SearchLeak (CVE-2026-42824): one click turns M365 Copilot into a data-theft proxy

What is this?

On June 15, 2026, Varonis Threat Labs published the exploitation mechanics behind CVE-2026-42824, an information-disclosure flaw in Microsoft 365 Copilot Enterprise Search that they named SearchLeak. When Microsoft shipped the CVE on its June Patch Tuesday it gave only the weakness class and impact; we logged it at the time but noted the mechanics were withheld. Varonis has now filled that gap with a documented proof-of-concept.

The result: a single click on a link pointing to a genuine microsoft.com domain could exfiltrate a victim’s emails, calendar entries, meeting notes and indexed SharePoint/OneDrive files — including one-time passcodes and MFA codes sitting in their inbox — with no prompt to the user and no second interaction. Microsoft assigned it a critical rating; the CVSS scores disagree (6.5 from Microsoft, 7.5 from the NVD). Microsoft mitigated it server-side at the start of June 2026, and Varonis reported a PoC only, with no observed exploitation in the wild.

How it works

SearchLeak is interesting precisely because no single bug in it is novel. It chains one AI-specific weakness onto two well-worn web bugs, and each link enables the next.

1. Parameter-to-Prompt (P2P) injection. Copilot Enterprise Search reads its q URL parameter — meant for a natural-language query — as instructions rather than as a search string. A crafted link can therefore tell Copilot to search the signed-in user’s mailbox, take a field such as an email subject, and embed it in an image URL. The victim types nothing; clicking the link is enough.
2. HTML rendering race condition. Microsoft’s guardrail wraps Copilot output in <code> blocks so markup renders as inert text. But the wrapping is applied after generation completes, while the browser renders the stream as it arrives. An injected <img> tag is drawn and fires its request before the sanitizer runs.
3. CSP bypass via Bing SSRF. The Content-Security-Policy on m365.cloud.microsoft blocks images from arbitrary domains but allowlists *.bing.com. Bing’s “Search by Image” endpoint accepts an image URL and fetches it server-side. Pointed at an attacker server with stolen text encoded in the path, Bing retrieves it — and because the request originates from Bing’s infrastructure, the browser CSP never applies. Bing becomes an unwitting exfiltration proxy.

Put together: the victim clicks, Copilot searches their data, the streamed response embeds a value such as an email subject in a Bing image URL, the browser calls Bing mid-stream, and Bing pulls the attacker’s URL. The attacker reads the secret off their own server logs. From the victim’s side, all they see is Copilot “thinking” for a moment. No payload is reproduced here; none is needed to understand the lesson.

Why it matters

Copilot Enterprise can reach whatever the signed-in user can through their Microsoft Graph access, and SearchLeak lets an attacker inherit that reach without ever authenticating. The highest-value target is the inbox: one-time codes, MFA codes and password-reset links often remain valid for minutes, long enough to script an account takeover before anyone notices. The same access touches calendars, meeting notes and any indexed file holding salary data, earnings figures or deal plans.

The structural point is the one Varonis stresses: prompt injection reanimates old, normally-contained bug classes. SSRF and sanitizer races are decades old and usually low-impact; the new P2P-injection primitive makes them reachable in a context where they suddenly aren’t. This is the same shape as EchoLeak (CVE-2025-32711) in 2025 and the earlier Reprompt technique against Copilot Personal, and it rhymes with our coverage of CoPirate 365 and ShareLeak in Copilot Studio. It is also the lethal trifecta in production: private data, untrusted content, and an outbound channel, all in one turn.

Defenses

SearchLeak is fixed server-side, and because Copilot Enterprise is a managed service, tenant admins cannot patch the components that failed. What you can do is detect and shrink blast radius:

• Monitor for the injection signature. Watch for Copilot Search URLs carrying encoded payloads or HTML in the q parameter, and for unusual outbound requests to Bing image endpoints correlated with Copilot sessions.
• Minimize what Copilot can index. Tighten data-access governance and apply least-privilege to the connectors and sites Copilot indexes — every file it cannot see is a file a future leak cannot reach.
• Treat model output as untrusted input downstream. The root cause is markup from an LLM response acting on a browser sink before neutralization. Architecturally, render-then-sanitize is unsafe; sanitize before any streamed token can trigger a fetch, and constrain CSP allowlists (an allowlisted domain with an SSRF fetch primitive is an exfiltration channel).
• Reduce the value of leaked secrets. Phishing-resistant authentication (passkeys/FIDO2) blunts the theft of one-time and MFA codes that makes this chain dangerous.
• User-side hygiene. A link on a legitimate microsoft.com domain defeats anti-phishing and URL filtering, so URL reputation is not a control here. Treat unsolicited Copilot Search links as you would any unsolicited action link.

Status

Item	Value
Identifier	CVE-2026-42824 (“SearchLeak”)
Affected	Microsoft 365 Copilot Enterprise Search
Class	Prompt injection → HTML render race → Bing SSRF (CSP bypass)
Impact	Information disclosure / one-click data exfiltration
Severity	Microsoft: critical · CVSS 6.5 (MSRC) / 7.5 (NVD)
Disclosed	June 15, 2026 (Varonis Threat Labs)
Patch	Mitigated server-side, early June 2026 — no customer action required
In the wild	No observed exploitation; PoC only