# SearchLeak: One-Click Flaw in Microsoft 365 Copilot Exposed Sensitive Data
A critical vulnerability, dubbed **SearchLeak** by **Varonis Threat Labs**, allowed attackers to exfiltrate sensitive data from **Microsoft 365 Copilot Enterprise Search** with a single click on a trusted **Microsoft** link. This sophisticated attack chained three distinct bugs, including a novel **Parameter-to-Prompt injection**, bypassing traditional security measures and leveraging **Bing's** infrastructure as an exfiltration proxy. While **Microsoft** has mitigated the flaw, the incident highlights persistent challenges in securing AI-powered enterprise tools.

A single click on a trusted **microsoft.com** domain could have allowed an attacker to pull emails, calendar details, and indexed files from **Microsoft 365 Copilot Enterprise Search**. Researchers at **Varonis Threat Labs** discovered and chained three bugs into a one-click exfiltration path they named **SearchLeak**.
Crucially, because the malicious link pointed to a legitimate **Microsoft** domain, traditional anti-phishing and URL filtering tools were unlikely to flag it. The attack required no prompts, no passwords, and no secondary clicks from the victim.
**Microsoft** assigned **CVE-2026-42824** to the flaw, marking it as critical. While **Microsoft's** CVSS score was 6.5, the **National Vulnerability Database** assessed it higher at 7.5. The company has since mitigated the flaw on its backend, meaning customers are no longer at risk, and **Varonis** presented a proof-of-concept without observing any in-the-wild exploitation.
## Three Bugs, One Click
**Microsoft's** advisory describes the flaw as a command injection capable of exposing information over a network. In practice, **SearchLeak** combines one AI-specific weakness with two older web vulnerabilities, with each component essential for the attack chain.
The entry point is the `q` parameter in the **Copilot Enterprise Search** URL. While intended for natural-language queries, **Copilot** interpreted whatever was placed there as direct instructions, not merely a search string.
**Varonis** refers to this as **Parameter-to-Prompt injection**. An attacker could craft a URL that instructed **Copilot** to search the victim's mailbox, extract an email title, and then embed that title within an image URL. The instructions ran in the victim's **Copilot** session as soon as the link was opened, with a single click.
The second vulnerability involved a race condition during rendering. **Microsoft's** safeguard wraps **Copilot** output in `<code>` blocks to ensure browsers treat markup as text. However, this wrapping occurred *after* **Copilot** finished generating the output, while the browser rendered the stream as it arrived. The injected `<img>` tag was drawn and triggered its request before the sanitizer could neutralize it.
The final link in the chain bypassed the page's **Content Security Policy (CSP)**. The **CSP** on `m365.cloud.microsoft` blocked images from arbitrary domains but explicitly allowlisted `*.bing.com`. **Bing's** "Search by Image" endpoint accepts an image URL and fetches it server-side for analysis. When that fetch was pointed at an attacker's server with the stolen text encoded in the path, **Bing's** own request carried the data out. The browser's **CSP** never applied because the request originated from **Bing's** infrastructure, making **Bing** an unwitting exfiltration proxy.

In summary: a victim clicks, **Copilot** searches their data, the response embeds a value (e.g., an email subject) in a **Bing** image URL, the browser calls **Bing** during streaming, and **Bing** then requests the attacker's URL. The attacker could then log this request, reading the stolen information, such as `Your_Security_Code_847291/img.png`.
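
The rendering race described above comes down to ordering: output that is neutralised only after streaming has already been parsed once. The following is an added illustration, not code from Varonis or Microsoft; the `StreamingView` class, the chunk contents and the `img-host.example` host are constructed for the example.

```python
import html
import re

# Constructed model output arriving in three stream chunks (placeholder host).
CHUNKS = ['Top result: <img src="https://img-host.example/',
          'lookup?u=placeholder">', ' (1 item)']
IMG_RE = re.compile(r'<img\s[^>]*src="([^"]+)"', re.I)

class StreamingView:
    """Toy browser pane: re-parses on every update and fetches new <img src>."""
    def __init__(self):
        self.buffer, self.fetched = "", []

    def append(self, fragment):
        self.set(self.buffer + fragment)

    def set(self, markup):
        self.buffer = markup
        for src in IMG_RE.findall(markup):
            if src not in self.fetched:
                self.fetched.append(src)  # the request has left; it cannot be recalled

def render_wrap_after(chunks):
    """Racy order from the article: stream raw output, neutralise once complete."""
    view = StreamingView()
    for chunk in chunks:
        view.append(chunk)
    view.set("<code>" + html.escape(view.buffer) + "</code>")
    return view

def render_escape_first(chunks):
    """Hardened order: every chunk is escaped before the view ever sees it."""
    view = StreamingView()
    view.append("<code>")
    for chunk in chunks:
        view.append(html.escape(chunk))
    view.append("</code>")
    return view

if __name__ == "__main__":
    for render in (render_wrap_after, render_escape_first):
        print(render.__name__, render(CHUNKS).fetched)
```

Both orders end with identical markup on screen; only the first has already issued an image request by then, which is why inspecting the final rendered output would not reveal the problem.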
## What an Attacker Gains
**Copilot Enterprise** can access whatever the signed-in user can via their **Microsoft Graph** access. An attacker exploiting **SearchLeak** would inherit this level of access without ever needing to log in.
Immediate targets include time-sensitive data such as one-time codes, MFA codes, and password-reset links, which are often valid for a few minutes. A script could rapidly lift these from logs and potentially take over an account before the victim notices.
Beyond immediate account compromise, the same access extends to calendar invites, meeting notes, and any **SharePoint** or **OneDrive** file indexed by **Copilot**. This could expose highly sensitive corporate data, including salary information, earnings figures, and acquisition plans.
**SearchLeak** marks the second instance where **Varonis** has demonstrated this attack pattern. **Varonis** researcher **Dolev Taler** previously showcased a similar one-click technique in an earlier **Reprompt attack** against **Copilot Personal**. The fact that it held up against **Enterprise Search**, despite its supposed enhanced guardrails, is particularly concerning.
This pattern also appeared in **EchoLeak** (**CVE-2025-32711**), the zero-click **Copilot** data-leak bug disclosed by **Aim Security** in 2025. While **SSRF** and sanitizer races are older vulnerability classes, the **prompt injection** element is novel, making these well-known bugs exploitable in new contexts.
**Microsoft** has mitigated the flaw on its backend. As **Copilot Enterprise** is a managed service, tenant administrators cannot directly patch or reconfigure the affected components. However, organizations can enhance their vigilance and containment strategies.
Admins should monitor **Copilot Search** URLs for encoded payloads or HTML within the `q` parameter, and look for unusual outbound requests to **Bing's** image endpoints. Additionally, tightening data-access governance to reduce what **Copilot** indexes can significantly shrink the potential impact of any future data leaks.
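
One way to apply the monitoring advice above to proxy or gateway logs, as an added example that is not tooling from Varonis or Microsoft. The finding names, the sample URLs, their paths and the `u` parameter are constructed; the heuristic for Bing (any parameter whose value is an absolute URL) is an assumption, since the article does not give the endpoint's path or parameter names.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

COPILOT_HOST = "m365.cloud.microsoft"            # host named in the article
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")  # anything shaped like an HTML tag
URL_RE = re.compile(r"https?://", re.I)
ENC_RE = re.compile(r"%[0-9a-fA-F]{2}")

def fully_decode(value, max_rounds=5):
    """Undo percent-encoding left after parse_qs; return (text, extra_rounds)."""
    rounds = 0
    while rounds < max_rounds and ENC_RE.search(value):
        value, rounds = unquote(value), rounds + 1
    return value, rounds

def inspect_url(url):
    """Return findings for one logged URL (empty list means nothing notable)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if host == COPILOT_HOST:
        for raw in params.get("q", []):
            text, rounds = fully_decode(raw)
            if rounds:
                findings.append("q-multi-encoded")
            if TAG_RE.search(text):
                findings.append("q-html-tag")
            if URL_RE.search(text):
                findings.append("q-embedded-url")
    elif host == "bing.com" or host.endswith(".bing.com"):
        for raw in (v for values in params.values() for v in values):
            text, _ = fully_decode(raw)
            if URL_RE.match(text):  # Bing is being asked to fetch a remote URL
                findings.append("bing-remote-url:" + (urlsplit(text).hostname or "?"))
    return findings

# Constructed proxy-log URLs; paths and the "u" parameter are placeholders.
SAMPLE_URLS = [
    "https://m365.cloud.microsoft/search?q=quarterly%20report",
    "https://m365.cloud.microsoft/search?q=summary%253Cimg%2520src%253Dx%253E",
    "https://www.bing.com/placeholder-path?u=https%3A%2F%2Fcollector.example%2Fa.png",
    "https://www.bing.com/search?q=weather",
]

def scan(urls):
    """Map each URL that produced findings to its findings."""
    return {u: f for u in urls if (f := inspect_url(u))}
```

Legitimate Bing image lookups also carry remote URLs, so the `bing-remote-url` finding is most useful when the reported host is compared against what the organization normally sees.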