BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Microsoft 365 SearchLeak Bug Exposed Data in One Click

SearchLeak exploit steals Microsoft 365 Copilot data via a one-click attack chain.

  • A one-click exploit called SearchLeak could exfiltrate emails, calendar details, and indexed files from Microsoft 365 Copilot Enterprise Search.
  • The attack chained three bugs: a “Parameter-to-Prompt injection,” a race condition in response sanitization, and a CSP bypass using Bing’s image search.
  • Microsoft mitigated the critical flaw, assigned CVE-2026-42824, on its backend; no customer action was required.

On June 15, 2026, security researchers at Varonis Threat Labs disclosed a critical vulnerability in Microsoft 365 Copilot Enterprise Search. A single click on a malicious Microsoft link could have let an attacker steal sensitive data. Dubbed SearchLeak, this flaw exploited AI-specific weaknesses alongside classic web bugs, according to the researchers.

- Advertisement -

The attack chain began with a Parameter-to-Prompt injection via the search URL. Consequently, Copilot would execute injected commands to pull data like email subjects. This data was then embedded into an image tag before security guardrails could activate.

Meanwhile, a race condition allowed the browser to render the malicious tag during streamed output. The browser’s Content Security Policy was bypassed by pointing the image to a Bing.com endpoint. Bing would then fetch the attacker’s URL, acting as an unwitting exfiltration proxy.

The potential impact was significant, as Copilot inherits the signed-in user’s access. An attacker could thus harvest one-time codes, MFA tokens, or password-reset links directly from the victim’s inbox. Furthermore, calendar invites, meeting notes, and indexed files from SharePoint or OneDrive were also at risk.

Microsoft assigned CVE-2026-42824 to the flaw, which the National Vulnerability Database also listed. This incident follows a similar pattern demonstrated earlier by Varonis against Copilot Personal. It also echoes the EchoLeak vulnerability (CVE-2025-32711) disclosed by Aim Security in 2025.

- Advertisement -

The company mitigated the issue on its backend, so customers needed no action. For defense, organizations were advised to monitor for suspicious Copilot search URLs and unusual requests to Bing. Tightening data-access governance for Copilot was also recommended to limit potential exposure.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Nvidia’s Kyber AI rack delayed to 2028: report

NVIDIA's next-generation Kyber server rack, designed for Rubin Ultra chips, is delayed to 2028...

TrojPix Air-Gap Attack Uses Monitor Cables

Researchers at Shandong University have demonstrated a new covert data exfiltration technique called TrojPix.The...

Bitcoin Reclaims $63k as Crypto Market Sees July Reversal

Bitcoin (BTC) reclaimed $63,000 in early July 2026, signaling a market reversal after a...

2026 ASEAN SHOP Opens in Kuala Lumpur to Drive Southeast Asia’s Smart Retail Growth

KUALA LUMPUR, Malaysia. ASEAN SHOP will host its 2026 edition at the MITEC Pavilion...

Bitcoin Data Strong Amid Selling and Yield Fears

Despite a zero ByteTrend score, the Bitcoin network's weekly on-chain transaction value is $13.5...

Must Read

A Beginner’s Guide To Cryptocurrency Mining

Cryptocurrency is considered one of the most popular forms of financial assets today. Many of these digital assets operate within blockchain technology which works...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading