchLeak (CVE-2026-42824) is a one-click data exfiltration chain disclosed by Varonis Threat Labs in June 2026 affecting Microsoft 365 Copilot Enterprise Search. The vulnerability chains a parameter-to-prompt injection, an HTML rendering race condition, and a Bing-side SSRF to extract a victim's emails, calendar events, OneDrive files, SharePoint content, and inbox-resident MFA codes when the victim clicks a crafted URL that points to a legitimate Microsoft domain.

Does SearchLeak require any user interaction beyond clicking a link?

No. The victim needs only to click the malicious URL — there is no OAuth consent screen, no credential prompt, and no command to type. The injected instructions execute within Copilot's context using the victim's existing permissions. Because the URL resolves to a real Microsoft domain, standard anti-phishing and URL-filtering controls are unlikely to flag it as suspicious.

Has Microsoft patched SearchLeak and do customers need to take action?

Microsoft deployed a server-side mitigation in early June 2026, prior to Varonis's public disclosure on June 15, 2026. Customers do not need to apply a patch — the fix was implemented on Microsoft's backend. No in-the-wild exploitation was observed. However, the underlying attack class (parameter-to-prompt injection combined with CSP bypass through trusted infrastructure) is not unique to this specific flaw and remains relevant for any enterprise deploying RAG-based AI assistants.

SearchLeak: One-Click Exfiltration from M365 Copilot

Varonis Threat Labs disclosed a critical vulnerability chain in Microsoft 365 Copilot Enterprise Search on June 15, 2026 that reduced enterprise data theft to a single link click. The attack, named SearchLeak and assigned CVE-2026-42824, required no OAuth consent, no credential entry, and no user awareness that anything had occurred. A victim who clicked a URL pointing to a legitimate Microsoft domain could have their inbox, calendar, OneDrive, and SharePoint content silently exfiltrated, including one-time MFA codes still valid for use.

Microsoft patched the specific vulnerability server-side before Varonis published. But SearchLeak is worth studying regardless: it’s a clean demonstration of how parameter-to-prompt injection, timing-dependent output handling, and trusted-infrastructure SSRF chain together in production AI systems.

The Three-Bug Chain

SearchLeak is not a single flaw. It chains three separate weaknesses, each necessary but insufficient alone.

Bug 1: Parameter-to-Prompt Injection via the Search Query

Microsoft 365 Copilot Enterprise Search accepts a q URL parameter that populates the natural-language search query sent to Copilot. The parameter value was not adequately sanitized before being incorporated into the Copilot prompt context.

An attacker could craft a URL where the q value included instructions for Copilot rather than a search term: instructions to retrieve specific documents, summarize inbox content, or locate authentication codes. Copilot, receiving these instructions as part of its prompt via the URL, would execute them using the logged-in user’s existing Microsoft Graph permissions. This is parameter-to-prompt injection, the URL-surface equivalent of indirect prompt injection.

The critical detail: the victim’s click was the trigger. The link pointed at microsoft.com or a subdomain, so it would not be flagged by URL filtering that pattern-matches against known-malicious domains. The user might receive it in an email, a Teams message, or a shared document comment, appearing as a routine link to a Microsoft resource.

Bug 2: HTML Rendering Race Condition

After Copilot generated a response including the exfiltrated data, the output should have passed through sanitization before rendering. Varonis identified a race condition where an injected <img> tag could fire before that sanitization completed.

The src URL of the injected image could be constructed to include Copilot’s response data as a query parameter, effectively encoding the stolen content in an outbound HTTP request triggered at render time. The image element itself would be invisible to the user.

Bug 3: Bing SSRF to Bypass Content Security Policy

Enterprise web applications use Content Security Policy headers to control which external origins a page may contact. Microsoft 365 Copilot Enterprise Search’s CSP unsurprisingly allows connections to Microsoft and Bing infrastructure.

The race-condition image request did not go directly to an attacker-controlled server, which the CSP would have blocked. Instead, Varonis routed it through Bing’s image-fetching infrastructure: a server-side request forgery where Bing fetched the attacker-specified URL on behalf of the page. Because the outbound request originated from Bing’s infrastructure, the CSP saw a permitted Microsoft origin and allowed it. The attacker-controlled endpoint received the request, including the stolen data encoded in the URL.

The three bugs compose into a complete exfiltration path: the q parameter gets attacker instructions into Copilot’s prompt, the race condition gets data into an outbound request before it can be sanitized, and the Bing SSRF routes that request past the CSP.

What Could Be Exfiltrated

Copilot Enterprise Search operates under the victim’s Microsoft Graph permissions, meaning it can access whatever the victim’s account can access: email, calendar events, Teams messages, OneDrive files, SharePoint documents, and indexed external data sources connected to the tenant.

The most time-sensitive exposure was inbox-resident authentication codes. Users frequently receive MFA codes, one-time passwords, and password-reset links by email. These are valid for short windows, often two to ten minutes. A successful SearchLeak execution could extract a live authentication token while it remained valid, potentially enabling account access in the same attack window, without the attacker needing any prior credential.

CVSS scoring for CVE-2026-42824 reflects some tension. Microsoft’s advisory scored it 6.5; the National Vulnerability Database assigned 7.5. The discrepancy reflects standard scope debates around network-accessible vulnerabilities that require no privileges but also require victim interaction (clicking a link). Given the no-consent-required exfiltration path and the MFA code exposure, most practitioners would treat the real-world impact as higher than either score suggests.

Why the Microsoft-Domain Delivery Vector Matters

SearchLeak’s delivery mechanism deserves attention separate from the technical vulnerability chain. A phishing link to attacker-hosting.xyz/malicious is easily flagged by email gateways, browser reputation systems, and trained security awareness instincts. A link to copilot.microsoft.com/search?q=... is not. It looks like a Copilot search link.

This is the pattern that makes AI assistant attack surface genuinely novel for enterprise defenders: the trusted services employees interact with daily become potential delivery vectors. The attack does not require the attacker to register infrastructure, evade reputation scoring, or social-engineer a user into ignoring warnings. It uses Microsoft’s infrastructure end to end.

Defensive Considerations

The specific SearchLeak vulnerability was patched server-side by Microsoft before public disclosure. No customer action is required for the disclosed CVE. The broader defensive posture for Copilot and similar RAG-based enterprise AI assistants involves several layers.

Copilot sensitivity and access scope controls. Microsoft 365 Copilot respects existing permissions, which means tightening underlying data access directly reduces exfiltration scope. Files with overpermissioned sharing, emails in shared mailboxes accessible to broad groups, and SharePoint documents with organisation-wide read access expand what Copilot can retrieve on a user’s behalf. Sensitivity label enforcement and Microsoft Purview integration limit what Copilot surfaces even when the underlying data is accessible.

Audit Copilot activity logs. Microsoft 365 Copilot generates audit events via Microsoft Purview Audit, including the queries submitted and the data sources accessed in generating responses. Anomalous Copilot usage patterns, particularly searches for credentials, authentication codes, or high-value document categories, should generate alerts. This is detective rather than preventive, but it closes the visibility gap that existed during the SearchLeak disclosure window.

Monitor for URL-based prompt injection patterns. Security teams maintaining Microsoft 365 tenants should assess whether monitoring for unusual Copilot query patterns is feasible given their logging setup. Queries arriving via URL parameters rather than interactive input, particularly those containing instruction-style language, are worth flagging for review.

Treat the attack class, not just the CVE. Parameter-to-prompt injection into AI assistant endpoints is not a Microsoft-specific problem. Any product that takes natural language input via URL, integrates it into a large language model context, and operates with user permissions creates a similar attack surface. The SearchLeak chain is specific to M365 Copilot’s implementation, but the pattern will appear in other enterprise AI products.

SearchLeak sits alongside EchoLeak (CVE-2025-32711), disclosed the previous year by Aim Security in the same product family, as evidence that enterprise AI assistant attack surface is actively being probed by security researchers. Both chains exploited the combination of RAG retrieval and insufficient prompt isolation to create novel exfiltration paths that traditional network and endpoint controls do not detect.