---
id: 2026-06-copilot-searchleak-cve-2026-42824
title: "Microsoft 365 Copilot SearchLeak (CVE-2026-42824) — 1-click exfil of emails, MFA codes, and OneDrive files via parameter-to-prompt injection + CSP bypass"
date_disclosed: 2026-06-15
last_updated: 2026-06-24
severity: high
status: patched
ecosystems: [microsoft-365, saas, ai-agents]
tools_affected: [microsoft-365-copilot, copilot-enterprise-search]
tags: [cve, prompt-injection, parameter-to-prompt-injection, data-exfil, one-click-attack, microsoft, copilot, bing-ssrf, csp-bypass]
---

## TL;DR

**CVE-2026-42824 ("SearchLeak")** — Varonis Threat Labs discovered a 3-stage chain in **Microsoft 365 Copilot Enterprise Search** that lets an attacker send a victim a single crafted link (on a real `microsoft.com` domain) and silently exfiltrate their emails, calendar events, OneDrive/SharePoint files, MFA codes, and password-reset links. Microsoft patched it on the backend; no user action is required. If your org uses M365 Copilot, the risk is eliminated — but the **attack class** (parameter-to-prompt injection) is new and will recur.

## What happened

**Microsoft 365 Copilot Enterprise Search** is a feature that lets users query their entire M365 workspace (email, calendar, Teams, SharePoint, OneDrive) via a natural-language Copilot prompt embedded in a URL parameter. Varonis Threat Labs discovered that the `q=` URL parameter — intended to pre-populate a search query — is processed by Copilot as a **trusted user instruction** rather than untrusted attacker input.

**The 3-stage chain:**

**Stage 1 — Parameter-to-Prompt Injection (P2PI)**
The Copilot Enterprise Search URL accepts a `q=` parameter. When a user clicks a link containing a malicious `q=` value, Copilot processes the injected text as a high-trust user prompt rather than a search query, instructing it to render attacker-controlled HTML or perform attacker-directed actions. Because the link points to `*.microsoft.com`, standard anti-phishing tools and URL filters don't flag it.

**Stage 2 — HTML Rendering Race Condition**
Copilot's response rendering is asynchronous. The race condition allowed the injected prompt to insert `<img>` or similar HTML tags into the rendered output before Content Security Policy (CSP) headers were applied, enabling exfil via an out-of-band request.

**Stage 3 — CSP Bypass via Bing SSRF**
Copilot's CSP allowlists Bing-related Microsoft domains. The attack abused a Bing Server-Side Request Forgery (SSRF) primitive to tunnel outbound data through a Bing-owned host — passing the CSP allowlist and delivering exfiltrated content to attacker-controlled infrastructure.

**Data that could be exfiltrated in a single victim click:**
- Full email content and subjects
- Calendar meeting invitations and notes
- Multi-factor authentication (MFA) codes
- Password-reset links and one-time access codes
- OneDrive and SharePoint file contents
- Any M365 data the victim account has access to

**Attack delivery:** The attacker sends the victim a normal-looking link via email, Slack, Teams, or any channel. The link opens Microsoft 365 Copilot Search (a real Microsoft domain). One click = silent exfil. No second click, no credential prompt, no approval dialog.

**Disclosure and patch:** Varonis Threat Labs discovered and reported SearchLeak. Microsoft classified it as CVE-2026-42824 (CVSS 6.5 per Microsoft; 7.5 per NVD) and patched it on backend infrastructure on or before June 15, 2026. Since Copilot Enterprise is a managed SaaS, customers cannot patch independently — but the fix is already deployed.

## Am I affected?

**Current exposure: None.** Microsoft patched the backend. No customer action is required to close the CVE-2026-42824 attack vector.

**Historical exposure check:** If you have Copilot Enterprise audit logs for the period before June 15, 2026, look for:

```
# M365 Purview / Compliance Center audit query (PowerShell)
Search-UnifiedAuditLog -StartDate 2026-01-01 -EndDate 2026-06-15 `
  -Operations "CopilotInteraction" `
  -ResultSize 1000 | Where-Object { $_.AuditData -match 'q=' }
```

Specifically: any Copilot Enterprise Search sessions initiated from an unusual IP or following a link with an unusually long `q=` URL parameter containing instruction-style text (rather than a keyword search).

## If you are affected

Since the patch is already deployed, "affected" means you may have been a target before June 15, 2026. If audit logs show anomalous Copilot Enterprise Search sessions:

→ [playbooks/rotating-cloud-credentials.md](../playbooks/rotating-cloud-credentials.md) — if MFA codes or tokens may have been captured.

→ [playbooks/if-your-webapp-was-compromised.md](../playbooks/if-your-webapp-was-compromised.md) — for broader incident response if account takeover is suspected.

## Prevention

This attack class — **parameter-to-prompt injection (P2PI)** — is distinct from classic indirect prompt injection (attacker plants instructions in content the AI reads). In P2PI, the attacker controls a URL parameter that the AI treats as a user instruction. Defenses:

- **Treat Copilot Enterprise Search links like OAuth authorization links** — clicking an unexpected `microsoft.com/copilot?q=...` link from an unverified sender carries the same risk as clicking an unknown OAuth grant. If the link pre-populates a Copilot query you didn't write, be suspicious.
- **Limit Copilot data scope to least-privilege.** Users who only need Copilot for email shouldn't have Copilot search enabled over OneDrive, SharePoint, and all Teams conversations. Narrow the scope so that a successful P2PI attack can't reach every cloud resource the account touches.
- **Enable Copilot interaction audit logging.** In M365 Purview, enable Copilot audit logs so you can detect anomalous bulk reads triggered from unexpected sources.
- **For AI/Copilot product teams:** Never trust URL parameters as user intent. Parameters are untrusted attacker input, regardless of the domain they arrive at. Sanitize `q=` and similar before passing to LLM context.

See also: [prevention/agent-sandboxing.md](../prevention/agent-sandboxing.md)

## Sources

- [The Hacker News — One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes](https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html) — primary disclosure; 3-stage chain detail; MFA codes and password-reset links in scope.
- [BleepingComputer — New attack turned Microsoft 365 Copilot into 1-click data theft tool](https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/) — independent corroboration; attack delivery via real MS domain link; no second click required.
- [Dark Reading — Copilot 'SearchLeak' Attack Allows 1-Click Data Theft](https://www.darkreading.com/application-security/copilot-searchleak-attack-1-click-data-theft) — independent coverage; Varonis attribution confirmed; CSP bypass via Bing SSRF mechanism.
- [Microsoft Security Response Center — CVE-2026-42824](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42824) — official Microsoft CVE entry; CVSS 6.5; patched on backend.
