A critical security vulnerability in Microsoft 365 Copilot Enterprise, identified as CVE-2026-42824 and dubbed “SearchLeak,” has been discovered, allowing attackers to exfiltrate sensitive corporate data with a single click. This flaw enables unauthorized access to multi-factor authentication (MFA) codes, email contents, calendar details, and confidential files by exploiting a legitimate Microsoft domain link.
Uncovered by Varonis Threat Labs, the vulnerability combines three distinct weaknesses into a chained exploit, transforming Copilot Enterprise Search into a silent data exfiltration tool. The attack sequence involves:
Microsoft 365 Copilot Vulnerability Chain
Stage 1 — Parameter-to-Prompt (P2P) Injection: The attack begins by manipulating the ‘q’ URL parameter in Microsoft 365 Copilot Search. Instead of treating the parameter as a simple search query, Copilot’s AI engine interprets it as executable instructions. An attacker crafts a malicious URL pointing to a trusted Microsoft domain, instructing Copilot to search the victim’s mailbox and embed the extracted data within an image URL. Due to the link’s association with a legitimate Microsoft domain, traditional anti-phishing tools fail to detect the threat.
Stage 2 — HTML Rendering Race Condition: Microsoft attempts to mitigate dangerous AI-generated HTML by wrapping Copilot’s output in `` blocks, preventing browsers from rendering it as active markup. However, during the streaming phase of Copilot's response generation, raw HTML—including attacker-injected `` tags—is temporarily rendered live in the Document Object Model (DOM). This creates a race condition where the browser processes the malicious HTML before the sanitizer activates, allowing the attack to proceed.
Stage 3 — Server-Side Request Forgery (SSRF) via Bing: The victim's browser is restricted from directly contacting attacker-controlled servers due to the Content Security Policy (CSP) on `m365.cloud.microsoft`. However, `*.bing.com` is CSP-allowlisted. By exploiting Bing's "Search by Image" feature, which accepts an `imgurl` parameter and performs a server-side fetch of the provided URL, the attacker embeds the stolen data directly in the path of this Bing image-search URL. Consequently, Bing's backend inadvertently relays the stolen data to the attacker's server, effectively bypassing the CSP.
The complete attack requires only a crafted link sent via email, Teams, Slack, or any messaging platform. When clicked, Copilot silently searches the victim's mailbox, generates a response with embedded stolen data in an image URL, and transmits it to the attacker's server without any further user interaction.
Microsoft has acknowledged the severity of this vulnerability and has since released a patch to address the issue. Organizations utilizing Microsoft 365 Copilot Enterprise are strongly advised to apply the latest security updates promptly to mitigate potential risks.
This incident underscores the evolving nature of cyber threats targeting AI-powered tools. As enterprises increasingly integrate AI assistants into their workflows, it becomes imperative to implement robust security measures and remain vigilant against sophisticated attack vectors that exploit these advanced technologies.
