A vulnerability chain in Microsoft 365 Copilot Enterprise could have allowed attackers to steal sensitive corporate data with nothing more than a single click on a malicious link.
Varonis researchers found that SearchLeak abused Microsoft 365 Copilot search to access emails, meetings, security codes, and private files without account compromise or elevated privileges.
“Both Microsoft 365 Copilot attack variants we found rely on the same delivery method, a Copilot link containing a prompt injection,” said Dor Yardeni, director of cybersecurity research at Varonis, in an email to eSecurityPlanet.
He explained, “The first one we found targeted Copilot Personal, while the second extends the technique to Copilot Enterprise.”
Dor added, “It is important to note that the blast radius effectively spans everything the user can access: emails, documents, meeting data, and even security-related content.”
Key Takeaways about SearchLeak
- SearchLeak allowed attackers to potentially exfiltrate sensitive Microsoft 365 data with a single click on a malicious Copilot link.
- The vulnerability chain combined a parameter-to-prompt (P2P) injection flaw, an HTML rendering race condition, and a Bing-based SSRF vulnerability.
- Because Copilot operates with a user’s existing permissions, attackers could potentially access emails, files, meeting data, MFA codes, and other business-critical information.
- The attack leveraged trusted Microsoft domains, making malicious links more difficult for traditional phishing and URL filtering tools to detect.
- Microsoft has patched the vulnerability, but the research highlights the growing need for AI governance, access controls, and monitoring around enterprise AI platforms.
Why SearchLeak Matters
Microsoft 365 Copilot Enterprise can search across a user’s emails, calendars, SharePoint sites, OneDrive files, and other Microsoft 365 data.
Because Copilot operates with the user’s existing permissions, a successful attack could expose any information the victim is authorized to access.
How the Vulnerability Chain Works
Researchers found that the attack chain combined three separate vulnerabilities to enable silent data theft.
The first involved a parameter-to-prompt (P2P) injection flaw in Microsoft 365 Copilot Enterprise Search.
By embedding malicious instructions within a URL parameter, an attacker could trick Copilot into treating the input as a legitimate prompt and searching the victim’s mailbox, calendar, and organizational data on the attacker’s behalf.
The second stage exploited an HTML rendering race condition.
Although Microsoft had implemented safeguards designed to neutralize potentially dangerous HTML content, researchers discovered that AI-generated output could briefly render in the browser before those protections were applied.
This allowed malicious image tags to execute and initiate outbound requests before the content was sanitized.
The final stage leveraged a server-side request forgery (SSRF) vulnerability through Bing’s image-search functionality.
Because Bing was already allowlisted within Microsoft’s Content Security Policy (CSP), attackers could abuse the trusted service as an intermediary to retrieve and transmit data to attacker-controlled infrastructure without triggering many traditional security controls.
Potential Impact of the Attack Chain
Together, these vulnerabilities enabled attackers to silently exfiltrate sensitive information with a single click on a malicious link.
Potentially exposed data included email content, password reset links, multifactor authentication (MFA) codes, meeting details, SharePoint documents, OneDrive files, confidential business communications, and other indexed corporate data.
The attack was concerning because the malicious URLs pointed to legitimate Microsoft domains, making them less likely to be flagged by traditional anti-phishing, URL filtering, and email security solutions.
Microsoft has already released a patch to address the vulnerability chain.
How Organizations Can Mitigate Risk
Organizations using Microsoft 365 Copilot Enterprise should take steps to reduce the risk of AI-driven data exposure and prompt injection attacks.
- Verify that Microsoft 365 Copilot Enterprise is fully patched and review Microsoft’s guidance related to CVE-2026-42824.
- Monitor Copilot activity, Microsoft Graph access, and AI-generated searches for unusual behavior, suspicious prompts, or potential data exfiltration attempts.
- Apply least-privilege access controls and regularly review permissions for SharePoint, OneDrive, Exchange, Teams, and other Copilot-connected services.
- Use data classification, sensitivity labels, and data loss prevention (DLP) controls to reduce the exposure of sensitive information through AI-enabled workflows.
- Review Content Security Policy allowlists and investigate trusted services that could be abused to perform server-side requests or bypass security controls.
- Treat AI-generated output as untrusted content and conduct regular AI security assessments to identify prompt injection and data exposure risks.
- Test incident response plans and AI-specific attack scenarios, including prompt injection, unauthorized data access, and AI-assisted data exfiltration attempts.
Together, these measures can help organizations reduce exposure to AI-driven data theft while building resilience against prompt injection, unauthorized access, and future Copilot-related attack chains.
Bottom Line
SearchLeak serves as a reminder that AI platforms should be evaluated as high-value enterprise applications with access to sensitive data, not simply productivity tools.
The vulnerability also highlights how attackers are increasingly combining traditional web exploits with AI-specific attack techniques to bypass security controls and access business-critical information.
Growing AI adoption is driving organizations to strengthen AI governance around security, compliance, and responsible use.