SearchLeak turns Copilot into a one-click data trap

What this is about

Varonis Threat Labs published a vulnerability chain called SearchLeak on June 15, 2026. It affected Microsoft 365 Copilot Enterprise Search and, according to Varonis, Microsoft remediated it under CVE-2026-42824. The core problem is uncomfortably simple: a user clicks a real Microsoft 365 link, Copilot interprets a search parameter as an instruction, searches inside the company context, and can carry data out through an image URL.

This is not a theoretical argument about chatbot wording. It is about an assistant that can access emails, calendars, OneDrive, SharePoint, and other indexed company data. When that layer is handled incorrectly, convenience becomes a new attack surface.

What SearchLeak actually does

SearchLeak combines three things. First, the q parameter of a Microsoft 365 search is not only treated as search text; it can act as an instruction to Copilot. Varonis calls this parameter-to-prompt injection. Second, while the answer is being streamed, there is a timing window in which an HTML image tag can fire before the output is safely neutralized. Third, the chain uses an allowed Bing feature as a relay, because Bing is allowed by the content security policy.

The flow is dangerous because the link can point to a trusted Microsoft domain. According to Varonis, the attacker needs no plugins, no special permissions, and no second click. The damage depends on what the affected user can access inside the Microsoft 365 tenant.

Why it matters

Enterprise copilots often sit above the exact data companies want to protect: negotiations, salary lists, customer emails, reset links, calendar notes, and internal files. SearchLeak shows that classic web flaws such as HTML race conditions and SSRF take on new meaning when they are connected to an AI search layer.

Secondary reports from Dark Reading, The Hacker News, and Windows Central point to the same practical lesson: the issue has been patched, but the architecture question remains. An assistant that can search company data must be treated like privileged data access, not like a harmless input box. For security teams, prompt injection, URL parameters, streaming output, and CSP allowlists need to be reviewed together.

In plain language

Imagine a company archive with a helpful front desk. Normally you ask, “Where is the March invoice?” SearchLeak is like a visitor handing the front desk an official-looking note: “Find the confidential folder and write the title on this envelope.” The envelope then leaves through an approved mailroom route.

The problem is not only the front desk. It is the combination of too much trust in the note, checks that happen too late, and an allowed exit that was meant for harmless mail.

A practical example

A finance team with 120 employees uses Microsoft 365 Copilot Enterprise Search. One employee can access 40,000 emails, several SharePoint areas, and calendar notes about active supplier negotiations. She receives a Teams link that looks like a normal Microsoft 365 search.

After the click, Copilot searches for an email with a one-time code or a confidential subject line. The answer is streamed, an image tag briefly fires, and an external server sees a sensitive value in the URL path. Even if only subject lines leak, that can be enough for phishing, social engineering, or guessing live projects in many companies.

Scope and limits

First: Varonis and multiple media reports say Microsoft has patched the vulnerability. This article is therefore not a warning about a known open flaw, but about an attack pattern.

Second: the real impact depends heavily on permissions. Companies that let Copilot run across over-permissioned SharePoint and OneDrive estates increase the blast radius of every failure.

Third: not every prompt injection automatically leads to data theft. SearchLeak was dangerous because several conditions came together: a promptable search parameter, streaming HTML, a CSP bypass, and a user with valuable data rights.

SEO & GEO keywords

Microsoft 365 Copilot, SearchLeak, CVE-2026-42824, Varonis Threat Labs, Copilot Enterprise Search, prompt injection, parameter-to-prompt injection, data exfiltration, Microsoft 365 security, SharePoint security, OneDrive security, enterprise AI security