A Single Click Turned Copilot Into an Exfiltration Tool
Varonis Threat Labs disclosed on June 15 a vulnerability chain it calls SearchLeak, which Microsoft has now patched under CVE-2026-42824 with a critical severity rating. The flaw turned Microsoft 365 Copilot Enterprise Search into a one-click data exfiltration weapon. A victim only had to click a link pointing at microsoft.com, and Copilot would quietly search their mailbox, calendar, and indexed organizational content, then ship the results to an attacker-controlled server. From the user's point of view, nothing happened beyond Copilot appearing to think for a moment.
The detail that should worry every CISO is the trust boundary the attack abused. As Varonis put it, the malicious link points to a trusted domain, microsoft.com, so traditional anti-phishing and URL protection tools do not block or filter it. The entire premise of layered email defense is that you can score and quarantine suspicious links. SearchLeak sidesteps that premise by riding inside the vendor's own first-party surface, where every reputation system on the market gives it a pass. That is the structural problem AI assistants keep surfacing: the assistant has more access than the user, and it acts on instructions it cannot reliably distinguish from data.
How the Three-Stage Chain Worked
SearchLeak stitched together three distinct weaknesses. The first was a parameter-to-prompt injection: the q parameter in the Copilot Enterprise Search URL was passed directly to Copilot as an executable prompt rather than a benign search string. That alone let an attacker plant instructions. The second was an HTML rendering race condition, in which an embedded img tag fired before Copilot's output sanitizer wrapped the response in safe code blocks, opening a window during the streaming phase where attacker markup actually rendered in the victim's session.
The third stage solved the hard part, getting data out past Microsoft's Content Security Policy. Varonis abused Bing's image-search endpoint, which is allowlisted in the CSP, to perform a server-side request forgery. Bing fetched an attacker-controlled URL on the server side, and the stolen data rode out in the request path. The exfiltrated material in the proof of concept included email subjects and bodies, multifactor authentication codes, meeting details, SharePoint documents, and OneDrive files. Each individual bug looks modest. Chained, they produced silent, zero-interaction theft of an organization's most sensitive content.
Why Server-Side Patching Is Not the End of the Story
Microsoft fixed SearchLeak on its backend, so customers do not need to take action and there is no client update to deploy. Varonis was careful to note it demonstrated a proof of concept and did not observe exploitation in the wild. That is genuinely good news, and it reflects the one upside of cloud-delivered AI: the vendor can remediate every tenant at once without waiting for patch cycles. For a vulnerability this severe, centralized control is exactly what you want.
We would caution executives against reading the quiet fix as the end of the matter. SearchLeak is the latest in a steady run of prompt-injection and exfiltration findings against enterprise AI assistants, and the underlying pattern is not patched away by closing one img-tag race or one Bing SSRF. The assistant still ingests untrusted text, still holds broad data access, and still has rendering and outbound-fetch surfaces that researchers will keep probing. Each disclosure is one researcher's variant of the same class of bug, and attackers are studying the same playbook.
The Governance Gap This Exposes for CIOs
The harder question for technology leaders is one of visibility and control rather than this specific CVE. When a Copilot tenant can be steered to read a user's mailbox and SharePoint corpus through a crafted link, the blast radius is defined by how much you have indexed and how loosely you have scoped permissions. Organizations that pushed Copilot broadly without first tightening access, the classic oversharing problem Varonis has documented for years, would have handed SearchLeak a far larger pile of data to vacuum up. The vulnerability is Microsoft's, but the exposure is yours.
This is where the editorial line matters. AI assistants are being deployed at a pace that outruns the data-governance work that should precede them. SearchLeak is a reminder that least-privilege, careful indexing scope, and continuous monitoring of what the assistant can actually reach are not optional hardening tasks to revisit later. They are the difference between a contained incident and a tenant-wide breach when the next chain lands. Treat your Copilot deployment as a privileged identity, because that is exactly what an attacker who reaches it will treat it as.
What Enterprises Should Do Now
Even with the server-side fix in place, there are concrete steps worth taking. Review the scope of content Copilot is allowed to index and search, and pull back any oversharing that grants it access beyond what each user legitimately needs. Audit your sensitivity labeling and data loss prevention coverage so that the most damaging material, credentials, MFA codes, and regulated records, is not sitting in the easiest place for an assistant to surface. Where possible, enable logging that captures Copilot's search and retrieval actions, so a future incident leaves a trail you can actually investigate.
Finally, fold AI assistants into your threat model as a first-class attack surface rather than a productivity feature bolted onto the side. Prompt injection, rendering races, and allowlist abuse are now recurring categories, and they will not stay confined to Microsoft's stack. The vendors will keep patching, and we should expect them to. But the durable defense is architectural: scope the data, watch the access, and assume that any AI surface reachable by a link is a surface an attacker will eventually learn to drive. Build the muscle now, while the disclosures are still proofs of concept rather than active campaigns, because the gap between a researcher demonstrating a chain and a criminal weaponizing it has been shrinking across every category of software, and there is no reason to expect AI assistants to be the exception that buys you time.
