Share with your CISO
Microsoft has patched a critical vulnerability in 365 Copilot Enterprise, catalogued as CVE-2026-42824, that researchers at Varonis named “SearchLeak.” The attack chains three weaknesses: prompt injection via a manipulated search URL, an HTML rendering race condition during Copilot’s streaming response, and a server-side request forgery flaw routed through Bing’s infrastructure. Together, they allowed silent exfiltration of emails, credentials, calendar entries, and documents from a single malicious link click. Microsoft says the SearchLeak patch requires no user action to take effect.
What this means for your business
The attack required zero interaction beyond the victim opening a link. No credential theft, no malware download, no suspicious prompt the user could second-guess. That’s a qualitatively different threat model than anything your existing security awareness training addresses. If Copilot is deployed across your organization today, your employees were exposed to a silent exfiltration path that looked, from their seat, like a normal AI query completing.
The deeper problem is what Varonis actually demonstrated: individually low-severity bugs become critical when an AI system sits between them and your data. Each of the three flaws in SearchLeak was unremarkable in isolation. Chained through Copilot’s privileged access to mailboxes, files, and calendars, they produced a data exfiltration technique that bypassed Content Security Policy entirely by routing through Bing’s own trusted infrastructure. The AI’s deep integration is the amplifier, not a coincidence. Every enterprise AI tool granted broad data access inherits this compounding risk profile.
The signal worth watching: vendors are now racing to deploy AI agents with ever-wider data permissions while their security teams are still catching up to the attack surface those permissions create. Microsoft patched this one. The question your team needs to answer is how many similar chains exist in the other Copilot features, the other AI platforms, and the third-party integrations your organization approved last quarter before this class of vulnerability had a public CVE attached to it.
Concept deep-dive: Prompt injection via URL parameter
Prompt injection is an attack where malicious instructions are smuggled into the input an AI model processes, overriding its intended behavior. It exists because large language models cannot reliably distinguish between legitimate user instructions and adversarial ones embedded in content they’re asked to read. Think of it as a forged memo slipped into a stack of documents the model is summarizing. In SearchLeak, the injected instruction arrived through Copilot’s search query parameter and told the model to silently scan and exfiltrate data rather than answer a question. No user awareness required.
Based on reporting from Microsoft Patches Critical SearchLeak Flaw in 365 Copilot, originally published 2026-06-15 11:20:00.

