Particle.news

SearchLeak Turns Microsoft 365 Copilot Into One-Click Data-Exfiltration Tool

Copilot's prompt handling can chain old web bugs into a one-click exfiltration path that forces customers to rely on Microsoft for fixes.

Overview

  • Security researchers at Varonis built a proof-of-concept called SearchLeak that chains three flaws into a single attack that runs when a user clicks a trusted Copilot Search URL.
  • The chain uses a parameter-to-prompt injection in the 'q' URL parameter, an HTML streaming race that lets a temporary tag fire, and Bing's server-side "Search by Image" fetch as an involuntary exfiltration proxy.
  • An attacker using the chain could extract sensitive content that Copilot Search can access, including emails, calendar items, OneDrive and SharePoint files, and short-lived items such as one-time codes and password reset links.
  • Microsoft assigned the issue CVE-2026-42824, implemented server-side mitigations in Copilot Enterprise, and noted that tenant administrators cannot patch the managed service; Varonis reported a proof of concept but no known in-the-wild exploitation, and the CVSS scores assigned by different vendors differ.
  • Defenders should monitor Copilot Search 'q' parameters for encoded or HTML payloads, watch for unusual Bing image endpoint requests, tighten what Copilot indexes, and treat prompt-injection as an attack surface that can revive old web bugs like SSRF and HTML injection races.
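As an added detection example (not from the article, Varonis or Microsoft), the Python below applies the first monitoring recommendation to constructed proxy-log lines: it pulls the 'q' parameter out of each Copilot Search URL and flags HTML tags, HTML entities and nested percent-encoding. The host name and log format are assumptions; substitute the Copilot Search host your tenant actually sees.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Placeholder host, not a real one: replace with the Copilot Search host in your logs.
COPILOT_SEARCH_HOSTS = {"copilot-search.example"}

HTML_TAG_RE = re.compile(r"<\s*/?[a-zA-Z][^<>]*>")
HTML_ENTITY_RE = re.compile(r"&(#x?[0-9a-fA-F]+|[a-zA-Z]+);")
MAX_DECODE_ROUNDS = 5

def decode_rounds(value):
    """Percent-decode repeatedly; return (final value, number of rounds that changed it)."""
    rounds = 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_q_param(url):
    """Return findings for the q parameter of one URL: host match plus a list of flags."""
    parts = urlsplit(url)
    findings = {"host_match": parts.hostname in COPILOT_SEARCH_HOSTS, "flags": []}
    # parse_qs already decodes once, so any further decoding means the URL was double-encoded.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("q", []):
        decoded, rounds = decode_rounds(raw)
        if rounds >= 1:
            findings["flags"].append("nested-encoding")
        if HTML_TAG_RE.search(decoded):
            findings["flags"].append("html-tag")
        if HTML_ENTITY_RE.search(decoded):
            findings["flags"].append("html-entities")
        if len(decoded) > 512:
            findings["flags"].append("oversized")
    return findings

def scan_proxy_log(lines):
    """Return (line number, flags) for Copilot Search requests whose q parameter is suspicious."""
    alerts = []
    for n, line in enumerate(lines, 1):
        fields = line.split()            # constructed format: timestamp client method url
        if len(fields) < 4:
            continue
        f = inspect_q_param(fields[3])
        if f["host_match"] and f["flags"]:
            alerts.append((n, f["flags"]))
    return alerts

# Constructed sample log: a benign query, an HTML tag, a double-encoded entity payload,
# and an HTML tag sent to an unrelated host (ignored because the host does not match).
SAMPLE_LOG = [
    "2026-01-01T10:00:00Z 10.0.0.5 GET https://copilot-search.example/search?q=quarterly+revenue+report",
    "2026-01-01T10:00:01Z 10.0.0.5 GET https://copilot-search.example/search?q=%3Cimg%20src%3D%22x%22%3E",
    "2026-01-01T10:00:02Z 10.0.0.7 GET https://copilot-search.example/search?q=%2526lt%253Bdiv%2526gt%253B",
    "2026-01-01T10:00:03Z 10.0.0.9 GET https://intranet.example/search?q=%3Cb%3Ebold%3C%2Fb%3E",
]

if __name__ == "__main__":
    for line_no, flags in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(flags)}")
```

The flags are meant to feed a SIEM rule alongside the second recommendation (unusual Bing image endpoint requests), since a flagged 'q' value followed by such a request from the same client is the sequence the article describes.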