Varonis Threat Labs has disclosed SearchLeak, a patched vulnerability chain in Microsoft 365 Copilot Enterprise Search that could have let an attacker steal workplace data after a victim clicked a crafted Microsoft link. The issue, tracked by Microsoft as CVE-2026-42824, was remediated before the public write-up, and public reporting has not pointed to known exploitation in the wild.
The important part is not just that Copilot had a bug. Varonis described a three-stage chain that joins an AI-specific prompt-injection problem with older web security failure modes: a rendering race condition and a server-side request forgery path through Bing image search. Together, those pieces could turn Copilot’s ability to search a user’s Microsoft 365 data into an exfiltration route.
How the SearchLeak chain worked
The attack started with the q parameter in a Microsoft 365 Copilot Search URL. That parameter is supposed to carry a search query, but Varonis found that Copilot Enterprise Search could interpret the value as instructions. In the researchers’ proof of concept, a link could tell Copilot to search the user’s mailbox or indexed workplace data and place the result into an image URL.
That first step is what Varonis calls Parameter-to-Prompt injection. It is a small but consequential shift from traditional search security: the attacker does not need to upload malware or trick the user into typing a prompt. The user clicks a link on a legitimate Microsoft domain, and the AI layer treats the embedded query as a command.
The second step depended on timing. Copilot’s output guardrail was intended to wrap risky markup so the browser would treat it as text. During streaming, however, the browser could briefly render an injected <img> tag before the final sanitized output appeared. If that image tag fired an HTTP request during the stream, the sensitive value encoded into the URL could leave before the guardrail had finished its work.
The third step used Bing as the route around the browser’s Content Security Policy. The Microsoft 365 page allowed image loads from Bing, and Bing’s search-by-image endpoint could fetch an image URL from a server-side Microsoft system. By placing the stolen value inside an attacker-controlled image URL that Bing would fetch, the attacker could make the data appear in server logs without the victim authenticating to the attacker’s site.
Why Copilot search changes the blast radius
SearchLeak matters because Microsoft 365 Copilot Enterprise Search is not just a chatbot window. It sits on top of workplace data that can include Outlook messages, calendar entries, SharePoint documents, OneDrive files, meeting notes, and other material available through Microsoft Graph permissions. If a user can search it, Copilot may be able to surface it.
That makes the victim’s normal access the boundary of the attack. A compromised junior account might expose only limited files. A finance, legal, executive, HR, or IT account could expose acquisition plans, salary spreadsheets, reset links, one-time passcodes, internal incident notes, or confidential customer information. The attacker does not need broad tenant privileges if the user who clicks the link already has valuable access.
This is also why the issue is different from a conventional phishing page. A familiar-looking Microsoft link is harder for URL filters and users to judge, and the data theft happens through a chain of trusted components: Copilot Search, the browser, Microsoft’s own image-search infrastructure, and the user’s existing permissions. The weak point is the way those systems compose, not a single obviously malicious destination.
What defenders can still learn from a patched bug
Microsoft’s server-side remediation means customers do not have a software package to install for this specific issue. The lesson for security teams is broader: enterprise AI search needs to be treated as an access path, a rendering surface, and an exfiltration surface at the same time.
Administrators should review how much sensitive data Copilot can index, especially in broad SharePoint sites, overshared OneDrive folders, group mailboxes, and executive or finance workspaces. Least-privilege cleanup is not only a governance chore; it reduces the damage if a future AI-search flaw exposes whatever a user can reach.
Detection should also look for suspicious Copilot Search URLs, especially long or encoded q parameters that contain instructions, HTML fragments, image tags, or language about embedding data into URLs. Varonis also recommends treating allowlisted domains that perform server-side fetches on user-supplied URLs as possible exfiltration channels, because a trusted domain can become a relay if it retrieves attacker-controlled resources.
For product teams, SearchLeak is a warning about streaming AI interfaces. Sanitizing a final answer is not enough if the browser, plugin frame, or app shell can act on partial output while the model is still generating. AI output needs to be untrusted at render time, not only after post-processing finishes.
A pattern is forming around enterprise AI
SearchLeak follows earlier Copilot-related research, including Varonis’ Reprompt work against consumer Copilot and the separate EchoLeak disclosure in Microsoft 365 Copilot. The details differ, but the pattern is consistent: AI assistants are creating new ways to reach old classes of bugs because they can interpret untrusted text as instructions, search sensitive data, and render or route outputs through complex web services.
That does not make enterprise copilots unusable. It does mean they need controls closer to the data layer than the prompt box. Access reviews, sensitive-data classification, search-scoping, audit logging, output rendering safeguards, and outbound request monitoring are becoming part of Copilot security, not optional add-ons after deployment.
The practical takeaway for Microsoft 365 customers is straightforward: the specific SearchLeak path is patched, but the risk category is alive. AI search systems inherit the permissions, data sprawl, and browser security assumptions around them. When those pieces are loosely governed, one trusted-looking link can become much more than a prompt.
