A critical vulnerability chain in Microsoft 365 Copilot Enterprise has been fully patched after security researchers demonstrated that a single click on a legitimate Microsoft domain link could silently exfiltrate sensitive corporate data, including MFA codes, email contents, calendar details, and confidential files, with no further user interaction required.
Dubbed SearchLeak and tracked as CVE-2026-42824, the flaw was uncovered by Varonis Threat Labs researcher Dolev Taler and earned Microsoft’s maximum severity rating. The vulnerability has since been remediated entirely on the server side, requiring no action from end users.
SearchLeak chains three distinct weaknesses into a seamless, one-click data theft path: a Parameter-to-Prompt (P2P) Injection, an HTML rendering race condition, and a CSP bypass via Bing Server-Side Request Forgery (SSRF).
Because the attack originates from a real microsoft.com domain, conventional anti-phishing tools and URL filters fail to flag it entirely. No plugins, no elevated permissions, and no second click are required from the victim.
Stage 1: Parameter-to-Prompt Injection
Microsoft 365 Copilot Search accepts a q URL parameter designed for natural language queries. The critical flaw is that values passed to this parameter are interpreted by Copilot’s AI engine not merely as search strings but as executable instructions.
An attacker crafts a malicious URL resolving to a trusted microsoft.com domain, instructing Copilot to search the victim’s mailbox and embed extracted data within an image URL. Because the link points to a legitimate Microsoft domain, traditional anti-phishing filters provide no defense, giving the attack a clean delivery vector.
Stage 2: Racing the Guardrail
Microsoft’s primary mitigation against dangerous AI-generated HTML involves wrapping Copilot output in <code> blocks to prevent browsers from rendering it as live markup. However, this sanitization only occurs after Copilot completes its generation phase.
During the streaming phase, raw HTML including attacker-injected <img> tags is temporarily rendered live in the DOM. The browser fires the embedded HTTP request before the sanitizer ever activates. This is a textbook race-condition bypass, exploiting the gap between content generation and sanitization.
Stage 3: SSRF via Bing’s Image Search
The victim’s browser is blocked from directly contacting attacker-controlled infrastructure due to the Content Security Policy (CSP) enforced on m365.cloud.microsoft. However, *.bing.com is CSP-allowlisted.
Bing’s “Search by Image” feature accepts an imgurl parameter and performs a server-side fetch of the provided URL. The attacker encodes stolen data directly into the path of a Bing image-search URL, and Bing’s backend unknowingly relays the exfiltrated payload to the attacker’s server, bypassing the CSP entirely.
According to Varonis, a full exploit requires nothing more than a crafted link distributed via email, Microsoft Teams, Slack, or any messaging channel.
Upon clicking, Copilot silently queries the victim’s mailbox, generates a response with stolen data embedded in a Bing image URL, and the attacker’s server logs the exfiltrated information all within seconds.
Mitigation
Microsoft has fully patched SearchLeak server-side. Varonis recommends that security teams take the following steps:
- Monitor Copilot Search URLs for encoded payloads in the
qparameter containing HTML or image-embedding instructions - Audit CSP allowlists for any domain that performs server-side fetches on user-supplied URLs
- Treat AI streaming output as untrusted; sanitization must occur at render time, not as a post-processing step
- Alert users to inspect Microsoft 365 links containing long, encoded query strings before clicking
SearchLeak follows Varonis’ earlier discovery of Reprompt, a similar single-click exploit targeting Microsoft Copilot Personal, reinforcing that AI-native attack surfaces are becoming an increasingly prominent security frontier that demands dedicated defensive strategies beyond traditional perimeter controls.
No Comment! Be the first one.