SearchLeak Let Attackers Steal M365 Emails and MFA Codes in One Click
CVE-2026-42824 chained prompt injection, a timing race, and CSP bypass to exfiltrate Outlook emails, OneDrive files, and MFA codes via Microsoft 365 Copilot. Now patched.
5 articles tagged with "Copilot"
CVE-2026-42824 chained prompt injection, a timing race, and CSP bypass to exfiltrate Outlook emails, OneDrive files, and MFA codes via Microsoft 365 Copilot. Now patched.
CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 allowed information disclosure via injection attacks in Microsoft 365 Copilot. No admin action required.
CVE-2026-26144 allows attackers to silently exfiltrate sensitive data through Microsoft Copilot Agent without user interaction. Patch now or disable Copilot.
Microsoft confirms Copilot bug bypassed DLP policies, reading confidential emails without authorization. European Parliament blocked Copilot over concerns.
Varonis researchers disclosed a vulnerability chain that let attackers exfiltrate user data through Copilot with a single malicious link click. Microsoft has patched the issue.