- Varonis exposed “SearchLeak” that chained three flaws in Microsoft 365 Copilot to enable one-click data theft
- Attack leveraged prompt injection, HTML race mode and Bing SSRF to exfiltrate inbox, OneDrive and SharePoint data
- Microsoft patched CVE-2026-42824 earlier this month and rated it 10/10 critical
Experts have revealed a way to turn Microsoft 365 Copilot into a one-click data theft tool capable of exfiltrating sensitive information from people’s inboxes, OneDrive and SharePoint instances.
The method was recently patched by Microsoft after being developed by security researchers at Varonis, who dubbed it SearchLeak and explained that it works by chaining together three vulnerabilities.
Individually, these three can’t do much damage, but together they’re strong enough to warrant a patch.
Exfiltration proxy
The three vulnerabilities linked are a parameter-to-prompt injection, an HTML rendering race condition, and a content security policy (CSP) bypass enabled by Bing server-side request forgery (SSRF).
The attack starts when a victim clicks on a specially crafted Microsoft 365 Copilot Enterprise Search link. The URL contains hidden instructions in the search query parameter that tell Copilot to search the victim’s emails, OneDrive files, SharePoint documents, or calendar data and include the results in an image URL.
As Copilot generates its response, a race condition causes the browser to briefly render attacker-controlled HTML before Microsoft’s sanitization process is complete. This makes it possible to capture a snapshot containing the stolen data.
Finally, the image request is routed through Bing’s “Search by Image” feature, and due to the SSRF flaw, Bing can retrieve the attacker-controlled URL on behalf of the victim, bypassing the content security policy’s protections. Thus, the sensitive data embedded in the URL is transferred to the attacker’s server, where they can recover it from web request logs.
“Bing becomes an ignorant exfiltration proxy,” the researchers explained. “A classic SSRF hiding in plain sight behind a CSP permission list.”
Varonis says that all the victim sees is a normal Copilot search session, and emphasized that AI has turned simple, easily addressed vulnerabilities, such as SSRF and HTML injection race conditions, into potent ones.
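As an added illustration that is not from Varonis’ write-up or Microsoft’s code, the following Python check shows the defender-side lesson of the chain above: an image URL that an assistant wants to render is only as safe as every URL nested inside its query string, so an allowlisted host that fetches caller-supplied URLs must not be treated as a free pass. The Bing paths, parameter names and sample values are constructed assumptions, not the real endpoint used in SearchLeak.

```python
import math
from urllib.parse import urlparse, parse_qsl

# Constructed allowlist, standing in for the origins a CSP img-src directive permits.
ALLOWED_IMAGE_HOSTS = {"www.bing.com", "res.cdn.office.net"}

# Constructed samples; the Bing paths and parameter names are assumptions.
BENIGN_SAMPLE = "https://res.cdn.office.net/icons/copilot.png"
EXFIL_SAMPLE = ("https://www.bing.com/images/search?view=detailv2"
                "&imgurl=https%3A%2F%2Fattacker.example%2Fc%3Fd%3DQ1-financials-attached")
ENCODED_SAMPLE = ("https://www.bing.com/th?id="
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=")


def _entropy(s: str) -> float:
    """Shannon entropy in bits per character; long, high-entropy values suggest encoded data."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def check_image_url(url: str, allowed_hosts=ALLOWED_IMAGE_HOSTS, depth: int = 0) -> list:
    """Return findings for an image URL generated into an assistant response.
    Recurses into URLs carried in query parameters, so a permitted host that
    fetches a caller-supplied URL (SSRF used as a proxy) is still caught."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append(f"non-https scheme {parsed.scheme!r} at depth {depth}")
    if host not in allowed_hosts:
        findings.append(f"host {host!r} not in allowlist at depth {depth}")
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        nested = urlparse(value)
        if nested.scheme in ("http", "https") and nested.netloc:
            findings.append(f"nested URL in parameter {key!r} at depth {depth}")
            findings.extend(check_image_url(value, allowed_hosts, depth + 1))
        elif len(value) > 64 and _entropy(value) > 4.0:
            findings.append(f"long high-entropy value in parameter {key!r} at depth {depth}")
    return findings


def should_render(url: str) -> bool:
    """Render only when no finding was raised at any nesting depth."""
    return not check_image_url(url)
```

The entropy heuristic is deliberately crude; the decisive check is the recursive host test, which refuses the nested attacker host even though the outer host is allowlisted.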
Earlier this month, Microsoft fixed the bug, assigned it a maximum severity rating (10/10 critical) and tracked it as CVE-2026-42824.
Via Bleeping Computer
