- Varonis discovered “SearchLeak”, chaining three flaws in Microsoft 365 Copilot to allow data theft with a single click.
- The attack leveraged prompt injection, an HTML race condition, and a Bing SSRF to leak data from Inbox, OneDrive, and SharePoint.
- Microsoft patched CVE-2026-42824 earlier this month, rating it a critical 10/10.
Experts have discovered a way to turn Microsoft 365 Copilot into a one-click data theft tool, capable of extracting sensitive information from people’s inboxes, OneDrive and SharePoint instances.
The method was recently patched by Microsoft and was developed by security researchers at Varonis, who called it SearchLeak and explained that it works by chaining three vulnerabilities.
On their own, the three flaws can’t do much damage, but together they are strong enough to warrant a patch.
Exfiltration proxy
The three flaws chained together are a request parameter injection, an HTML rendering race condition, and a content security policy (CSP) bypass enabled by a server-side request forgery (SSRF) in Bing.
The attack begins when a victim clicks on a specially crafted Microsoft 365 Copilot Enterprise Search link. The URL contains hidden instructions in the search query parameter, which instruct Copilot to search the victim’s emails, OneDrive files, SharePoint documents, or calendar data and include the results within an image URL.
When Copilot generates its response, a race condition causes the browser to briefly render attacker-controlled HTML before Microsoft’s sanitization process completes. This allows an image tag whose URL carries the stolen data to load.
Finally, the image request is routed through Bing’s “Search by Image” feature and, due to the SSRF flaw, Bing is able to retrieve the URL controlled by the attacker on behalf of the victim and bypass Content Security Policy protections. The sensitive data embedded in the URL is transmitted to the attacker’s server, where they can retrieve it from web request logs.
“Bing becomes an unintentional exfiltration proxy,” the researchers explained. “A classic SSRF, hidden in plain sight behind a CSP allowlist entry.”
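To make the CSP point concrete, here is an added example (not Varonis’s or Microsoft’s code) using a constructed policy and a hypothetical allowlisted host that fetches caller-supplied URLs. It shows that an image request to such a host passes the `img-src` check while the data still ends up at an outside host, and `risky_allowlist_entries` is the audit check a defender would run over their own policy.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample policy; the real Copilot/Bing allowlist entries are not given on the page.
CSP = "default-src 'self'; img-src 'self' https://images.example-cdn.net https://search.example-proxy.net"

# Hypothetical: allowlisted hosts that fetch a caller-supplied URL (an image-search style endpoint),
# mapped to the query parameter carrying that URL. Such a host acts as an exfiltration proxy.
URL_FETCHING_HOSTS = {"search.example-proxy.net": "url"}


def parse_csp(csp: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out


def img_src_allows(csp: str, url: str) -> bool:
    """Simplified img-src check: does the policy allow an <img> load from url's origin?"""
    directives = parse_csp(csp)
    sources = directives.get("img-src", directives.get("default-src", []))
    target = urlparse(url)
    for src in sources:
        if src.startswith("'"):
            continue  # keyword sources ('self', 'none') do not match an external host here
        s = urlparse(src)
        if s.scheme == target.scheme and s.hostname == target.hostname:
            return True
    return False


def effective_destination(url: str) -> str:
    """Host that finally receives the data: follow one server-side fetch if the host proxies URLs."""
    p = urlparse(url)
    param = URL_FETCHING_HOSTS.get(p.hostname)
    if param:
        inner = parse_qs(p.query).get(param, [""])[0]
        if inner:
            return urlparse(inner).hostname or p.hostname
    return p.hostname


def risky_allowlist_entries(csp: str) -> list:
    """Audit check: img-src entries whose host fetches caller-supplied URLs, which void the allowlist."""
    sources = parse_csp(csp).get("img-src", [])
    return [src for src in sources if urlparse(src).hostname in URL_FETCHING_HOSTS]
```

The mitigation the check points at is to drop or scope any allowlist entry whose host will fetch arbitrary URLs on the page’s behalf, since the browser’s policy cannot see past that hop.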
Varonis says that on the victim’s side, all they see is a normal Copilot search session, and emphasized that AI has turned simple, easy-to-fix flaws such as SSRF and HTML injection race conditions into powerful ones.
Earlier this month, Microsoft patched the flaw, assigning it a maximum severity rating (10/10 critical) and tracking it as CVE-2026-42824.
Via BleepingComputer