SearchLeak vulnerability allows data theft from Microsoft 365 Copilot Enterprise - (CVE-2026-42824)
June 24th, 2026
High
.jpg)
Our Cyber Threat Intelligence Unit is tracking a high-severity vulnerability chain, CVE-2026-42824, affecting Microsoft 365 Copilot Enterprise Search. It allows an unauthorized attacker to exfiltrate sensitive organizational data, including emails, calendar details, MFA codes, and indexed documents, through a single click on a crafted link pointing to a legitimate Microsoft domain. The attack technique, named SearchLeak, chains three weaknesses: a parameter-to-prompt (P2P) injection, an HTML rendering race condition, and a Content Security Policy bypass via Bing server-side request forgery (SSRF). No in-the-wild exploitation has been observed; this was demonstrated as a researcher's proof of concept by Varonis Threat Labs, and no weaponized exploit code has been publicly released. Microsoft has remediated the vulnerability on its backend as a managed service, and no tenant-side patching action is required.
Technical Details
Threat Type: Command Injection (CWE-77) with information disclosure over a network
CVE: CVE-2026-42824
Severity: High (NVD CVSS 3.1: 7.5)
Affected Component: Microsoft 365 Copilot Enterprise Search (M365 Copilot). Specifically, the q URL parameter in the Copilot Enterprise Search interface at m365.cloud.microsoft
Affected Product: Microsoft 365 Copilot Enterprise (exclusively hosted service; no on-premises component)
Attack Chain:
Initial Access: Attacker delivers a crafted URL pointing to a trusted m365.cloud.microsoft domain. Standard anti-phishing controls do not flag it. Delivery can occur via email, Teams, Slack, or any messaging channel.
P2P Injection: The q URL parameter passes attacker-controlled instructions directly to Copilot. Copilot executes them, searches the victim's mailbox, and formats extracted data into an image URL.
HTML Rendering Race Condition: Copilot's sanitizer wraps output in <code> blocks, but only after generation completes. During streaming, the browser renders raw HTML and fires the attacker's <img> tag before sanitization runs.
CSP Bypass via Bing SSRF: The attacker points the <img> tag to Bing's image search endpoint, which is CSP-allowlisted. Bing performs a server-side fetch to the attacker's URL, bypassing the browser-level CSP. Stolen data is embedded in the request path and logged server-side.
Post-Exploitation: The victim sees only a brief "thinking" state; the response may appear unusual. No indication of data exfiltration is generated. The attacker never authenticates to the victim's environment.
Impact
Exfiltration of email content including OTPs, MFA codes, and password-reset links, creating an immediate account takeover risk.
Exposure of calendar invites and meeting notes, usable for social engineering or corporate espionage.
Access to SharePoint and OneDrive files indexed by Copilot, including salary data, earnings reports, and acquisition plans.
The attack produces no indication of data exfiltration to the victim; stolen data may be acted upon before detection.
The attacker inherits the victim's full Microsoft Graph permissions without authenticating.
Detection Method
Copilot Search URL parameters: Alert on requests to m365.cloud.microsoft/search/ where the q parameter contains HTML tags or encoded characters (%3C, %3E, %22).
Bing image endpoint traffic: Flag outbound requests to bing.com/images/searchbyimage from Copilot sessions carrying a path segment matching /<exfiltrated_content>/img.png.
Exfiltration path patterns: Monitor WAF and server logs for GET requests matching /<exfiltrated_content>/img.png — a single path segment containing underscore-delimited stolen data (e.g., /Your_Security_Code_847291/img.png) — indicating successful data embedding in the exfiltration URL.
Purview audit logs: Enable Copilot activity logging in Microsoft Purview. Review for searches without user-initiated queries followed by outbound image requests.
SIEM correlation: Flag Copilot sessions that access mailbox, calendar, and files in rapid succession without a corresponding user query.
CSP allowlist review: Any allowlisted domain capable of server-side fetches on user-supplied URLs is a potential exfiltration channel.
Indicators of Compromise
There are no indicators of compromises observed.
Recommendations
Verify remediation status: Confirm your tenant reflects Microsoft's June 4, 2026, backend fix and no configuration rollback has occurred.
Restrict Copilot indexing scope: Limit what content Copilot Enterprise Search can index to reduce blast radius from future prompt injection attempts.
Monitor Copilot Search URL parameters: Alert on HTML tags or prompt-style instructions appearing in the q parameter via proxy or SIEM.
Audit Purview logs: Review Copilot activity for unprompted searches followed by outbound image requests to Bing endpoints.
User awareness: Advise users to treat links to m365.cloud.microsoft with complex or encoded q parameters with caution, even when the domain appears legitimate.
Review CSP allowlists: Audit all externally allowlisted domains for server-side fetch capability on user-supplied URLs as a standing risk review, beyond this CVE.
Extend SIEM detection to AI tools: Build detection rules for encoded payloads in URL parameters across all AI-integrated productivity tools, not only M365 Copilot.
Conclusion
CVE-2026-42824 demonstrates that AI integration in enterprise productivity platforms creates fundamentally new attack surfaces by making older, well-understood vulnerability classes newly exploitable at scale. Organizations running Microsoft 365 Copilot Enterprise should prioritize restricting Copilot's data access scope, implementing detection coverage for anomalous Copilot Search activity, and treating AI-delivered links with the same scrutiny applied to conventional phishing.