TL;DR

CVE-2026-42824 ("SearchLeak") — Varonis Threat Labs discovered a 3-stage chain in Microsoft 365 Copilot Enterprise Search that lets an attacker send a victim a single crafted link (on a real microsoft.com domain) and silently exfiltrate their emails, calendar events, OneDrive/SharePoint files, MFA codes, and password-reset links. Microsoft patched it on the backend; no user action is required. If your org uses M365 Copilot, the risk is eliminated — but the attack class (parameter-to-prompt injection) is new and will recur.

What happened

Microsoft 365 Copilot Enterprise Search is a feature that lets users query their entire M365 workspace (email, calendar, Teams, SharePoint, OneDrive) via a natural-language Copilot prompt embedded in a URL parameter. Varonis Threat Labs discovered that the q= URL parameter — intended to pre-populate a search query — is processed by Copilot as a trusted user instruction rather than untrusted attacker input.

The 3-stage chain:

Stage 1 — Parameter-to-Prompt Injection (P2PI) The Copilot Enterprise Search URL accepts a q= parameter. When a user clicks a link containing a malicious q= value, Copilot processes the injected text as a high-trust user prompt rather than a search query, instructing it to render attacker-controlled HTML or perform attacker-directed actions. Because the link points to *.microsoft.com, standard anti-phishing tools and URL filters don't flag it.

Stage 2 — HTML Rendering Race Condition Copilot's response rendering is asynchronous. The race condition allowed the injected prompt to insert <img> or similar HTML tags into the rendered output before Content Security Policy (CSP) headers were applied, enabling exfil via an out-of-band request.

Stage 3 — CSP Bypass via Bing SSRF Copilot's CSP allowlists Bing-related Microsoft domains. The attack abused a Bing Server-Side Request Forgery (SSRF) primitive to tunnel outbound data through a Bing-owned host — passing the CSP allowlist and delivering exfiltrated content to attacker-controlled infrastructure.

Data that could be exfiltrated in a single victim click: - Full email content and subjects - Calendar meeting invitations and notes - Multi-factor authentication (MFA) codes - Password-reset links and one-time access codes - OneDrive and SharePoint file contents - Any M365 data the victim account has access to

Attack delivery: The attacker sends the victim a normal-looking link via email, Slack, Teams, or any channel. The link opens Microsoft 365 Copilot Search (a real Microsoft domain). One click = silent exfil. No second click, no credential prompt, no approval dialog.

Disclosure and patch: Varonis Threat Labs discovered and reported SearchLeak. Microsoft classified it as CVE-2026-42824 (CVSS 6.5 per Microsoft; 7.5 per NVD) and patched it on backend infrastructure on or before June 15, 2026. Since Copilot Enterprise is a managed SaaS, customers cannot patch independently — but the fix is already deployed.

Am I affected?

Current exposure: None. Microsoft patched the backend. No customer action is required to close the CVE-2026-42824 attack vector.

Historical exposure check: If you have Copilot Enterprise audit logs for the period before June 15, 2026, look for:

# M365 Purview / Compliance Center audit query (PowerShell)
Search-UnifiedAuditLog -StartDate 2026-01-01 -EndDate 2026-06-15 `
  -Operations "CopilotInteraction" `
  -ResultSize 1000 | Where-Object { $_.AuditData -match 'q=' }

Specifically: any Copilot Enterprise Search sessions initiated from an unusual IP or following a link with an unusually long q= URL parameter containing instruction-style text (rather than a keyword search).

If you are affected

Since the patch is already deployed, "affected" means you may have been a target before June 15, 2026. If audit logs show anomalous Copilot Enterprise Search sessions:

playbooks/rotating-cloud-credentials.md — if MFA codes or tokens may have been captured.

playbooks/if-your-webapp-was-compromised.md — for broader incident response if account takeover is suspected.

Prevention

This attack class — parameter-to-prompt injection (P2PI) — is distinct from classic indirect prompt injection (attacker plants instructions in content the AI reads). In P2PI, the attacker controls a URL parameter that the AI treats as a user instruction. Defenses:

  • Treat Copilot Enterprise Search links like OAuth authorization links — clicking an unexpected microsoft.com/copilot?q=... link from an unverified sender carries the same risk as clicking an unknown OAuth grant. If the link pre-populates a Copilot query you didn't write, be suspicious.
  • Limit Copilot data scope to least-privilege. Users who only need Copilot for email shouldn't have Copilot search enabled over OneDrive, SharePoint, and all Teams conversations. Narrow the scope so that a successful P2PI attack can't reach every cloud resource the account touches.
  • Enable Copilot interaction audit logging. In M365 Purview, enable Copilot audit logs so you can detect anomalous bulk reads triggered from unexpected sources.
  • For AI/Copilot product teams: Never trust URL parameters as user intent. Parameters are untrusted attacker input, regardless of the domain they arrive at. Sanitize q= and similar before passing to LLM context.

See also: prevention/agent-sandboxing.md

Sources