Microsoft 365 Copilot SearchLeak (CVE-2026-42824) — 1-click exfil of emails, MFA codes, and OneDrive files via parameter-to-prompt injection + CSP bypass
TL;DR
CVE-2026-42824 ("SearchLeak") — Varonis Threat Labs discovered a 3-stage chain in Microsoft 365 Copilot Enterprise Search that lets an attacker send a victim a single crafted link (on a real microsoft.com domain) and silently exfiltrate their emails, calendar events, OneDrive/SharePoint files, MFA codes, and password-reset links. Microsoft patched it on the backend; no user action is required. If your org uses M365 Copilot, the risk is eliminated — but the attack class (parameter-to-prompt injection) is new and will recur.
What happened
Microsoft 365 Copilot Enterprise Search is a feature that lets users query their entire M365 workspace (email, calendar, Teams, SharePoint, OneDrive) via a natural-language Copilot prompt embedded in a URL parameter. Varonis Threat Labs discovered that the q= URL parameter — intended to pre-populate a search query — is processed by Copilot as a trusted user instruction rather than untrusted attacker input.
The 3-stage chain:
Stage 1 — Parameter-to-Prompt Injection (P2PI)
The Copilot Enterprise Search URL accepts a q= parameter. When a user clicks a link containing a malicious q= value, Copilot processes the injected text as a high-trust user prompt rather than a search query, instructing it to render attacker-controlled HTML or perform attacker-directed actions. Because the link points to *.microsoft.com, standard anti-phishing tools and URL filters don't flag it.
Stage 2 — HTML Rendering Race Condition
Copilot's response rendering is asynchronous. The race condition allowed the injected prompt to insert <img> or similar HTML tags into the rendered output before Content Security Policy (CSP) headers were applied, enabling exfil via an out-of-band request.
Stage 3 — CSP Bypass via Bing SSRF Copilot's CSP allowlists Bing-related Microsoft domains. The attack abused a Bing Server-Side Request Forgery (SSRF) primitive to tunnel outbound data through a Bing-owned host — passing the CSP allowlist and delivering exfiltrated content to attacker-controlled infrastructure.
Data that could be exfiltrated in a single victim click: - Full email content and subjects - Calendar meeting invitations and notes - Multi-factor authentication (MFA) codes - Password-reset links and one-time access codes - OneDrive and SharePoint file contents - Any M365 data the victim account has access to
Attack delivery: The attacker sends the victim a normal-looking link via email, Slack, Teams, or any channel. The link opens Microsoft 365 Copilot Search (a real Microsoft domain). One click = silent exfil. No second click, no credential prompt, no approval dialog.
Disclosure and patch: Varonis Threat Labs discovered and reported SearchLeak. Microsoft classified it as CVE-2026-42824 (CVSS 6.5 per Microsoft; 7.5 per NVD) and patched it on backend infrastructure on or before June 15, 2026. Since Copilot Enterprise is a managed SaaS, customers cannot patch independently — but the fix is already deployed.
Am I affected?
Current exposure: None. Microsoft patched the backend. No customer action is required to close the CVE-2026-42824 attack vector.
Historical exposure check: If you have Copilot Enterprise audit logs for the period before June 15, 2026, look for:
# M365 Purview / Compliance Center audit query (PowerShell)
Search-UnifiedAuditLog -StartDate 2026-01-01 -EndDate 2026-06-15 `
-Operations "CopilotInteraction" `
-ResultSize 1000 | Where-Object { $_.AuditData -match 'q=' }
Specifically: any Copilot Enterprise Search sessions initiated from an unusual IP or following a link with an unusually long q= URL parameter containing instruction-style text (rather than a keyword search).
If you are affected
Since the patch is already deployed, "affected" means you may have been a target before June 15, 2026. If audit logs show anomalous Copilot Enterprise Search sessions:
→ playbooks/rotating-cloud-credentials.md — if MFA codes or tokens may have been captured.
→ playbooks/if-your-webapp-was-compromised.md — for broader incident response if account takeover is suspected.
Prevention
This attack class — parameter-to-prompt injection (P2PI) — is distinct from classic indirect prompt injection (attacker plants instructions in content the AI reads). In P2PI, the attacker controls a URL parameter that the AI treats as a user instruction. Defenses:
- Treat Copilot Enterprise Search links like OAuth authorization links — clicking an unexpected
microsoft.com/copilot?q=...link from an unverified sender carries the same risk as clicking an unknown OAuth grant. If the link pre-populates a Copilot query you didn't write, be suspicious. - Limit Copilot data scope to least-privilege. Users who only need Copilot for email shouldn't have Copilot search enabled over OneDrive, SharePoint, and all Teams conversations. Narrow the scope so that a successful P2PI attack can't reach every cloud resource the account touches.
- Enable Copilot interaction audit logging. In M365 Purview, enable Copilot audit logs so you can detect anomalous bulk reads triggered from unexpected sources.
- For AI/Copilot product teams: Never trust URL parameters as user intent. Parameters are untrusted attacker input, regardless of the domain they arrive at. Sanitize
q=and similar before passing to LLM context.
See also: prevention/agent-sandboxing.md
Sources
- The Hacker News — One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes — primary disclosure; 3-stage chain detail; MFA codes and password-reset links in scope.
- BleepingComputer — New attack turned Microsoft 365 Copilot into 1-click data theft tool — independent corroboration; attack delivery via real MS domain link; no second click required.
- Dark Reading — Copilot 'SearchLeak' Attack Allows 1-Click Data Theft — independent coverage; Varonis attribution confirmed; CSP bypass via Bing SSRF mechanism.
- Microsoft Security Response Center — CVE-2026-42824 — official Microsoft CVE entry; CVSS 6.5; patched on backend.