Critical SearchLeak Flaw in Microsoft 365 Copilot Enabled One-Click Data Exfiltration
Varonis Threat Labs disclosed SearchLeak, a critical exploit chain in Microsoft 365 Copilot Enterprise Search that could let an attacker steal sensitive enterprise data after a user clicked a single trusted microsoft.com link. Microsoft tracked the issue as CVE-2026-42824 and remediated it on the backend. According to the researchers, the attack could expose data available through the victim’s Microsoft Graph permissions, including emails, calendar entries, meeting notes, SharePoint content, OneDrive files, and potentially MFA-related messages, though no in-the-wild exploitation was reported.
The technique chained three weaknesses: parameter-to-prompt injection through the Copilot Search q parameter, an HTML streaming race condition that allowed an injected image tag to render before sanitization, and abuse of a Bing allowlist in Content Security Policy to exfiltrate the retrieved data through Bing’s server-side image fetch behavior. Researchers said the attack required no plugins, elevated privileges, or second user interaction, highlighting how AI prompt injection can revive older web security flaws in enterprise platforms. Microsoft rated the flaw critical, while public severity scoring differed across sources, and defenders were advised to watch for suspicious Copilot Search URLs containing encoded or HTML payloads and unusual Bing image endpoint traffic.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft remediates SearchLeak as CVE-2026-42824
Microsoft remediated the SearchLeak issue on the backend and assigned it CVE-2026-42824, rating it critical. Reporting also noted differing severity scores between Microsoft and the National Vulnerability Database, and that no in-the-wild exploitation was observed.
Varonis discloses SearchLeak in Microsoft 365 Copilot
Varonis Threat Labs disclosed SearchLeak, a one-click exploit chain affecting Microsoft 365 Copilot Enterprise Search that could exfiltrate sensitive enterprise data accessible to the victim. The research described a chain involving parameter-to-prompt injection, an HTML rendering race condition, and Bing-based SSRF-assisted exfiltration.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
SearchLeak: Prompt-inject enterprise Copilot with a search - Pivot to AI
pivot-to-ai.com
Open sourceКритический баг в Copilot позволял похищать коды двухфакторной аутентификации - Хакер
xakep.ru
Open sourceCritical Copilot vulnerability allowed hackers to seal 2FA code from users - Ars Technica
arstechnica.com
Open sourceSearchLeak vulnerability allows data theft from Microsoft 365 Copilot Enterprise | brief | SC Media
scworld.com
Open sourceOne-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
thehackernews.com
Open sourceSearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon : r/netsec
reddit.com
Open sourceSearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon
varonis.com
Open sourceCopilot 'SearchLeak' Attack Allows 1-Click Data Theft
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EchoLeak Exposed Zero-Click Data Exfiltration in Microsoft 365 Copilot
Microsoft disclosed **CVE-2025-32711**, a critical information disclosure flaw in **Microsoft 365 Copilot** that researchers later detailed as **EchoLeak**, describing it as the first reported real-world **zero-click prompt injection** exploit in a production LLM system. The vulnerability carried a **CVSS 9.3** rating and allowed a remote, unauthenticated attacker to exfiltrate sensitive data over the network without user interaction, reportedly by sending a single crafted email that Copilot would process. Research describing the exploit said the attack chained multiple bypasses across LLM trust boundaries, including evasion of Microsoft’s XPIA classifier, use of reference-style Markdown to bypass link redaction, auto-fetched images, and abuse of a Microsoft Teams proxy allowed by content security policy to extract data. Microsoft said the issue had already been fully mitigated in the cloud service and required no customer action, while the broader research and follow-on reporting framed the incident as evidence that prompt injection and "AIjacking" can enable full data exfiltration in enterprise copilots unless controls such as prompt partitioning, stronger filtering, provenance-based access control, stricter CSPs, least privilege, and continuous adversarial testing are in place.
May 29, 2026
Microsoft Copilot flaws turned prompt injection into zero-click data theft
Researchers reported that vulnerabilities in Microsoft 365 Copilot and Consumer Copilot allowed attackers to turn prompt injection into data exfiltration, memory poisoning, and persistent compromise. Microsoft assigned `CVE-2026-24299` to the main issue set and rolled out fixes across late 2025 and early 2026, while a related Microsoft Excel flaw, `CVE-2026-26144`, showed how a conventional application bug could be chained with Copilot Agent mode to silently extract spreadsheet data. In the Copilot attacks, malicious content abused HTML preview rendering to leak sensitive information through external requests, first with CSS background images and later with `@font-face`, and researchers said users could be coerced into triggering the preview during normal interaction, creating a near zero-click exfiltration path. The research also showed that Copilot’s memory features could be poisoned to add or delete stored facts and implant persistent instructions that altered future sessions, enabling a backdoor dubbed **SpAIware** that continued leaking secrets over time. Similar issues were described in consumer Copilot, including durable-memory manipulation and browser-navigation exfiltration through Edge-integrated tooling. The findings underscore a broader security shift: AI assistants can collapse trust boundaries inside host applications, raising the impact of older flaws and forcing defenders to reassess assistant permissions, restrict outbound network access from AI-enabled apps, and separately monitor AI-initiated network activity.
May 4, 2026
Microsoft Fixes Copilot, Azure, and Bing Images Flaws Including Critical RCE
Microsoft disclosed a set of security flaws affecting cloud and AI services, including **Microsoft 365 Copilot**, **Microsoft Copilot**, **Microsoft 365 Copilot BizChat**, **Azure DevOps**, **Azure Cloud Shell**, **Azure Data Factory**, **Microsoft Bing**, and **Microsoft Bing Images**. The issues span **information disclosure**, **elevation of privilege**, **tampering**, and **remote code execution**, with published identifiers including `CVE-2026-24299`, `CVE-2026-26136`, `CVE-2026-26137`, `CVE-2026-23658`, `CVE-2026-32169`, `CVE-2026-23659`, `CVE-2026-26120`, and `CVE-2026-32191`. Germany's dCERT separately highlighted multiple vulnerabilities in **Microsoft 365 Copilot**, underscoring enterprise concern around AI-assisted productivity platforms. The most severe issue in the group is **`CVE-2026-32191`**, a **critical remote code execution** flaw in **Microsoft Bing Images**. Public reporting tied the bug to **OS command injection** caused by improper neutralization of special elements in a command, potentially allowing an unauthenticated attacker to execute code over a network. Additional Bing exposure was tracked as **`CVE-2026-26120`**, a tampering vulnerability, while the Copilot-related flaws included both **information disclosure** and **privilege escalation**, indicating risk to data confidentiality and tenant-level access boundaries across Microsoft's hosted services.
Jun 19, 2026