AI/ML

SearchLeak vulnerability allows data theft from Microsoft 365 Copilot Enterprise

Bleeping Computer reports that a critical vulnerability chain dubbed SearchLeak in Microsoft 365 Copilot Enterprise could allow attackers to steal sensitive data from a target's mailbox, OneDrive, or SharePoint account through a specially crafted URL.

The SearchLeak vulnerability, identified as CVE-2026-42824, is a three-stage attack chain developed by Varonis researchers. It combines a parameter-to-prompt injection, an HTML rendering race condition, and a content-security-policy (CSP) bypass enabled by server-side request forgery (SSRF) through Bing. The attack begins when a victim clicks a malicious URL. A parameter in this URL instructs Copilot to search for specific data, such as email content or document titles. While the response is being streamed, an HTML rendering race condition allows an attacker-controlled image tag to be rendered, embedding the exfiltrated data in the image's URL. That URL is then passed to Bing's "Search by Image" feature, which fetches the attacker's endpoint server-side and so bypasses the CSP that would block a direct browser request. The stolen information then appears in the attacker's server logs.

Microsoft has addressed this critical vulnerability, and no user action is required for mitigation.
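As an added defensive illustration (not Microsoft's or Varonis's code), the filter below shows the two rendering-side controls that address the chain described above: holding back any tag split across streaming chunks until it is complete, and dropping image tags whose source is not on an allowlist, so response text cannot leave in an image URL. The allowlisted host and the sample chunks are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: only first-party image origins may be fetched.
ALLOWED_IMAGE_HOSTS = {"img.example-tenant.com"}

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def image_allowed(src: str) -> bool:
    """Allow same-origin relative paths and https URLs on allowlisted hosts.
    Protocol-relative (//host) and non-https schemes are rejected."""
    parts = urlsplit(src.strip())
    if parts.scheme == "" and parts.netloc == "" and src.startswith("/"):
        return True
    return parts.scheme == "https" and parts.hostname in ALLOWED_IMAGE_HOSTS


class StreamingImageFilter:
    """Filters LLM output chunk by chunk before it reaches the renderer.
    A tag whose closing '>' has not arrived yet is held back, so a partial
    tag is never rendered. Dropped image URLs are recorded: a query string
    carrying mailbox or document text is the exfiltration signal to log."""

    def __init__(self) -> None:
        self._pending = ""
        self.dropped: list[str] = []

    def _filter_tag(self, m) -> str:
        srcm = SRC_ATTR.search(m.group(0))
        src = next((g for g in srcm.groups() if g is not None), "") if srcm else ""
        if image_allowed(src):
            return m.group(0)
        self.dropped.append(src)
        return ""

    def feed(self, chunk: str) -> str:
        data = self._pending + chunk
        cut = data.rfind("<")
        if cut != -1 and ">" not in data[cut:]:
            # Unterminated tag: hold it until the next chunk completes it.
            self._pending, data = data[cut:], data[:cut]
        else:
            self._pending = ""
        return IMG_TAG.sub(self._filter_tag, data)

    def finish(self) -> str:
        # Whatever is still pending at end of stream is escaped, never rendered.
        tail, self._pending = self._pending, ""
        return tail.replace("<", "&lt;")
```

The regexes are a minimal tokenizer for illustration; a production filter would run a real HTML sanitizer over the buffered output instead.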

Source: Bleeping Computer
