New Delhi | A serious cybersecurity warning has emerged around Microsoft 365 Copilot Enterprise after researchers uncovered a complex attack chain dubbed “SearchLeak,” which could potentially allow attackers to steal sensitive user data through a specially crafted link.
According to cybersecurity researchers at Varonis, the attack combined multiple vulnerabilities, including prompt injection, an HTML rendering race condition, and a Server-Side Request Forgery (SSRF) flaw. While each issue alone may not appear highly dangerous, chaining them together created a powerful data exfiltration technique capable of extracting sensitive enterprise information.
The attack reportedly begins with a specially designed URL containing the “q” parameter, which is used by Copilot Search to process queries. In this scenario, attackers could manipulate the parameter to instruct Copilot to automatically scan a user’s mailbox, meeting notes, and stored files without any direct input from the victim.
Researchers explained that the manipulated system could be tricked into extracting data and embedding it within an image URL, effectively hiding the stolen information in a format that appears harmless during normal processing.
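For defenders triaging links seen in mail or proxy logs, the following added example (not code from Varonis or Microsoft) flags search links whose “q” parameter carries an embedded URL or HTML markup, the traits described above. The host name, the length threshold and the marker patterns are assumptions chosen for illustration, and the sample links in the comments and tests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: placeholder host. Replace with the Copilot Search host seen in your own logs.
SEARCH_HOSTS = {"copilot-search.example.invalid"}
# Assumption: ordinary search queries are short; tune against your own baseline.
MAX_QUERY_LEN = 200

# Heuristic markers (assumptions, not vendor signatures).
MARKERS = {
    "embedded_url": re.compile(r"https?://", re.I),
    "html_markup": re.compile(r"<\s*[a-z][^>]*>", re.I),
}

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding, which can hide markup from simple filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage_link(url):
    """Return a sorted list of reasons a link's q parameter looks abnormal."""
    parts = urlsplit(url)
    if parts.hostname not in SEARCH_HOSTS:
        return []
    reasons = set()
    # parse_qs already decodes once; fully_decode handles any further layers.
    for raw in parse_qs(parts.query).get("q", []):
        query = fully_decode(raw)
        if len(query) > MAX_QUERY_LEN:
            reasons.add("long_query")
        reasons.update(name for name, rx in MARKERS.items() if rx.search(query))
    return sorted(reasons)

if __name__ == "__main__":
    # Constructed sample links, not taken from the research.
    samples = [
        "https://copilot-search.example.invalid/search?q=quarterly+budget+review",
        "https://copilot-search.example.invalid/search?q=notes%20%253Cimg%20src%253D"
        "https%253A%252F%252Fimg.example.invalid%252Fa.png%253E",
    ]
    for link in samples:
        print(triage_link(link) or "ok", link[:60])
```

A hit is a reason to review the link, not proof of abuse; legitimate queries can contain URLs.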
The second stage of the attack exploits an HTML rendering race condition. During Copilot’s streaming response, the browser temporarily renders raw HTML before it is fully sanitized. In this short window, attacker-controlled markup, particularly an <img> tag, can be rendered and trigger external network requests before security filters are applied.
The third and final stage involves abusing Bing’s “Search by Image” feature. Here, an SSRF vulnerability allows the attacker to route requests through Bing’s infrastructure. Since the request originates from a trusted Microsoft service, Content Security Policy (CSP) protections are effectively bypassed, enabling data leakage to the attacker’s server.
Varonis researchers noted that this entire process occurs silently and rapidly, making it difficult for users to detect any abnormal behavior. From the victim’s perspective, Copilot simply appears to be processing a normal query, while sensitive data such as emails, access credentials, calendar entries, and documents may be exfiltrated in the background.
One of the key concerns highlighted by researchers is the combination of AI prompt injection techniques with traditional web vulnerabilities. This fusion significantly expands the attack surface, turning previously low-risk bugs into high-impact security threats in AI-driven environments.
Microsoft has classified the issue under CVE-2026-42824 and assigned it a Critical severity rating. The company has already released a patch addressing the vulnerability, stating that no additional user action is required to stay protected.
Security experts say the incident highlights a growing trend in which AI-powered enterprise tools, due to their deep integration with organizational data, are becoming increasingly attractive targets for cyber attackers. As systems like Copilot gain broader access to emails, documents, and cloud storage, the potential impact of exploitation increases significantly.
Experts further warn that such attack methods could become more common in the future, with a single click on a malicious link potentially exposing entire corporate data environments. For now, Microsoft and security researchers continue to monitor and strengthen AI security frameworks to prevent similar exploitation techniques.