SearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon

2026-06-24 · Source: Cloud Security Alliance · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning · Depth: Advanced, medium

Summary

Varonis Threat Labs discovered SearchLeak, a critical vulnerability chain (CVE-2026-42824) in Microsoft 365 Copilot Enterprise, published on 06/24/2026. This three-stage attack allows one-click data exfiltration of sensitive information like MFA codes, emails, meeting details, and private organizational files from a victim's mailbox, calendar, SharePoint, and OneDrive. SearchLeak combines a Parameter-to-Prompt (P2P) Injection, an HTML Rendering Race Condition, and a Server-Side Request Forgery (SSRF) via Bing. The attack leverages a trusted microsoft.com domain, bypassing traditional anti-phishing, and requires no special permissions, making it difficult to detect and enabling broad data theft scenarios within an organization.

Key takeaway

For AI Security Engineers managing Microsoft 365 Copilot Enterprise environments, you must recognize that AI introduces new attack surfaces that can re-enable classic web vulnerabilities. Proactively monitor for suspicious Copilot Search URLs containing encoded payloads and review your Content Security Policy allowlists for domains that perform server-side fetches. You should also treat all AI streaming output as untrusted, ensuring sanitization occurs at render time to prevent race conditions.

Key insights

AI-specific vulnerabilities can chain with classic web bugs to create novel, potent data exfiltration paths.

Principles

• AI creates new attack surfaces for classic web vulnerabilities.
• Sanitization of AI streaming output must occur at render time.
• Allowlisted domains performing server-side fetches pose SSRF risks.

Method

An attacker crafts a URL with a P2P injection, triggering an HTML race condition during Copilot's streaming output, which then uses Bing's allowlisted SSRF endpoint to exfiltrate data.

In practice

• Monitor Copilot Search URLs for encoded payloads.
• Review CSP allowlists for server-side fetch capabilities.
• Treat AI streaming output as untrusted at all stages.

Topics

• Microsoft 365 Copilot
• Data Exfiltration
• Parameter-to-Prompt Injection
• Server-Side Request Forgery
• HTML Injection
• Vulnerability Chain
• AI Security

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, IT Professional

Related on AIssential

• Critical Copilot vulnerability allowed hackers to steal 2FA code from users — AI models struggle to distinguish user instructions from malicious embedded commands, creating fundamental security vulnerabilities.
• SearchLeak: Prompt-inject enterprise Copilot with a search — Prompt injection remains a fundamental security flaw in enterprise chatbots.
• Copirate 365 at DEF CON: Plundering in the Depths of Microsoft Copilot (CVE-2026-24299) — AI assistants with private data, untrusted content, and external communication form a "lethal trifecta" for data exfiltration.
• The Red Agent POV: How it Reasoned its Way to SSRF — AI-driven Red Agent found a complex SSRF-to-LFR exploit by reasoning through application-specific behaviors and validator-fetcher parsing differentials.
• Out of the Crypt: The Evolving Cyber Extortion Economy — Data theft and regulatory pressure now drive cyber extortion, with AI poised to drastically accelerate attack timelines.
• Microsoft Says Copilot AI Helped Knock Down Cybercrime Tools — Microsoft's Copilot AI reportedly aided in disrupting cybercrime operations.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Cloud Security Alliance.