Varonis Threat Labs researcher Dolev Taler disclosed SearchLeak in June 2026 — a three-stage attack chain that transforms Microsoft 365 Copilot Enterprise into a one-click data exfiltration weapon. The vulnerability, tracked as CVE-2026-42824 and rated critical by Microsoft, chains a novel Parameter-to-Prompt (P2P) injection with an HTML rendering race condition and a Bing server-side request forgery to silently extract emails, calendar data, SharePoint documents, OneDrive files, and MFA one-time codes from a victim's Microsoft 365 tenant — triggered by a single click on a malicious URL, completing in seconds, leaving no user-visible trace. Microsoft has fully patched the vulnerability server-side; no user or administrator action is required to receive the fix. But the implications of SearchLeak extend well beyond CVE-2026-42824: it is the clearest demonstration to date that Copilot-class AI integrations inherit — and materially amplify — the data access surface of every user who deploys them, and that the vulnerability class it represents will produce further disclosures.
The Attack Chain: Three Stages, One Click
SearchLeak succeeds because it chains three distinct weaknesses — one novel to AI systems and two classic web security bugs — in a sequence that bypasses each layer of Microsoft's output security controls in turn.
Stage 1 — Parameter-to-Prompt injection. The attacker crafts a URL containing a malicious payload in the q query parameter. When the victim opens the link, Copilot reads the q value directly as a user instruction and executes it — searching the victim's entire M365 tenant for the data the attacker specified: email subjects, OTP codes, document titles, calendar content. This is a novel attack class distinct from traditional prompt injection: the attacker does not need to have previously injected content into the victim's data store. The payload arrives via the URL and is executed with the victim's full Copilot permissions at the moment of the click.
Stage 2 — HTML rendering race condition. As Copilot streams its response, it constructs HTML output that is subject to an output sanitization pipeline. Varonis identified a race condition in this pipeline: an attacker-controlled <img> tag can be injected into the response HTML and fires before sanitization completes. The image tag embeds the stolen data — email content, file names, OTP values — in its src URL parameter. Because the tag executes before the sanitizer strips it, the browser sends the request containing the exfiltrated data.
Stage 3 — Bing SSRF and Content Security Policy bypass. The image request does not go directly to an attacker-controlled server. Instead, it is routed through Bing's image retrieval endpoint — a Microsoft-operated server. This is the critical design of the attack: the page's Content Security Policy blocks requests to external domains, but explicitly permits requests to Microsoft infrastructure. Because the exfiltration path runs through Bing, it passes the CSP check entirely. The stolen data reaches the attacker's server embedded in the referrer header or URL parameter of what appears in network logs as a routine Bing image request.
The complete chain — URL click, Copilot search execution, HTML injection, Bing-proxied exfiltration — completes in under ten seconds. The victim sees no error, no unusual UI behaviour, and no indication that any data left the tenant. Standard SIEM and DLP solutions do not flag the exfiltration because the traffic originates from Microsoft infrastructure and matches the expected pattern of Copilot's CDN activity.
What Data Was Accessible
The attack's reach is defined by Copilot's indexed scope — which for an enterprise deployment is, by design, the entire M365 data estate accessible to the authenticated user. Varonis demonstrated extraction of:
Email content, including subject lines and message bodies. Critically, this includes emails containing OTP and MFA codes sent by authentication systems — the attacker can extract a valid one-time code from the victim's inbox and use it to authenticate to a second factor before it expires. Calendar items, including meeting subjects, agendas, and attendee lists. SharePoint documents that Copilot has indexed: financial reports, board materials, contracts, strategic plans. OneDrive files accessible to the victim account. Any other content that the Copilot Enterprise search index covers for that user's permission scope.
The MFA code extraction vector is the most operationally severe consequence. An attacker who delivers the SearchLeak URL to a target can, within seconds, obtain a valid one-time password sent to the victim's email and use it to bypass MFA for any service that delivers OTPs via email — including VPN access, banking portals, and identity management systems. The window is narrow — typically 30–60 seconds — but the attack completes well within it.
Swiss Enterprise Exposure: M365 Copilot in Regulated Sectors
Microsoft 365 Copilot Enterprise is actively deployed — or in advanced pilot phase — across Swiss banking, insurance, legal, and pharmaceutical organisations. These are precisely the sectors where the data Copilot indexes carries the highest regulatory sensitivity: client communications subject to banking secrecy, health data protected under the nDSG, personal data with GDPR obligations for EU-resident data subjects, and strategic information subject to market abuse regulations.
The SearchLeak attack requires only that the victim clicks a malicious URL — a trivially achievable social engineering precondition in any phishing-capable threat actor's kit. The attacker does not need credentials, does not need network access to the M365 tenant, and does not need to have compromised any prior system. A single targeted email with a malicious link, sent to a privileged M365 Copilot user with access to sensitive document libraries, is sufficient to exfiltrate those documents before the user finishes reading the decoy content.
For FINMA-supervised institutions, a successful SearchLeak exploitation before Microsoft's patch would constitute a reportable operational risk event under Circular 2023/1 if sensitive client or financial data was accessed. Under the nDSG, exfiltration of personal data about Swiss residents triggers the breach notification obligation to the FDPIC if the breach is likely to result in a high risk for the affected individuals. The stealth of the attack — zero user-visible indicators, exfiltration through Microsoft's own infrastructure — means detection would depend entirely on Copilot-specific monitoring that most Swiss organisations do not yet have in place.
◆ Key Takeaway
SearchLeak demonstrates that AI copilot integrations are not productivity tools with a security configuration — they are high-privileged data access intermediaries whose security posture determines the confidentiality of every document, email, and credential the underlying user can reach. CVE-2026-42824 has been patched. The architectural reality that made it possible — an AI assistant with tenant-wide data access rendering semi-trusted HTML content routed through trusted infrastructure — has not changed. The next vulnerability in this family is a matter of when, not whether.
The Broader Vulnerability Class
SearchLeak is not an isolated implementation bug — it is an instance of a vulnerability pattern that emerges wherever three conditions coincide: an AI assistant with broad access to user data; the ability to receive attacker-controlled instructions through an external channel (URL parameter, email body, document content); and HTML or rich-text rendering that can embed outbound requests before sanitization fires. These conditions describe not only M365 Copilot but a range of AI productivity integrations currently being deployed in enterprise environments.
Varonis's disclosure is the primary original research, published at varonis.com/blog/searchleak. The research represents a systematic exploration of the P2P injection class — a methodology that other security teams are now applying to comparable AI integrations. Swiss security teams should anticipate that similar findings against other AI assistant products will emerge in H2 2026 and model their AI governance frameworks accordingly.
- Verify your M365 tenant has received Microsoft's server-side patch. The fix is server-side and does not require user or admin action, but confirm with your Microsoft tenant administrator that your organisation is on the patched backend version. Microsoft's patch notes for CVE-2026-42824 provide the version identifiers to validate against.
- Audit the data scope that Copilot can access for each user role. Copilot indexes everything the authenticated user can access. Apply SharePoint sensitivity labels and information barriers to restrict Copilot's effective search scope to data that is appropriate for the user's role. A Copilot deployment where every user can search every SharePoint site is an unnecessarily large exfiltration surface.
- Implement Copilot-specific DLP monitoring. Standard M365 DLP policies do not cover Copilot's search and synthesis activities. Configure Microsoft Purview Data Security Posture Management for Copilot, and define alerts for anomalous search patterns — specifically queries targeting financial documents, authentication emails, or executive communications from accounts that do not typically access those content categories.
- Treat MFA codes delivered via email as a weakened second factor. SearchLeak's ability to extract in-transit OTP codes is a structural consequence of email-delivered MFA. For high-privilege accounts — executives, system administrators, finance personnel with payment authorisation — migrate to TOTP authenticator apps or hardware security keys that do not route through M365.
- Include Copilot and AI assistant integrations in your annual red team scope. P2P injection and HTML rendering race conditions are now established attack classes with documented proof-of-concept code available to skilled researchers. Your red team's AI attack coverage should include URL-delivered instruction injection, content-delivered prompt injection, and data exfiltration via trusted infrastructure proxies.
- Classify your M365 Copilot Enterprise deployment in your nDSG and GDPR data processing inventory. Copilot processes all data accessible to the authenticated user, including personal data about employees, clients, and counterparties. This processing must be documented with an appropriate legal basis, and the data protection impact assessment must account for the risk that AI-assisted access creates relative to direct file access.
- For FINMA-supervised entities: assess whether a SearchLeak exploitation would have triggered mandatory notification. Run a tabletop exercise against the scenario: attacker delivers SearchLeak URL to a relationship manager with Copilot access to client emails and deal documents. What data would have been accessible? What is the notification threshold? Is your incident response runbook current for AI-sourced data exfiltration?
SearchLeak will not be the last vulnerability of its type. The pattern — AI assistant with broad enterprise data access, instruction injection via URL parameter, exfiltration via trusted infrastructure to bypass CSP — is a reproducible template that security researchers are actively probing across every major AI product. Microsoft's patch closes the specific CVE. It does not close the research direction. Swiss enterprises that treat Copilot and equivalent AI integrations as extensions of existing M365 governance — subject to the same data classification, access control, monitoring, and incident response frameworks as direct SharePoint and Exchange access — will be better positioned for the next disclosure than those that manage AI tools as a separate, lighter-touch category. The exfiltration was silent. The governance response should not be.