A significant security vulnerability in Microsoft 365 Copilot Enterprise has been identified, allowing attackers to steal sensitive corporate data, including multifactor authentication codes, email contents, and confidential files. The flaw can be exploited with a single click on a link that appears to come from a legitimate Microsoft domain.
Understanding the SearchLeak Vulnerability
Known as SearchLeak and discovered by Varonis Threat Labs, this vulnerability, tracked as CVE-2026-42824, received the highest severity rating from Microsoft before it was patched. Unlike typical flaws, SearchLeak is a combination of AI-specific and traditional web security issues, turning Microsoft 365 Copilot Enterprise Search into a covert data extraction tool.
SearchLeak is not a singular flaw but a chain of exploits that transforms Microsoft 365 Copilot Enterprise Search into a stealthy exfiltration channel. Varonis researcher Dolev Taler detailed how the attack leverages three separate vulnerabilities: a Parameter-to-Prompt (P2P) Injection, an HTML rendering race condition, and a Server-Side Request Forgery (SSRF) through Bing’s image search.
The Mechanics of the Exploit
Each vulnerability in the chain is of limited impact on its own, but combined they enable a one-click attack that can extract any accessible data from a targeted Microsoft 365 tenant. The attack requires no special permissions, plugins, or additional actions from the user.
The first stage exploits the P2P Injection, where the q URL parameter in Microsoft 365 Copilot Search is interpreted by the AI engine as executable instructions rather than just a search query. By crafting a malicious URL pointing to a trusted Microsoft domain, attackers can instruct Copilot to extract data and embed it into an image URL.
In the second stage, the attack exploits a race condition bypass. Although Copilot’s output is wrapped in blocks to prevent HTML from rendering, raw HTML is temporarily live in the DOM during the streaming phase. This allows the attacker’s injected tags to execute before sanitization occurs.
Server-Side Request Forgery Exploit
In the final stage, Bing’s image search feature, which accepts an imgurl parameter, is abused. Because Bing is on the CSP allowlist, it fetches the attacker-supplied imgurl on the server side and thereby relays the stolen data to the attacker’s server, circumventing the Content Security Policy entirely.
This sophisticated attack takes just one click on a crafted link sent through various communication channels. Once clicked, Copilot silently retrieves the victim’s data, embeds it in a Bing image URL, and transfers it to the attacker’s server instantly.
Mitigation and Future Implications
Microsoft has addressed the SearchLeak vulnerability on the server-side, requiring no action from users to receive the patch. However, Varonis advises security teams to monitor Copilot Search URLs for encoded payloads and audit CSP allowlists for domains that perform server-side fetches on user-supplied URLs.
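The two monitoring steps Varonis recommends can be turned into simple checks. The script below is an added example written for this article, not code from Varonis or Microsoft: it flags Copilot Search URLs whose q parameter carries HTML, a nested URL, an image-fetcher parameter or a long encoded run, and it audits a Content-Security-Policy header for fetch-capable directives that allowlist wildcards or a host that performs server-side fetches of user-supplied URLs. The Copilot Search hostname is a placeholder to replace with the host seen in your own proxy logs, the OPEN_FETCHER_HOSTS list contains only Bing (the one such host the article names), and the sample URLs and CSP header are constructed for the demonstration.

```python
"""Defensive checks for the article's two recommendations: spot Copilot Search
URLs carrying encoded or HTML payloads in q, and audit CSP allowlists for hosts
that fetch user-supplied URLs server-side.  Added example, not vendor code."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Placeholder: replace with the Copilot Search host(s) observed in your own logs.
COPILOT_SEARCH_HOSTS = {"copilot-search.example.invalid"}

# Hosts that relay a caller-supplied URL server-side.  Only Bing image search is
# named on the page; extend this set after reviewing your own CSP allowlist.
OPEN_FETCHER_HOSTS = {"www.bing.com", "bing.com"}

# Sources that make a fetch-capable directive effectively unrestricted.
UNRESTRICTED_SOURCES = {"*", "https:", "http:"}

HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][\w-]*[^>]*>")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # heuristic, tune the length
NESTED_URL = re.compile(r"https?://", re.IGNORECASE)
MAX_SANE_QUERY_LEN = 300                                # heuristic, tune per tenant


def inspect_search_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a P2P-injection attempt against
    Copilot Search.  An empty list means nothing suspicious was found."""
    parsed = urlparse(url)
    if parsed.hostname not in COPILOT_SEARCH_HOSTS:
        return []
    reasons = set()
    for q in parse_qs(parsed.query).get("q", []):
        q = unquote(q)  # second decode catches double-encoded payloads
        if HTML_TAG.search(q):
            reasons.add("html_tag_in_query")
        if BASE64_RUN.search(q):
            reasons.add("long_base64_run")
        if NESTED_URL.search(q):
            reasons.add("nested_url_in_query")
        if "imgurl=" in q.lower():
            reasons.add("image_fetcher_parameter")
        if len(q) > MAX_SANE_QUERY_LEN:
            reasons.add("oversized_query")
    return sorted(reasons)


def audit_csp(header: str) -> dict[str, list[str]]:
    """Map each fetch-capable CSP directive to the sources that weaken it:
    unrestricted wildcards/schemes, or hosts that relay user-supplied URLs."""
    findings: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name not in {"default-src", "img-src", "connect-src"}:
            continue
        weak = []
        for src in sources:
            s = src.strip().lower()
            if s in UNRESTRICTED_SOURCES or s.startswith("*."):
                weak.append(src)
                continue
            host = urlparse(s if "://" in s else "//" + s).hostname
            if host in OPEN_FETCHER_HOSTS:
                weak.append(src)
        if weak:
            findings[name] = weak
    return findings


# Constructed samples: one benign query, one carrying an image tag that points at
# Bing's imgurl relay, one with a long encoded run, one on an unrelated host.
SAMPLE_URLS = [
    "https://copilot-search.example.invalid/search?q=quarterly%20revenue%20report",
    "https://copilot-search.example.invalid/search?q=%3Cimg%20src%3D%22https%3A%2F%2F"
    "www.bing.com%2Fimages%2Fsearch%3Fimgurl%3Dhttps%3A%2F%2Fexample.invalid%2F%22%3E",
    "https://copilot-search.example.invalid/search?q=summarize%20"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlq",
    "https://www.example.invalid/search?q=%3Cimg%3E",
]
SAMPLE_CSP = ("default-src 'self'; img-src 'self' https://www.bing.com; "
              "connect-src 'self' https:")

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(inspect_search_url(u) or "clean", "<-", u[:70])
    print(audit_csp(SAMPLE_CSP))
```

The URL check is meant to run over proxy or email-gateway logs before a user clicks, since the article notes the patch is server-side and the link itself is the only artefact a defender sees; the CSP audit is a one-off review of your own policy for entries that turn an allowlisted host into a relay.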
These findings highlight the evolving threat landscape as AI tools introduce new vulnerabilities by reviving old weaknesses that were previously considered mitigated. It is crucial for organizations to adapt to these changes and ensure robust security measures.
