A critical vulnerability chain called SearchLeak in Microsoft 365 Copilot Enterprise could let attackers steal sensitive data from mailboxes, OneDrive, and SharePoint through a specially crafted URL. Microsoft patched the flaw and tracks it as CVE-2026-42824; researchers showed how prompt injection, an HTML rendering race condition, and a Bing SSRF issue could be chained to exfiltrate emails, calendar details, and documents. #Microsoft365CopilotEnterprise #SearchLeak #CVE-2026-42824 #Bing #Varonis
Keypoints
- SearchLeak targets Microsoft 365 Copilot Enterprise through a specially crafted URL.
- The attack can expose emails, calendar events, documents, and OneDrive or SharePoint content.
- Researchers chained parameter-to-prompt injection, HTML rendering race conditions, and CSP bypass techniques.
- Bing's Search by Image feature was abused as an SSRF-based exfiltration proxy.
- Microsoft patched the issue and assigned it CVE-2026-42824 with critical severity.