2026-06-155 mincritical

SearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon

Varonis Threat Labs discovered SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot Enterprise Search (CVE-2026-42824). By chaining Parameter-to-Prompt (P2P) injection, an HTML rendering race condition, and a Server-Side Request Forgery (SSRF) via Bing's image search, attackers could exfiltrate sensitive organizational data via a single malicious link.

Conf:highAnalyzed:2026-06-15Google

IOCs · 3

.txt .json

cve
CVE-2026-42824
domain
kizafair[.]comAttacker-controlled domain used for data exfiltration in the PoC payload.
url
hxxps://kizafair[.]com/zero-trust-smart-doorbell-project/proj[.]pngExfiltration URL embedded in the malicious Copilot prompt via Bing SSRF (observed in PoC screenshots).

Detection / HunterGoogle

What Happened

Security researchers discovered a critical vulnerability chain called SearchLeak in Microsoft 365 Copilot Enterprise. Anyone using this enterprise AI tool could have their private emails, calendar events, and company files stolen if they clicked a single, seemingly safe Microsoft link. This matters because attackers could silently extract sensitive business data without needing passwords or triggering standard security alarms. Microsoft has already patched the issue, but organizations should remain vigilant about suspicious links and monitor their AI tools for unusual activity.

Key Takeaways

SearchLeak is a 3-stage vulnerability chain in M365 Copilot Enterprise Search enabling one-click data exfiltration.
The attack combines Parameter-to-Prompt (P2P) injection, an HTML rendering race condition, and a CSP bypass via Bing SSRF.
Attackers can silently extract emails, meeting details, and indexed organizational files without authentication.
The malicious link uses a trusted Microsoft domain, bypassing traditional anti-phishing and URL protection tools.
Microsoft has patched the vulnerability under CVE-2026-42824 with a Critical severity rating.

Affected Systems

Microsoft 365 Copilot Enterprise Search

Vulnerabilities (CVEs)

CVE-2026-42824

Attack Chain

The attacker sends a crafted Microsoft 365 Copilot Search link containing a malicious prompt in the 'q' parameter. When the victim clicks the link, Copilot executes the prompt, searching the victim's mailbox or files for sensitive data. Copilot then generates a response containing an HTML image tag with the stolen data embedded in the URL, which the browser renders before output sanitization occurs. The image source points to Bing's image search endpoint, which performs a server-side fetch to the attacker's domain, bypassing Content Security Policy (CSP) and exfiltrating the data.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No

The article does not provide specific detection rules, but recommends monitoring for suspicious Copilot Search URLs and reviewing CSP allowlists.

Detection Engineering Assessment

EDR Visibility: None — The attack occurs entirely within the cloud environment (M365 Copilot and Bing servers) and the browser's interaction with legitimate Microsoft domains, leaving no footprint on the endpoint OS. Network Visibility: Low — Network traffic is directed to legitimate Microsoft domains (m365.cloud.microsoft and bing.com) over HTTPS, making the malicious payload difficult to inspect without SSL decryption and deep packet inspection. Detection Difficulty: Hard — The attack uses trusted Microsoft domains, requires no authentication from the attacker, and leverages a race condition and SSRF, making it blend in with legitimate Copilot and Bing traffic.

Required Log Sources

M365 Audit Logs
Web Proxy / Secure Web Gateway logs

Hunting Hypotheses

copy:

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Users clicking on M365 Copilot search links with unusually long or encoded 'q' parameters containing HTML tags or prompt injection keywords.	Web Proxy logs, M365 Audit Logs	Execution	Low to Medium (Legitimate complex searches might occur, but HTML tags in the 'q' parameter are highly suspicious)
Copilot generating responses that trigger immediate outbound image requests to Bing's searchbyimage endpoint with external URLs.	Web Proxy logs	Exfiltration	Medium (Legitimate reverse image searches via Bing occur, but automated triggers from Copilot domains are suspicious)

Control Gaps

Content Security Policy (CSP) allowlisting overly broad endpoints (like Bing image search) that can perform SSRF
Output sanitization occurring post-stream rather than at render time

Key Behavioral Indicators

Encoded payloads in the Copilot 'q' parameter
Presence of <img> tags or 'searchbyimage' strings in Copilot search queries

False Positive Assessment

Recommendations

Immediate Mitigation

Verify against your organization's incident response runbook and team escalation paths before acting.
Ensure Microsoft 365 environments are fully updated and that Microsoft's patch for CVE-2026-42824 is applied (handled cloud-side by Microsoft).
Review M365 audit logs for suspicious Copilot search queries containing HTML tags or prompt injection attempts.

Infrastructure Hardening

Evaluate Content Security Policy (CSP) allowlists to ensure allowed domains cannot be abused for Server-Side Request Forgery (SSRF).
Consider implementing strict URL filtering or inspection for M365 Copilot links containing anomalous parameters.

User Protection

If supported by your web gateway, consider inspecting and blocking URLs targeting M365 Copilot with known prompt injection signatures.

Security Awareness

Train employees to inspect links before clicking, even if they point to trusted domains like microsoft.com.
Instruct users to report unusual AI assistant behavior, such as Copilot spontaneously searching emails without explicit user instruction.

MITRE ATT&CK Mapping

T1566.002 - Phishing: Spearphishing Link
T1190 - Exploit Public-Facing Application
T1530 - Data from Cloud Storage
T1567 - Exfiltration Over Web Service