Full Report
A single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot Enterprise Search. Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were
Analysis Summary
# Vulnerability: SearchLeak (One-Click Data Exfiltration in Microsoft 365 Copilot)
## CVE Details
- **CVE ID:** CVE-2026-42824
- **CVSS Score:** 6.5 (Medium/Microsoft) | 7.5 (High/NVD)
- **CWE:** CWE-77 (Improper Neutralization of Special Elements used in a Command / Command Injection), CWE-367 (Time-of-check to Time-of-use Race Condition)
## Affected Systems
- **Products:** Microsoft 365 Copilot Enterprise Search
- **Versions:** Cloud-based managed service (All versions prior to June 2026 mitigation)
- **Configurations:** Environments where Enterprise Search is enabled and users have access to sensitive data via Microsoft Graph.
## Vulnerability Description
SearchLeak is a vulnerability chain consisting of three interconnected flaws:
1. **Parameter-to-Prompt Injection:** The `q` parameter in the Copilot Search URL, intended for natural language queries, is interpreted by the AI as direct instructions. An attacker can craft a URL that instructs Copilot to search private data and embed the results into an image tag.
2. **Sanitization Race Condition:** Microsoft’s guardrail wraps output in `<plaintext>` blocks to prevent browser rendering. However, because the browser renders the stream as it arrives, there is a window where the injected `<img>` tag is processed and executes a network request before the closing sanitization tags are applied.
3. **CSP Bypass via SSRF (Server-Side Request Forgery):** To exfiltrate data, attackers bypass the Content Security Policy (CSP) by pointing the image source to a Bing "Search by Image" endpoint. Since `*.bing.com` is allowlisted, the browser allows the request; Bing’s infrastructure then fetches the attacker's URL, encoding stolen data (like email subjects) in the request path and acting as an exfiltration proxy.
## Exploitation
- **Status:** PoC available (Demonstrated by Varonis Threat Labs); not observed in the wild.
- **Complexity:** Medium (Requires crafting a specific multi-stage URL).
- **Attack Vector:** Network (Phishing/Social Engineering via a trusted `microsoft.com` link).
## Impact
- **Confidentiality:** High (Access to emails, MFA codes, password reset links, SharePoint/OneDrive files, and calendar details).
- **Integrity:** None (The attack is focused on data exfiltration).
- **Availability:** None.
## Remediation
### Patches
- **Vendor Mitigation:** Microsoft has applied backend mitigations across the Microsoft 365 environment. Because this is a managed SaaS product, no manual patching is required by tenant administrators.
### Workarounds
- **User Awareness:** Educate users to be cautious of unsolicited links, even those pointing to legitimate `microsoft.com` or `cloud.microsoft` domains.
## Detection
- **Indicators of Compromise:**
- Copilot Search URLs containing encoded HTML, Markdown, or suspicious instructional strings (e.g., "search for," "embed in image") in the `q` parameter.
- Unusual outbound requests to Bing image search endpoints containing long, encoded strings.
- **Detection Methods:** Monitor web proxy logs and Microsoft 365 audit logs for anomalous Copilot activity or highly structured queries initiated via URL parameters.
## References
- **Microsoft Security Response Center:** [https://msrc.microsoft[.]com/update-guide/vulnerability/CVE-2026-42824]
- **Varonis Research:** [https://www.varonis[.]com/blog/searchleak]
- **NVD Entry:** [https://nvd.nist[.]gov/vuln/detail/CVE-2026-42824]