Vulnerabilities4 min read
SearchLeak Let Attackers Steal M365 Emails and MFA Codes in One Click
CVE-2026-42824 chained prompt injection, a timing race, and CSP bypass to exfiltrate Outlook emails, OneDrive files, and MFA codes via Microsoft 365 Copilot. Now patched.
Marcus ChenJun 23, 2026