A newly disclosed attack chain, dubbed SearchLeak, demonstrated how threat actors could transform Microsoft 365 Copilot Enterprise into a powerful one-click data exfiltration tool. By exploiting a sequence of vulnerabilities, attackers were able to extract sensitive corporate information from Microsoft 365 environments without requiring victims to enter commands or approve suspicious actions.
SearchLeak: A Critical Microsoft 365 Copilot Vulnerability
The vulnerability chain affected Microsoft 365 Copilot Enterprise Search, the AI-powered capability designed to retrieve information from organizational resources such as Outlook mailboxes, SharePoint repositories, OneDrive storage, and calendar data.
Successful exploitation could expose highly sensitive assets, including:
- Email conversations containing passwords, authentication codes, or confidential discussions.
- Calendar events and meeting details.
- Internal documents stored in SharePoint and OneDrive.
- Any information accessible through Copilot Enterprise Search.
Microsoft addressed the issue earlier this month and assigned it CVE-2026-42824, classifying the flaw as Critical, the highest severity level.
How the SearchLeak Attack Worked
Security researchers from Varonis discovered that the attack relied on chaining together three weaknesses that, independently, posed limited risk but collectively enabled large-scale data theft.
Stage 1: Parameter-to-Prompt Injection
The attack began with a parameter-to-prompt (P2P) injection vulnerability involving the q parameter used by Microsoft 365 Copilot Search.
Unlike traditional Copilot experiences that primarily generate content, Copilot Enterprise Search directly interacts with enterprise data sources, including emails, meetings, SharePoint files, and OneDrive content.
Attackers crafted malicious URLs containing hidden instructions that Copilot interpreted as legitimate search prompts. Once a victim clicked the link, Copilot automatically executed the embedded commands.
For example, the injected prompt could instruct Copilot to:
- Search the user’s mailbox.
- Extract specific pieces of information.
- Reformat the results into a predefined output structure.
No manual interaction beyond opening the link was required.
Stage 2: Exploiting an HTML Rendering Race Condition
The second phase leveraged an HTML rendering race condition.
During response generation, Copilot streams its output progressively to the browser. Researchers found that raw HTML could briefly render before Microsoft neutralized it by enclosing the content within protected code blocks.
This short timing window allowed attacker-controlled HTML elements, particularly <img> tags, to execute before sanitization completed.
As a result, outbound requests could be triggered using data generated by Copilot itself.
Stage 3: Bing SSRF Enables CSP Bypass
The final component involved a Server-Side Request Forgery (SSRF) vulnerability in Bing’s “Search by Image” functionality.
Normally, Content Security Policy (CSP) protections restrict unauthorized outbound communications from browsers. However, Bing’s image retrieval process unintentionally acted as an intermediary.
When Copilot generated an image reference containing stolen information embedded within the URL, Bing fetched the resource on the attacker’s behalf.
This behavior effectively bypassed CSP restrictions because the request originated from a trusted Microsoft service.
The attacker could then retrieve the exfiltrated data directly from server logs.
Why SearchLeak Matters for Enterprise Security
The most concerning aspect of SearchLeak was its simplicity from the victim’s perspective.
Employees only observed Copilot processing a request for a few moments. There were no obvious warning signs, suspicious pop-ups, or visible indicators that confidential information was leaving the environment.
The incident highlights a growing cybersecurity reality: artificial intelligence systems can amplify the impact of well-known vulnerability classes.
Traditional weaknesses such as:
- Prompt injection,
- SSRF vulnerabilities,
- HTML injection flaws,
- Race conditions,
can become significantly more dangerous when integrated into AI workflows capable of accessing sensitive enterprise data.
Security Lessons for Organizations Using AI
Although Microsoft has remediated CVE-2026-42824, SearchLeak serves as an important reminder that organizations adopting generative AI technologies must reassess existing threat models.
Security teams should prioritize:
- Continuous monitoring of AI-integrated business applications.
- Prompt injection testing during security assessments.
- Rigorous validation of AI output rendering mechanisms.
- Enhanced detection capabilities for abnormal data access patterns.
- Red team exercises specifically targeting AI-assisted workflows.
As enterprise adoption of AI accelerates, defenders must recognize that familiar vulnerabilities are evolving in unexpected ways. The convergence of generative AI, enterprise search capabilities, and legacy bug classes is creating entirely new attack paths—requiring organizations to adapt their cybersecurity strategies before threat actors do.