What happened
Varonis Threat Labs published a technical disclosure named SearchLeak (CVE-2026-42824), describing a proof-of-concept three-stage vulnerability chain that abuses Microsoft 365 Copilot Enterprise Search to exfiltrate enterprise data, according to Varonis' blog post and technical report. Varonis reports the chain can surface and transmit emails, two-factor authentication codes, meeting details, SharePoint documents, and OneDrive files from a Copilot Enterprise tenant after a single click on a crafted link. Multiple security outlets, including BleepingComputer, Dark Reading, and The Hacker News, report that Microsoft addressed the issue and that the finding received a maximum "critical" severity rating, per the public reporting and Varonis' disclosure.
Technical details
Per Varonis' writeup, SearchLeak chains three distinct weaknesses: Parameter-to-Prompt (P2P) injection, where the q URL parameter sent to Copilot Enterprise Search is treated as executable prompt input; an HTML rendering race condition that permits temporary rendering of attacker-controlled HTML (for example an <img> tag) before sanitization completes; and a Content Security Policy bypass achieved via Bing's image search acting as a server-side request forgery (SSRF) proxy to fetch attacker-controlled URLs. Varonis demonstrates how these steps allow Copilot to search indexed organizational content and embed results in outbound requests that Bing then retrieves, delivering the data to an attacker-controlled endpoint, as described in the technical notes.
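The race-condition stage above rests on ordering: markup is displayed before sanitization has run on it. The following added example (hypothetical Python, not Microsoft's or Varonis' code) models a streamed answer as a list of constructed text chunks and contrasts the racy pattern with a sanitizer that holds back a tag split across chunk boundaries, so no frame the user sees ever contains live markup.

```python
"""Sanitize-before-render for streamed output (hypothetical illustration)."""
import html
import re

TAG_RE = re.compile(r"<[^<>]*>")  # one complete HTML tag

# Constructed sample: an <img> tag that arrives split across two chunks.
CHUNKS = ["Answer: <im", 'g src="https://example.invalid/x">', " end"]


class StreamSanitizer:
    """Escapes markup chunk by chunk; an unfinished tag is buffered, not shown."""

    def __init__(self):
        self.pending = ""  # tail of the stream whose closing '>' is still missing

    def feed(self, chunk: str) -> str:
        data = self.pending + chunk
        self.pending = ""
        cut = data.rfind("<")
        if cut != -1 and ">" not in data[cut:]:
            self.pending, data = data[cut:], data[:cut]
        return html.escape(TAG_RE.sub("", data))

    def flush(self) -> str:
        out, self.pending = html.escape(self.pending), ""
        return out


def racy_render(chunks):
    """Racy pattern: raw chunks are displayed first, sanitized after the stream ends."""
    frames, shown = [], ""
    for chunk in chunks:
        shown += chunk
        frames.append(shown)  # raw markup is live in the UI at this point
    frames.append(html.escape(TAG_RE.sub("", shown)))
    return frames


def safe_render(chunks):
    """Safe pattern: every displayed frame has already been sanitized."""
    sanitizer, frames, shown = StreamSanitizer(), [], ""
    for chunk in chunks:
        shown += sanitizer.feed(chunk)
        frames.append(shown)
    frames.append(shown + sanitizer.flush())
    return frames


def contains_live_tag(frames) -> bool:
    """True if any frame shown to the user contained a complete HTML tag."""
    return any(TAG_RE.search(frame) for frame in frames)
```

With the sample chunks, `racy_render` exposes a frame containing the complete `<img>` tag before the final sanitized frame, while `safe_render` never does.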
Industry context
Editorial analysis: Industry reporting frames SearchLeak as a concrete instance of an "AI-native" attack surface: prompt-injection techniques chain with well-known web vulnerabilities (race conditions, SSRF) to create new exfiltration paths. Observers in published coverage note the increased blast radius when the targeted assistant runs with enterprise search permissions and has access to mailboxes and storage, since compromised outputs can include cross-organizational artifacts.
Implications for defenders and practitioners
Editorial analysis: Companies running hosted AI assistants that index enterprise data should treat prompt-injection as a class of risk that can amplify otherwise ordinary web bugs. Hardening efforts that focus only on traditional phishing detection or URL filtering can miss attacks that execute from trusted domains, because SearchLeak's vector uses microsoft.com links and relies on in-product behavior rather than user-supplied attachments or external executables. Published coverage highlights that exploitability arises from chaining relatively low-severity issues into a critical end-to-end path.
What to watch
Observers will likely track vendor mitigations for prompt handling, streaming sanitization timing, and downstream service fetch policies (for example, how image search endpoints validate or restrict fetch targets). Public reporting cites Microsoft's remediation of SearchLeak under CVE-2026-42824 and notes the critical severity designation, but security practitioners will be watching for similar prompt-injection chains in other AI-integrated enterprise tools that share enterprise search permissions.
Scoring Rationale
SearchLeak is a critical patched vulnerability (CVE-2026-42824) in Microsoft 365 Copilot Enterprise - a widely deployed enterprise AI assistant. The three-stage chain enabling one-click exfiltration of emails, MFA codes, and files across a Copilot tenant represents a significant and novel AI-native attack surface. Score reflects importance to security practitioners tempered by the fact that Microsoft has patched the vulnerability.