Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 01, 2026 · 6 min read

Microsoft 365 Copilot Flaw Stole Emails With One Click

Varonis Threat Labs disclosed SearchLeak (CVE-2026-42824) in June 2026 — a chained exploit that turned Microsoft 365 Copilot Enterprise Search into a silent engine for stealing emails, MFA codes, and files from a single victim click.

One link. No malware download. No suspicious attachment. A victim clicks what looks like a standard Microsoft search URL, and within seconds their emails, MFA codes, calendar entries, and OneDrive files are silently on an attacker's server. That was SearchLeak — CVE-2026-42824 — a chained exploit in Microsoft 365 Copilot Enterprise that Varonis Threat Labs researcher Dolev Taler disclosed in June 2026 after Microsoft issued a server side patch.

Key Takeaways

  • CVE-2026-42824, named "SearchLeak," is a critical severity vulnerability in Microsoft 365 Copilot Enterprise Search that Microsoft patched server side in early June 2026.
  • Varonis Threat Labs researcher Dolev Taler discovered the flaw by chaining three distinct weaknesses: a Parameter to Prompt injection, an HTML rendering race condition, and a Bing SSRF that bypassed the Content Security Policy.
  • The attack required only a single victim click on a legitimate looking microsoft.com URL — no malware, no credential phishing, and no alert from traditional anti phishing tools.
  • Data at risk included email content, MFA one time codes, password reset links, calendar events, and OneDrive or SharePoint documents indexed by Copilot Enterprise Search.
  • No user action is required to remediate — the fix was applied on Microsoft's backend, and Varonis reported no confirmed exploitation in the wild.

How Did One Click Steal Your Email?

The attack begins with a URL that anti phishing scanners would happily pass. The target domain is genuinely microsoft.com. What the scanner misses is the q parameter embedded in the link — a Copilot Enterprise Search query parameter that is passed directly to Copilot as an executable prompt.

That first flaw is what Taler calls a Parameter to Prompt (P2P) injection. The attacker crafts a Copilot search URL with a q value containing instructions: search this user's mailbox, extract the content of recent emails containing password reset messages or MFA codes, and embed the extracted text into an image URL as a query parameter. From Copilot's perspective, it is simply following a search instruction from the URL.

The second flaw handles exfiltration: an HTML rendering race condition. Copilot wraps its streamed output in <code> blocks, and sanitization is applied after rendering completes. During the streaming window, however, the raw HTML — including attacker injected <img> tags pointing to an attacker controlled host — temporarily renders in the DOM. The browser fires the HTTP request before sanitization removes the tag. The stolen data rides out in the image request URL.

The third flaw prevents the CSP from blocking that outbound request. Microsoft 365 allowlists *.bing.com in its Content Security Policy — a reasonable choice, since Bing is a Microsoft property. But Bing's image search endpoint accepts an imgurl parameter that it fetches on the server side, relaying the request to any URL. The attacker routes the exfiltration through Bing's image search, which becomes — in Taler's phrase — "an unwitting exfiltration proxy." The CSP sees a whitelisted bing.com domain and lets the request through.

Dark corporate server room with a laptop showing a Microsoft 365 interface and a glowing chain of nodes representing the three stage SearchLeak exploit

What Data Could an Attacker Grab?

Copilot Enterprise Search has broad access to user data by design — that breadth is the feature's value proposition. In a SearchLeak attack, anything Copilot could read, an attacker could steal:

  • Email content, including threads with MFA one time passwords and password reset links
  • Calendar events and meeting details, including attendees, locations, and agendas
  • OneDrive and SharePoint documents indexed by Copilot Enterprise Search
  • Corporate data surfaced through organizational search

From the victim's perspective, nothing happens. Copilot appears to "think" for a moment. There is no error message, no redirect, no file download. The BleepingComputer writeup on SearchLeak notes that Varonis presented this as a proof of concept with no confirmed exploitation in the wild — but the absence of telltale indicators makes wild exploitation nearly impossible to detect retroactively.

Why Is This Pattern Repeating?

SearchLeak is not the first prompt injection attack to target Microsoft 365 Copilot's access to your inbox. Before it, Varonis found a "Reprompt" vulnerability in Copilot Personal using a similar technique of smuggling instructions into content the assistant would later read.

The pattern is structural, not incidental. Enterprise AI assistants are designed to read everything — email, documents, calendars, chat history — and execute instructions written in natural language. Prompt injection exploits the gap between "read this" and "execute this": an attacker's text, if it reaches the model's context window, can issue instructions with the same weight as the user's. Each new Copilot feature surface is a potential new injection vector. Microsoft's Cross Prompt Injection Attempt classifier is meant to catch this class of attack, but SearchLeak reached its goal by chaining flaws that individually looked harmless.

As Taler summarized: "SearchLeak is not a single flaw; it is a chained exploit that weaponizes Microsoft 365 Copilot Enterprise Search as a silent data exfiltration engine."

Why Should Email Users Care?

The mechanism matters beyond the Copilot context. SearchLeak targeted email content specifically because email is where the highest value secrets live: password resets, MFA codes, contract attachments, customer data. Copilot's inbox access — its central selling point — is also what makes it an attractive exfiltration target. Any AI assistant granted broad inbox read permissions operates on the same threat model.

This is also a useful reminder that email inboxes face threats on multiple fronts. The same inbox that SearchLeak could silently search is also constantly sending telemetry to marketing servers via tracking pixels — a separate, invisible data flow that operates without any vulnerability at all, just by design. Two different threat surfaces, one inbox. For broader context on how AI is reshaping enterprise email threats, the Five Eyes AI cybersecurity warning from June 2026 is worth reading alongside this disclosure.

What Should Microsoft 365 Users Do?

Microsoft's server side patch means no immediate action is required for CVE-2026-42824. But SearchLeak surfaces a set of questions every enterprise should revisit:

  1. Audit Copilot permission scope. Does your Copilot deployment need access to every mailbox, SharePoint site, and OneDrive folder? Restricting scope to the minimum required reduces the blast radius of any future prompt injection.
  2. Treat internal Copilot links with the same scrutiny as external ones. SearchLeak's delivery vector was a link to a real microsoft.com domain. A URL's domain alone is not a sufficient trust signal when that URL can carry executable instructions in its parameters.
  3. Monitor for anomalous Copilot activity. Unusual search patterns, large volumes of mailbox queries, or outbound image requests to Bing with long query strings are indicators worth alerting on, even after the patch, since the same pattern could be reused via a different chain.
  4. Stay current on Copilot security advisories. Given the pace of new surface area and the recurring pattern of prompt injection bypasses, Copilot advisories deserve a dedicated review cadence — separate from standard Patch Tuesday prioritization. For a parallel email based threat from the same period, see our NarwhalRAT breakdown.

SearchLeak will not be the last exploit of this class. The architecture that makes Copilot powerful — deep, permissioned access to your entire digital workspace — is the same architecture that makes prompt injection so valuable to attackers. The patch closed this specific chain. The structural tension remains open.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.