Practical guides to protect yourself, your family, and your business from AI-driven scams, deepfakes, and emerging cyber threats.
Researchers built a link that looked like an ordinary Microsoft web address. A target clicked it. Microsoft 365 Copilot opened, searched the person's own mailbox, and shipped the contents of an email, including any security code sitting inside it, to a server the researchers controlled. No password was requested. There was no second click. The whole theft rode on one link to a genuine microsoft.com page.
That is SearchLeak, disclosed on June 15, 2026 by Varonis Threat Labs. Microsoft tracked it as CVE-2026-42824 and rated it critical. Here is why it matters past the clever demo: the attack reached real data through Copilot, the AI assistant a large share of enterprises now wire into their email, calendars and files, and it did so by turning the assistant's own helpfulness into the weapon.
The research came from Varonis researcher Dolev Taler, who aimed it at Copilot Enterprise Search, the version of the assistant built to look through company data such as emails, meetings, and documents in SharePoint or OneDrive. Varonis published a proof of concept rather than catching the attack in the wild, and Microsoft has since fixed the flaw on its own servers. Even the severity score was contested: Microsoft rated it 6.5 out of 10 while the U.S. National Vulnerability Database put it at 7.5. BleepingComputer and The Hacker News both reported the findings on June 15.
The clever part is the chain of three weaknesses, each one opening the door for the next. The first is parameter-to-prompt injection, or P2P. The q parameter in a Copilot search URL (the slot meant to hold the words you are searching for) is read by Copilot as instructions, not merely as a query. An attacker writes a URL that quietly tells Copilot to find an email, take its subject line, and tuck that text inside the address of an image. The second is a rendering race condition. Copilot streams its answer as it writes, and Microsoft's safety step wraps risky output in code blocks so the browser treats it as plain text, but that wrapping only lands after the answer is finished. While the response is still streaming, the browser already sees the image tag and reaches out to load it. The guardrail arrives a moment too late. The third is a Content Security Policy bypass using Bing. The page only permits images from approved domains, and Bing sits on that approved list. Bing's reverse-image-search endpoint will fetch whatever address you hand it, from its own servers, which is a classic server-side request forgery (SSRF, where a server is tricked into making a request on the attacker's behalf). The stolen text, packed into that address, surfaces in the attacker's logs as a request such as /Your_Security_Code_847291/img.png.
The prize is whatever the victim can see, and that is the problem. Email subjects and bodies routinely carry one-time passcodes, MFA codes (multi-factor authentication, the second login step such as a code texted to a phone), and password-reset links, often still valid for a few minutes. That window is long enough for an attacker watching the log to seize an account before its owner notices anything. The same access reaches calendar invites, meeting notes, and any SharePoint or OneDrive file Copilot has indexed, which is where salary figures, earnings numbers, and deal plans tend to live. The uncomfortable part for your team is that you cannot patch this one yourself. Copilot Enterprise is a managed service, so the broken pieces sit on Microsoft's side, and your control narrows to watching and limiting rather than fixing. The shift worth carrying into a planning meeting is what the AI layer did to old bugs. Server-side request forgery and sanitizer races are decade-old problems that were dead ends in this setting, right up until prompt injection handed an attacker a way to plant a payload inside the assistant's own output. The novelty is not a new bug. It is a new road to bugs everyone had written off as unreachable.
Microsoft has closed SearchLeak, and Varonis only ever ran it as a proof of concept, so this particular link is not something to lose sleep over. The lesson is the one that outlives the patch. As Copilot and tools like it settle into the center of how work gets done, each of them reads content that other people can shape, and that reading can be steered. The question for your next security review is not whether your AI assistant has been patched. It is what that assistant can see, who is able to point it, and whether anything in your monitoring would notice if it quietly read your inbox to someone else. You can follow the fix in Microsoft's advisory for CVE-2026-42824 and the scoring detail in the National Vulnerability Database entry.


