The flaw, now tracked as CVE-2026-42824, was discovered and reported to Microsoft by security researchers at Varonis, who published a full technical breakdown of the attack chain on Monday, days after Microsoft issued the patch.
The vulnerability, dubbed "SearchLeak" by Varonis, targeted the Enterprise tier of M365 Copilot. Researchers confirmed that the exploit could retrieve two-factor authentication codes, emails, SharePoint documents, OneDrive files, meeting notes, and any other content the targeted user had access to within the Microsoft 365 environment. No user action beyond clicking a trusted-looking link was required.
How SearchLeak Worked
The attack chain Varonis constructed exploited three separate weaknesses in sequence, each used to bypass a specific guardrail Microsoft had built into Copilot. The first was a Parameter-to-Prompt Injection, a close relative of prompt injection, but with the malicious instruction embedded in a URL query parameter rather than within an email or document. An attacker could craft a URL pointing to M365 Copilot's search function and embed a command instructing Copilot to search the user's emails and extract sensitive content. Copilot complied without hesitation.
The second weakness was a timing flaw in how Copilot renders its responses. Microsoft had built a guardrail that wraps Copilot output in code blocks, preventing raw HTML from being rendered in the browser. However, researchers found this protection only activates after Copilot's "thinking" phase. During the generation phase, Copilot produces raw HTML, including image tags, which the browser briefly renders, firing live HTTP requests before the guardrail has a chance to intervene.
The third element of the chain addressed Copilot's content security policy, which restricts the external domains to which it can send requests. Trusted Microsoft properties, including Bing, are on the permitted list. Varonis exploited Bing's image search functionality as a relay. The request technically originated from a permitted domain before forwarding stolen data to an attacker-controlled server.
Varonis noted that because SearchLeak targeted the Enterprise tier of M365 Copilot, the potential exposure extended well beyond individual inboxes. Anything indexed and accessible to the compromised user across email, SharePoint, OneDrive, and connected business systems was within reach.
Why the Patch Does Not Close the Underlying Problem
Microsoft has confirmed the vulnerabilities exploited by SearchLeak have been fixed. What has not been fixed is the root cause that makes these attacks possible in the first place. Large language models find it difficult to distinguish between instructions provided by legitimate users and malicious instructions embedded in third-party content the model is asked to process. Every guardrail Microsoft and its peers construct addresses a symptom, not the disease.
Artur Bagiryan, Senior Manager of Cybersecurity at PwC Singapore, captured the dynamic clearly in a recent analysis of the SearchLeak chain:
"An attacker always looks for the shortest and quietest attack path. We shouldn't look at AI vulnerabilities in isolation as they are the new paths to your most critical assets."
That framing matters acutely for Microsoft Copilot specifically. Unlike a standalone AI tool operating in an isolated environment, Copilot is architected to work across the full Microsoft 365 suite and take action on behalf of users across an entire organization. That breadth of access is the product's core value proposition. It is also what makes a successful prompt injection attack against it so consequential.
The concern is compounded by deployment scale. Microsoft 365 Copilot is embedded across some of the world's largest enterprise environments. A vulnerability that can silently surface an organization's most sensitive data without triggering alerts, and without requiring any technical sophistication from the attacker beyond crafting a URL, represents a meaningful threat at that scale.
What Comes Next
Microsoft's patch closes the specific attack path Varonis documented. It does not change the underlying architecture that made the attack possible, and researchers are explicit that new exploit chains targeting the same fundamental weakness will continue to emerge.
For enterprise security teams, the immediate implication is that AI tools integrated deeply into productivity environments should be treated as high-value attack surfaces. Access scope, monitoring for anomalous outbound requests, and user awareness all become relevant controls.
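As an added illustration of the outbound-request monitoring mentioned above (this is not code from Varonis or Microsoft), the sketch below reviews logged request URLs and flags the relay pattern described earlier: a request to an allow-listed host whose query string carries a URL for a host outside the list. The host names, the length threshold and the sample log entries are all constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: placeholder allow-list, not Microsoft's real policy.
ALLOWED_HOSTS = {"images.trusted.example", "cdn.trusted.example"}
MAX_VALUE_LEN = 200  # assumed threshold for an unusually long parameter value

def url_host(value):
    """Hostname if value parses as an http(s) URL, else None."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

def host_allowed(host):
    """True when host is an allow-listed host or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def nested_hosts(url, depth=3):
    """Yield hosts of URLs carried inside query parameter values."""
    if depth == 0:
        return
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        host = url_host(value)
        if host:
            yield host
            yield from nested_hosts(value, depth - 1)

def review_request(url):
    """Return a list of findings for one outbound request URL."""
    if not host_allowed(url_host(url)):
        return ["destination not allow-listed"]
    findings = [f"allow-listed host asked to fetch {h}"
                for h in nested_hosts(url) if not host_allowed(h)]
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"parameter {name!r} is {len(value)} characters long")
    return findings

# Constructed sample requests, as a proxy might log them.
SAMPLE_REQUESTS = [
    "https://images.trusted.example/search?q=quarterly+report",
    "https://images.trusted.example/fetch?imgurl="
    "https%3A%2F%2Fcollector.example.net%2Fp.png%3Fd%3DAAAA",
    "https://cdn.trusted.example/a.js?v=" + "x" * 250,
    "https://unknown.example.org/pixel.gif",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[:60], "->", review_request(req) or "ok")
```

A host-only allow-list check passes the second sample; only inspecting the parameter values shows where the allow-listed host is being asked to send the request next.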
More broadly, SearchLeak is a signal that the security industry's understanding of AI-specific vulnerabilities is still maturing. The techniques used are not exotic. They are combinations of known classes of vulnerability applied to a new environment. As AI tools become more deeply embedded in enterprise infrastructure, the blast radius of a successful exploit will only grow.