TL;DR
- Patched Flaw: Microsoft patched CVE-2026-42824 after Varonis demonstrated the SearchLeak proof of concept.
- Attack Chain: The chain used a Microsoft 365 search URL, Copilot retrieval, raw HTML rendering, and Bing image fetches.
- Data Exposure: SearchLeak could reach two-factor codes, emails, meeting details, SharePoint files, and OneDrive content accessible to a user.
- Admin Control: Security teams should limit AI-accessible stores, while public evidence showed no active exploitation at disclosure.
Microsoft has patched CVE-2026-42824 after security researchers at Varonis Threat Labs demonstrated a SearchLeak proof-of-concept against its enterprise search assistant. The attack chain could push that assistant toward two-factor authentication codes and other business data the signed-in user could already access.
SearchLeak targeted Microsoft 365 Copilot Enterprise Search rather than consumer Copilot. It could surface email content, access codes, passwords, calendar events, meeting details, SharePoint documents, OneDrive files, and other indexed business data. At disclosure, the case remained a proof of concept rather than a confirmed breach, with no active exploitation identified in the public advisory.
Practical exposure comes from the permission model. Inherited Microsoft 365 access defines what Copilot may retrieve, but that scope can still include mailbox data, meeting notes, shared files, and authentication messages. Tenant scoping and routine access reviews become part of the mitigation work because the assistant’s search layer inherits existing business-data boundaries rather than creating new ones.
How SearchLeak Reached Copilot Data
A crafted Microsoft 365 search URL could turn the q parameter, the search query field in the URL, into instructions for Copilot. After a target clicked the link, Copilot could treat those instructions as part of the search task and retrieve mailbox or organizational content available to that user. The search URL looked like a normal Microsoft 365 entry point while carrying model instructions inside the query field.
SearchLeak could retrieve 2FA codes and sensitive data from emails accessible to Copilot. Legitimate access created the risk: if the user’s account could see a code, meeting note, or document, the attack tried to make Copilot find it. Security researchers at Varonis Threat Labs emphasized that limited attacker instructions became useful when the signed-in user reached important information.
During response streaming, Copilot could briefly render raw HTML in the browser before the final answer was wrapped in code blocks. Brief rendering mattered because an image request could leave before the guardrail changed the output format. SearchLeak then used Bing image search as a Microsoft-controlled relay toward an attacker-chosen domain, turning a trusted image-fetch path into the outbound leg of the attack chain.
“Bing becomes an unwitting exfiltration proxy. A classic SSRF, hiding in plain sight behind a CSP allowlist entry.”
Varonis researchers
Server-side request forgery means the server performs the fetch, while Content Security Policy is the browser rule that defines permitted content sources. In plain terms, SearchLeak did not need Copilot to send an email or submit a form; it needed a brief rendering window and a trusted image-fetch path.
Patch Status, Prior Copilot Incidents, and Mitigation
Microsoft’s backend fix means customers were not asked to take direct patching action for the specific SearchLeak issue. Assistants that combine external input, internal data retrieval, and rendered output need controls at each boundary, not only at the final answer. Prompt isolation, output sanitization, and tighter indexing scope all address different parts of the same chain.
Reprompt, an earlier case in the same family of Copilot attacks, used the q URL parameter, which makes SearchLeak’s URL-field abuse familiar rather than isolated. EchoLeak, a 2025 Microsoft 365 Copilot flaw, provides a separate data-exfiltration precedent through crafted email content. Microsoft’s prior warning on cross-prompt injection risks fits the same control problem: untrusted instructions can collide with trusted enterprise data or actions.
SearchLeak’s Copilot attack chain sits in a broader class of enterprise-assistant risks. Enterprise assistants can combine outside input, internal data access, rendered output, and action-capable workflows in one place. Operational mitigation centers on reducing unnecessary AI-accessible data and treating assistants as part of the attack surface.
Unnecessary exposure of sensitive enterprise data could have widened SearchLeak’s reach. Encoded Copilot Enterprise Search query parameters and Bing image endpoint traffic also give security teams concrete signals to monitor. Mailboxes, SharePoint sites, OneDrive files, and meeting notes that remain searchable by the assistant can feed a SearchLeak-style prompt, while each removed store reduces that queryable surface.
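One way to act on the encoded-query signal mentioned above is to decode the q parameter in proxy or click logs and flag values that do not look like ordinary searches. The sketch below is an added example, not code from Varonis or Microsoft; the host name, thresholds, and sample URLs are constructed assumptions, and it covers only the query-parameter signal, not Bing image endpoint traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Assumption: placeholder host; use the search entry point seen in your own proxy logs.
SEARCH_HOSTS = {"m365-search.example"}
MAX_Q_LEN = 200  # assumed threshold; ordinary search queries are short
MARKUP = re.compile(r"<\s*(img|a|iframe|script|style)\b|\bsrc\s*=", re.I)
EMBEDDED_URL = re.compile(r"(https?:)?//[\w.-]+\.[a-z]{2,}", re.I)

# Constructed sample log URLs (not real traffic): benign, suspicious, out of scope.
SAMPLE_URLS = [
    "https://m365-search.example/search?q=quarterly%20budget%20review",
    "https://m365-search.example/search?q=PLACEHOLDER%2520text%2520%253Cimg%2520src%253D%252F%252Fcollector.example%252Fp%253E",
    "https://other.example/search?q=%3Cimg%20src%3Dx%3E",
]

def fully_decode(value, max_rounds=5):
    """Undo repeated percent-encoding; return (decoded text, rounds needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def score_search_url(url):
    """Return the reasons a search URL's q parameter looks abnormal."""
    parts = urlsplit(url)
    if parts.hostname not in SEARCH_HOSTS:
        return []
    reasons = []
    for q in parse_qs(parts.query).get("q", []):  # parse_qs already decodes once
        text, extra = fully_decode(q)
        if extra:
            reasons.append("q is encoded more than once")
        if len(text) > MAX_Q_LEN:
            reasons.append("q is unusually long")
        if MARKUP.search(text):
            reasons.append("q contains HTML markup")
        if EMBEDDED_URL.search(text):
            reasons.append("q contains an embedded URL")
    return sorted(set(reasons))

def flag_urls(urls):
    # Map each flagged URL to its reasons; unflagged URLs are omitted.
    return {u: r for u in urls if (r := score_search_url(u))}

if __name__ == "__main__":
    for url, why in flag_urls(SAMPLE_URLS).items():
        print(url, "->", "; ".join(why))
```

Hits from a heuristic like this are triage leads rather than verdicts, so the length threshold and markup patterns should be tuned against the tenant's normal search traffic.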

