Researchers Turned Microsoft 365 Copilot Into a One-Click Email and Document Theft Tool

Security researchers at Varonis disclosed on June 15 a critical vulnerability chain in Microsoft 365 Copilot Enterprise Search that allowed attackers to steal emails, calendar events, passwords stored in email, and SharePoint documents using nothing more than a malicious link. Microsoft, which rated the flaw CVE-2026-42824 as Critical and patched it in early June 2026, confirmed the technique worked silently — victims would see no indication their data was being collected.

Varonis named the attack "SearchLeak." It chains three distinct weaknesses into a single, automated exfiltration path that bypasses both Microsoft's content sanitization and its Content Security Policy protections. As reported by BleepingComputer, no active exploitation has been identified, but the technique is straightforward enough that exploitation before the patch was plausible.

How the Three-Stage Attack Chain Works

The attack begins with a URL. An attacker sends a victim a link — embedded in a phishing email, Slack message, or Teams chat — that points to Microsoft 365 Copilot Search with a crafted query parameter. That query instructs Copilot's AI to search the user's emails and extract specific content, like access codes or meeting details, then embed that content into an outbound image URL.

Stage two exploits a race condition in how Copilot renders HTML during streaming. Before Microsoft's sanitization layer can strip dangerous tags, an <img> element in the raw output fires — making an outbound HTTP request carrying the stolen data in the URL parameters. This happens in milliseconds, before the user sees anything unusual.

Stage three bypasses Copilot's Content Security Policy, which should block outbound requests to unknown servers. Varonis found they could route the exfiltration through Bing's "Search by Image" feature — a trusted Microsoft service that Copilot is permitted to contact. The stolen data arrives at the attacker's server having passed through Microsoft infrastructure the entire time.

What Data Was at Risk

Through a single crafted link, the chain could extract virtually any content accessible to the user's Copilot Enterprise license: email bodies (including one-time codes, password reset links, and internal credentials shared via email), calendar events with attendees and meeting content, SharePoint and OneDrive documents, and anything else indexed in Enterprise Search. The scope is determined by what the AI is instructed to search for — an attacker could target specific keywords, recent emails, or named file types.

The silent nature of the attack is what makes it particularly concerning. Unlike browser-based XSS, there is no visible redirect, no page change, and no error. A victim clicking a link in a phishing email would simply see a normal Copilot search result — while their data left the building in the background.

The Broader Pattern: AI as an Attack Surface

SearchLeak follows a growing pattern of researchers finding that enterprise AI tools introduce new attack surfaces that don't map neatly to existing defenses. Prompt injection — the technique at stage one of this chain — is not a traditional code vulnerability. It exploits the fact that AI assistants accept natural-language instructions, and an attacker-controlled instruction (embedded in a URL parameter) is interpreted the same way as a legitimate user request.

Microsoft has faced similar disclosures in Copilot for Microsoft 365, Azure OpenAI Service, and Bing Chat over the past 18 months. The common thread: content sanitization and security policies designed for web pages don't automatically extend to AI-generated output, which can include HTML, embedded links, and external resource requests produced by the model itself rather than the page author.

Mitigation

Microsoft patched CVE-2026-42824 server-side in early June 2026 as part of a broader Copilot service update, with the fix reaching all customers before the public disclosure. No user action or client update is required. Organizations using Microsoft 365 Copilot Enterprise should confirm they are on a post-June service version, and security teams should review whether similar parameter-injection risks exist in any internal AI tools that accept URL-based query parameters.