https://www.varonis.com/blog/searchleak
Varonis Threat Labs has disclosed a critical vulnerability chain dubbed SearchLeak that transforms Microsoft 365 Copilot Enterprise Search into a silent data exfiltration tool, capable of extracting emails, security codes, calendar entries, SharePoint documents, and OneDrive files from a victim’s account with nothing more than a single click on an unsuspicious link. The attack chain combines three distinct weaknesses: a relatively new AI-specific vulnerability class known as Parameter-to-Prompt Injection, an HTML rendering race condition, and a server-side request forgery exploit abusing Bing’s image search infrastructure. Microsoft has since remediated the vulnerability under CVE-2026-42824, assigning it a maximum severity rating of critical, though the disclosure underscores the increasingly dangerous intersection between AI assistant capabilities and classic web security weaknesses.
The first stage of the attack exploits the fact that Microsoft 365 Copilot Enterprise Search passes the URL query parameter directly to Copilot’s AI engine as an executable prompt rather than treating it purely as a search string. An attacker crafts a malicious URL instructing Copilot to search the victim’s emails and embed the extracted content within an image URL, meaning the victim need only click the link for Copilot to silently harvest and prepare their data for exfiltration. The second stage exploits a race condition in Microsoft’s output sanitisation process, whereby raw HTML including an embedded image tag is temporarily rendered in the browser’s DOM during Copilot’s streaming response phase before the guardrail wraps the output in code blocks. Because the browser fires the image request the moment it encounters the tag during streaming, the data leaves the victim’s environment before the sanitiser ever activates, rendering the post-processing mitigation entirely ineffective.
The third and final stage resolves the obstacle posed by the Content Security Policy on the Microsoft 365 domain, which restricts which external domains the browser is permitted to load images from and would ordinarily block a direct request to an attacker-controlled server. The researchers discovered that Bing’s image search endpoint, which is explicitly allowlisted in the Content Security Policy given its status as a Microsoft-owned domain, accepts a URL parameter and performs a server-side fetch of that URL from Bing’s own infrastructure to analyse the image. By pointing the injected image tag at Bing’s search-by-image endpoint with the stolen data embedded in the URL path, the attacker effectively transforms Bing into an unwitting exfiltration proxy, with Bing’s backend silently forwarding the request containing the victim’s data to the attacker’s server entirely outside the reach of the browser’s content security controls. Because the malicious link points to a trusted Microsoft domain, traditional anti-phishing and URL protection tools offer no protection against the attack.