Microsoft’s Copilot Keeps Getting Hacked the Same Way — and Enterprise Defenders Can’t Stop It

Varonis has broken through Copilot's enterprise guardrails three times now — and each time, the fix is a backend patch that IT teams cannot control or verify.
June 15, 2026
Varonis Threat Labs uncovered SearchLeak, a three-stage attack chain turning Microsoft 365 Copilot into a data theft tool. [Image Source: Varonis]

WASHINGTON – The employee never typed a password. Never approved a permission request. All they did was click a link — one that pointed to a real Microsoft domain, the kind of address every corporate security filter learns to trust. Within seconds, Microsoft 365 Copilot had quietly scanned their mailbox, extracted email subjects and one-time authentication codes, and routed that data out through Bing’s own servers. From the victim’s screen, Copilot appeared to simply be thinking.

This is SearchLeak, a critical vulnerability chain documented by researchers at Varonis Threat Labs and disclosed Monday alongside Microsoft’s patch. It is the third time Varonis has demonstrated that Microsoft’s enterprise AI assistant can be weaponized against the very workers it is meant to help — and the pattern is becoming hard to dismiss as coincidence.

Microsoft assigned the flaw CVE-2026-42824 and rated it critical. The National Vulnerability Database assigned a CVSS severity score of 7.5; Microsoft’s own scoring came in at 6.5. That gap — two authoritative bodies looking at the same vulnerability and reaching different conclusions — captures something important about the moment enterprise AI security finds itself in. The rules for measuring risk have not caught up to the technology.

The SearchLeak technique chains three distinct flaws, none of which would be especially dangerous on its own. The first is what Varonis calls a Parameter-to-Prompt injection: Microsoft 365 Copilot Enterprise Search accepts natural-language queries through the “q” parameter in its URL. Copilot reads whatever is placed in that parameter as an instruction — not merely a search string. An attacker can pre-fill that parameter with a command telling Copilot to search the victim’s inbox, extract specific content, and embed it inside an image URL. The victim contributes nothing beyond a single click. As Varonis researchers described it, the attacker crafts a URL that tells Copilot to search the user’s emails, extract the title, and embed it in an image URL — and Copilot takes care of the rest.

The second flaw is a race condition in how the browser renders Copilot’s streaming response. Microsoft’s sanitization process wraps Copilot output in code blocks to neutralize HTML markup, but that wrapping happens only after the full response is generated. During the fraction of a second when the browser draws the streaming response before sanitization completes, an attacker-controlled image tag executes and fires an outbound network request. By the time security filters run, the request has already left.

The third flaw converts that outbound request into an exfiltration channel. Microsoft 365 Copilot’s content security policy allows connections to bing.com — a natural trust relationship given that Bing powers much of Copilot’s underlying search. Bing’s “Search by Image” feature accepts an image URL and fetches it server-side. An attacker routes the request through that endpoint, embedding the stolen data in the URL path. Because the retrieval originates from Bing’s infrastructure rather than the victim’s browser, the content security policy that would normally block requests to unknown domains does not apply. Bing becomes, as Varonis put it, an unwitting exfiltration proxy.

Microsoft 365 Copilot’s deep integration with corporate data makes every AI vulnerability a potential skeleton key to an organisation’s entire digital estate. [Image Source: The Hacker News]

The data within reach is not trivial. Microsoft 365 Copilot Enterprise Search can query everything the signed-in user can access through their Microsoft Graph permissions: emails, calendar events, meeting notes, and any files indexed in SharePoint or OneDrive. Among the most immediately dangerous items in a corporate inbox are time-sensitive one-time codes, multi-factor authentication tokens, and password-reset links — each often valid for only a few minutes, but long enough for an automated script reading attacker server logs to act.

What makes SearchLeak structurally significant is not that it broke new ground — it is that it repeated ground that was supposedly already closed. In January, Varonis researcher Dolev Taler disclosed Reprompt, a one-click attack against Copilot Personal that used the same Parameter-to-Prompt injection approach to exfiltrate data persistently, even after the Copilot session was closed. Copilot Enterprise, with its additional audit controls and data loss prevention layers, was supposed to be hardened against exactly that kind of technique. It was not. And before Reprompt, there was EchoLeak — CVE-2025-32711 — a zero-click Copilot data-leak vulnerability disclosed by Aim Security in 2025 that also exploited SSRF and sanitizer race conditions.

Three exploits. Three backend patches. The same architectural exposure each time.

The deeper problem is one of governance architecture. Microsoft has repeatedly described Copilot as respecting existing Microsoft 365 permissions — and that is accurate as far as it goes. Copilot can only reach data the signed-in user is authorized to see. But the SearchLeak episode illustrates what “permission-respecting” does not guarantee: that the AI assistant will refuse adversarial instructions delivered through a crafted URL, or that its sanitization pipeline will consistently neutralize malicious HTML before the browser renders it, or that a trusted third-party service like Bing cannot be turned into an exfiltration channel by abusing the very trust relationships that make the product work.

The tension is structural. The same depth of integration that makes Copilot useful — deep access to email, calendar, files, and search across the entire Microsoft 365 estate — is what makes each exploitation so damaging when a chained attack gets through. A senior IT administrator at a large enterprise has no lever to pull here: because Copilot Enterprise runs as a managed cloud service, tenant administrators cannot patch, reconfigure, or roll back the components that failed in SearchLeak. Microsoft mitigates these flaws on its backend, typically without requiring any customer action, which is efficient but also means customers have no independent ability to verify that the fix actually holds.

Microsoft confirmed to BleepingComputer that it has rolled out protections addressing the SearchLeak scenario and is implementing additional measures to strengthen safeguards against similar techniques as part of its defense-in-depth approach. Varonis presented a proof-of-concept rather than observed in-the-wild exploitation, meaning there is no evidence that SearchLeak was used against real targets before the patch. That matters for assessing immediate risk, but it does not settle the longer question of whether the enterprise AI security model is keeping pace with the attack surface it is creating.

The scale of Microsoft’s security patching burden has grown dramatically alongside its AI ambitions — the company’s June 2026 Patch Tuesday addressed 206 separate vulnerabilities, a volume that security teams have explicitly tied to the expanding attack surface of AI-integrated products. SearchLeak did not appear on that Patch Tuesday because it had already been mitigated at the backend weeks earlier, but it belongs to the same trend.

For enterprise security teams with Copilot deployed, Varonis recommends monitoring for Copilot Search URLs containing encoded payloads or HTML content in the q parameter, and flagging unusual outbound requests to Bing’s image endpoints. Tightening data-access governance to limit what Copilot indexes reduces what any future exploit can reach. None of these measures close the underlying vulnerability — they narrow the blast radius while waiting for the next backend patch.
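The two monitoring signals Varonis recommends can be prototyped over web-proxy logs. The sketch below is an added example, not code from Varonis, Microsoft or this article. The Copilot Search host name, the allowlist, and the paths and parameter names in the sample lines are placeholders, because the article gives none of them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumptions, not values from the article: adjust to your own proxy logs.
COPILOT_SEARCH_HOSTS = {"copilot-search.example"}  # placeholder host name
FETCH_ALLOWLIST = ("bing.com",)                    # hosts Bing may be asked to fetch

MARKUP = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)    # HTML tag after decoding
RESIDUAL_ENC = re.compile(r"%[0-9a-f]{2}", re.I)      # still encoded after one decode
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")    # long opaque blob
EMBEDDED_URL = re.compile(r"https?://([^/\s?#:]+)", re.I)

def in_domain(host, domain):
    """True for the domain itself or a subdomain, never a look-alike suffix."""
    return host == domain or host.endswith("." + domain)

def check_url(url):
    """Return finding labels for one logged URL (empty list = nothing flagged)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # decodes once
    findings = []
    if host in COPILOT_SEARCH_HOSTS:
        for name, value in pairs:
            if name == "q" and MARKUP.search(value):
                findings.append("copilot-q-html")
            if name == "q" and (RESIDUAL_ENC.search(value) or LONG_B64.search(value)):
                findings.append("copilot-q-encoded")
    if in_domain(host, "bing.com"):
        # Any parameter carrying a URL on a host outside the allowlist.
        for _, value in pairs:
            for target in EMBEDDED_URL.findall(value):
                if not any(in_domain(target.lower(), d) for d in FETCH_ALLOWLIST):
                    findings.append("bing-external-fetch:" + target.lower())
    return findings

def scan(log_lines):
    """Map each flagged URL in whitespace-separated log lines to its findings."""
    urls = [t for line in log_lines for t in line.split() if t.startswith("http")]
    return {u: f for u in urls if (f := check_url(u))}

# Constructed sample proxy log lines (paths and parameter names are made up).
SAMPLE_LOG = [
    "2026-06-15T09:00:01Z alice https://copilot-search.example/search?q=quarterly+budget+review",
    "2026-06-15T09:00:07Z bob https://copilot-search.example/search?q=%3Cb%3Ehello%3C%2Fb%3E",
    "2026-06-15T09:00:09Z bob https://copilot-search.example/search?q=report%253Cb%253E",
    "2026-06-15T09:00:10Z bob https://www.bing.com/constructed-path?u=https%3A%2F%2Fcollector.example%2Fa%2Fb",
]
```

Because the Bing check matches any URL-valued parameter rather than a specific endpoint, expect it to need allowlist tuning against normal image-search traffic before it is useful as an alert.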

What Varonis has shown three times now — and what the broader pattern of Microsoft security disclosures this year reinforces — is that prompt injection is not an exotic AI research problem. It is a practical attack primitive that makes decades-old web vulnerabilities newly dangerous whenever an AI assistant sits between a user and their data. The question Microsoft has not yet answered publicly is whether the response to that problem is an infinite series of backend patches, or a rethinking of how much access a one-click AI tool should silently inherit from the user who clicked.

Technology Desk

The Technology Desk leads The Eastern Herald's coverage of consumer technology, online platforms, artificial intelligence, and internet policy.
