One‑Click Link Exposes Enterprise Data Through Microsoft 365 Copilot Vulnerability
SearchLeak is a critical, three‑stage vulnerability chain in Microsoft 365 Copilot Enterprise that lets an attacker exfiltrate MFA codes, emails, calendar details and confidential files with a single click by abusing the q parameter, bypassing Copilot’s HTML sanitization, and leveraging Bing’s SSRF capability, now fully patched by Microsoft.
Microsoft 365 Copilot Enterprise was found to contain a critical vulnerability chain, dubbed SearchLeak (CVE‑2026‑42824), that allows an attacker to steal MFA codes, email, calendar, and confidential files with a single click.
1. Vulnerability Overview
SearchLeak is not a single flaw but a chain of three weaknesses in the Copilot search feature, discovered by Varonis Threat Labs researcher Dolev Taler and rated with Microsoft’s highest severity.
2. Three‑Stage Attack Chain
Stage 1 – Parameter‑to‑Prompt Injection (P2P Injection)
The Copilot search endpoint accepts a q URL parameter that is processed both as a natural‑language query and as an executable instruction. An attacker crafts a link to a legitimate microsoft.com domain that instructs Copilot to search the victim’s mailbox and embed the extracted data in an image URL.
Stage 2 – Bypassing the Security Wrapper
Copilot wraps its output in a <code> block after generation to prevent browsers from rendering dangerous HTML. During the streaming phase, the injected <img> tag’s raw HTML is rendered in the DOM before the sanitizer runs, creating a textbook race‑condition bypass.
Stage 3 – SSRF via Bing
Because *.bing.com is on the CSP allowlist, the attacker leverages Bing’s “image‑search” feature, which accepts an imgurl parameter and performs a server‑side fetch. The stolen data is placed in the Bing image‑search URL path, causing Bing’s backend to relay the data to the attacker’s server, fully bypassing CSP.
The entire exploit requires only a malicious link sent through email, Teams, Slack, or any messaging channel. Clicking the link triggers a silent Copilot search, generates a response containing the embedded Bing URL, and the attacker’s server records the exfiltrated information within seconds, without any second click.
3. Impact and Mitigation Status
No special permissions required: the attack works against any logged‑in user.
No browser plugins needed.
Single‑click execution: one click completes data theft.
Bypasses traditional defenses because the link points to a legitimate Microsoft domain.
Microsoft has applied a server‑side fix; users receive the remediation automatically.
4. Defense Recommendations
Monitor Copilot search URLs for HTML or image‑embedding payloads in the q parameter.
Audit CSP allowlists and scrutinize any domain that performs server‑side fetches on behalf of users.
Treat AI streaming output as untrusted; perform sanitization at render time rather than as a post‑processing step.
Educate users to verify Microsoft 365 links that contain unusually long encoded query strings before clicking.
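The first recommendation above, applied to the attack shape described in Stage 1 and Stage 3, as an added detection example (not code from Varonis, Microsoft or the original article): it inspects a link to a Microsoft host, decodes its q parameter, and flags HTML tags, a Bing image‑search relay URL carrying an imgurl parameter, and unusually long encoded query strings. The host suffixes, the /copilot path and the sample links are assumptions for this example only.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote, quote

# Assumptions, not from the page: the article only says the link points to a
# legitimate microsoft.com domain and that *.bing.com is CSP-allowlisted.
COPILOT_HOST_SUFFIXES = ("microsoft.com",)
TAG_RE = re.compile(r"<\s*(img|iframe|script|svg|a)\b[^>]*>", re.I)
RELAY_RE = re.compile(r"https?://[^\s'\"<>]*bing\.com/[^\s'\"<>]*[?&]imgurl=", re.I)
LONG_QUERY = 512  # chars of raw query string; tune to your own baseline


def _host_matches(host, suffixes):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _fully_decode(value, rounds=3):
    # Payloads are often double-encoded; peel percent-encoding until stable.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_copilot_link(url):
    """Return finding labels for one URL; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    if not _host_matches(parts.hostname or "", COPILOT_HOST_SUFFIXES):
        return []  # only links to the trusted host are in scope here
    findings = []
    if len(parts.query) > LONG_QUERY:
        findings.append("long_query_string")
    for raw_q in parse_qs(parts.query, keep_blank_values=True).get("q", []):
        q = _fully_decode(raw_q)
        if TAG_RE.search(q):
            findings.append("html_tag_in_q")
        if RELAY_RE.search(q):
            findings.append("bing_imgurl_relay_in_q")
    return findings


# Constructed sample links (not from the page): a normal search and one whose
# q carries an <img> pointing at a Bing image-search relay URL.
SAMPLE_BENIGN = "https://www.microsoft.com/copilot?q=" + quote("quarterly revenue summary")
SAMPLE_MALICIOUS = "https://www.microsoft.com/copilot?q=" + quote(
    '<img src="https://www.bing.com/images/search?imgurl=https://collector.invalid/">'
)

if __name__ == "__main__":
    for link in (SAMPLE_BENIGN, SAMPLE_MALICIOUS):
        print(inspect_copilot_link(link) or "clean", "<-", link[:60])
```

Feed it URLs extracted from mail, chat or proxy logs; any non-empty result is worth an alert, and the long‑query label alone is a weaker signal than the other two.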
5. Related Incident
SearchLeak follows the earlier Reprompt vulnerability discovered in Copilot Personal; both illustrate a growing trend where AI assistants resurrect classic vulnerabilities in new contexts, creating hard‑to‑detect attack surfaces.