Microsoft 365 Copilot's SearchLeak Flaw Could Steal Emails and MFA Codes in a Single Click
On 15 June 2026, researchers at Varonis Threat Labs disclosed SearchLeak — a now-patched vulnerability chain in Microsoft 365 Copilot Enterprise tracked as CVE-2026-42824. A single click on a crafted Microsoft-hosted link was enough for an attacker to instruct Copilot to silently search the victim's mailbox, calendar, and indexed SharePoint content, then route the results to a server under attacker control. No typing, no download prompt, no warning dialog — just the quiet exfiltration of emails containing access codes, passwords, and MFA tokens. Microsoft patched the flaw server-side before public disclosure, so no user action is required. But the mechanics of how SearchLeak worked reveal something important about the security assumptions baked into enterprise AI tools — and what Australian organisations still need to get right.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
How Varonis Uncovered the SearchLeak Attack Chain
Varonis Threat Labs first identified SearchLeak while conducting routine security research into Microsoft 365 Copilot Enterprise, a tier of Microsoft's AI assistant that integrates directly with an organisation's email, calendar, SharePoint, OneDrive, and Teams data. The researchers reported their findings to Microsoft, and the company deployed a server-side fix globally across all Copilot Enterprise instances by the beginning of June 2026 — roughly two weeks before public disclosure on 15 June.
Microsoft assigned the vulnerability CVE-2026-42824 and classified it as Critical severity. The National Vulnerability Database records a CVSS base score of 7.5 — notably higher than the 6.5 figure in Microsoft's own advisory, a discrepancy consistent with vendors sometimes assigning lower scores than independent databases. Microsoft's exploitability rating and Critical classification suggest the company's internal assessment of real-world risk exceeded what the raw CVSS number conveys.
What Varonis found is not a single bug but a three-weakness chain. Individually, each component is insufficient to produce a meaningful attack. Chained together, they enabled an attacker to craft a link hosted on a legitimate Microsoft domain — one a recipient would have no particular reason to distrust — that, when clicked, triggered Copilot to search the victim's entire accessible data estate and send the results externally. Varonis published a proof-of-concept to accompany the disclosure, and Microsoft has confirmed no evidence of in-the-wild exploitation prior to patching.
The data exposed to this attack chain included email content (particularly emails carrying one-time passcodes, temporary passwords, and account setup links), calendar events and meeting details, documents indexed from SharePoint and OneDrive, and other content accessible through Copilot Enterprise Search. For a business user, Copilot's search scope is effectively everything they can access inside the organisation — which is precisely what made this flaw so consequential.
What SearchLeak Means for Australian Microsoft 365 Tenants
Microsoft 365 is the dominant productivity suite across Australian businesses of all sizes. Small and medium businesses use it for email, file storage, and team collaboration. Federal and state government agencies run on it. Law firms, accounting practices, healthcare providers, and logistics companies have migrated their document estates into SharePoint and OneDrive. All of them are potential Copilot Enterprise tenants, and all of them would have been in scope if SearchLeak had been exploited before patching.
The Australian context matters here for two reasons. First, Australian organisations are disproportionately targeted by business email compromise (BEC) — attacks that often begin with stolen email credentials or account takeovers. The Australian Signals Directorate's Annual Cyber Threat Report consistently places BEC among the highest-impact cyber threats facing Australian businesses by financial loss. A flaw that lets an attacker silently harvest email content — including access codes and temporary credentials — is directly aligned with BEC attack chains.
Second, SearchLeak would have carried significant Privacy Act obligations for affected Australian entities. Under the Notifiable Data Breaches scheme, organisations must notify the Office of the Australian Information Commissioner and affected individuals when a data breach is likely to result in serious harm. An attacker exfiltrating emails containing passwords and MFA codes from an Australian business's Copilot environment would likely meet that threshold. That Microsoft caught and patched this before exploitation is good news — but it reinforces that AI tools with broad data access create obligations Australian organisations need to understand before they enable them.
It is worth noting that Copilot Enterprise, the affected product, is distinct from the basic Microsoft Copilot features bundled into Microsoft 365 Business and Enterprise subscriptions. The Enterprise tier provides the deep search integration — across mailboxes, SharePoint, and Teams — that made SearchLeak possible. Organisations running standard M365 plans without Copilot Enterprise Search enabled would have had a smaller attack surface, though Microsoft's server-side fix applied globally regardless of tier.
Inside the Three-Stage Exploit: Prompt Injection, HTML Race Condition, and SSRF Bypass
Stage 1 — Parameter-to-Prompt Injection
Copilot Enterprise Search accepts a query parameter in the URL — specifically, the q parameter — and passes its value directly to Copilot as an executable prompt. Varonis found that by crafting a URL with a malicious instruction in q, an attacker could tell Copilot what to search for and what to do with the results, without the victim ever interacting with the search interface beyond clicking the link. This is what Varonis calls a Parameter-to-Prompt (P2P) injection — a relatively new class of AI-specific vulnerability distinct from the prompt injection attacks that target LLM chatbots. The victim clicks a link that looks like any other Microsoft 365 URL; Copilot interprets the query parameter as an instruction and begins executing it against the victim's data.
Stage 2 — HTML Rendering Race Condition
The P2P injection could instruct Copilot to locate and format sensitive data, but moving that data off Microsoft's infrastructure required an exfiltration mechanism. Varonis identified a race condition in how Copilot rendered HTML in its responses: an <img> tag embedded in the AI-generated output fired before the output sanitiser had an opportunity to strip it. Because the image tag's src attribute can include URL parameters, an attacker could embed an exfiltration URL in the image request — Copilot would render the tag, the browser would attempt to load the "image" from an attacker-controlled server, and the stolen data would travel as URL parameters in that request. The sanitiser, arriving milliseconds too late, saw nothing to block.
Stage 3 — Content Security Policy Bypass via Bing SSRF
One obstacle remained: Microsoft's Content Security Policy (CSP) for the Copilot interface blocked direct outbound requests to arbitrary external servers. An <img> tag pointing to https://attacker.com would be refused. Varonis circumvented this by routing the exfiltration request through Bing's image-search endpoint, which is already allowlisted in Microsoft's CSP. Bing's endpoint performed a server-side fetch to the attacker-controlled URL on behalf of the browser — a server-side request forgery (SSRF) using Microsoft's own infrastructure as a relay. The CSP check saw a request to a trusted Microsoft domain; the stolen data quietly reached the attacker's server. Chained together, these three weaknesses turned Copilot into an unwitting data courier that operated entirely within trusted Microsoft infrastructure, generating no obvious alerts at the client side.
What Australian Organisations Should Do Now — Even Though the Patch Is Live
Microsoft's server-side fix is deployed globally and requires no action from customers. If your organisation runs Microsoft 365 Copilot Enterprise, you are already on the patched version. That said, SearchLeak exposed several underlying practices that leave organisations unnecessarily exposed to this class of attack, and patching one CVE does not fix those practices.
Audit what Copilot can access. By default, Copilot Enterprise Search indexes everything the licensed user can access — their full mailbox, all SharePoint sites they have read permissions on, their OneDrive, and indexed Teams channels. Many organisations enable Copilot for productivity reasons without reviewing the data estate it inherits. Take the time to map what sensitive data sits in those scopes. If a contractor or low-privilege staff member's Copilot licence can reach confidential HR files or financial records via SharePoint permissions they were never intended to hold, that is a privilege hygiene issue that exists independently of any AI vulnerability.
Reduce sensitive credentials in email. SearchLeak's most damaging exfiltration target was emails containing access codes, one-time passwords, and temporary credentials — exactly the content generated by "forgot password" flows, account invitations, and multi-factor authentication systems that email verification codes. These emails are valuable precisely because they contain functional credentials at the moment they're sent. The practice of emailing passwords and one-time codes has always been a risk; SearchLeak demonstrated that an AI tool with mailbox access amplifies that risk by making mass retrieval trivial. Australian organisations should evaluate which systems send credentials by email and replace email-based delivery with more controlled flows where feasible.
For individual credential hygiene, a password manager removes the need for passwords to travel through email at all. When credentials are generated and stored in a vault — never copy-pasted into an email, never written in a chat message — they are not sitting in the mailbox for Copilot (or an attacker) to find. NordPass offers zero-knowledge encrypted storage for both personal and team credentials, with secure sharing features designed specifically to replace the habit of sending passwords through email or messaging apps. For Australian SMBs already running Microsoft 365, pairing it with a password manager addresses the exact data class SearchLeak was designed to steal.
Review Conditional Access policies. Microsoft's Conditional Access system allows organisations to restrict which devices, locations, and conditions can authenticate to M365 services. Strong Conditional Access policies significantly reduce the blast radius of any account-level compromise — even if an attacker obtained credentials through a flaw like SearchLeak, they would need to satisfy the Conditional Access conditions to use them. Organisations that have not yet configured Conditional Access beyond the defaults should treat this disclosure as a prompt to do so.
AI Tools and the New Credential Exposure Surface
SearchLeak is not an isolated incident — it is the latest example of a pattern that will intensify as AI tools gain deeper access to enterprise data. Earlier in 2026, researchers demonstrated similar prompt injection and data exfiltration techniques against other AI assistants integrated with email and productivity platforms. The common thread is that AI tools designed to be helpful — to find information, summarise documents, draft replies — are also tools that can be instructed by an attacker to do the same things against the victim's interests. The attack surface is not the AI itself but the gap between what the AI is allowed to access and what it should be trusted to handle under adversarial instruction.
The ASD's Essential Eight Maturity Model does not yet address AI-specific attack vectors in detail, but several of its existing controls are directly applicable. The Patch Applications control — specifically, maintaining timely patches for third-party software including cloud-delivered applications — would flag Copilot Enterprise as a priority target given its broad data access. The Restrict Administrative Privileges control applies to the principle of minimising what Copilot can reach: a user with unnecessarily broad SharePoint read access amplifies their Copilot risk. The Multi-Factor Authentication control mitigates the downstream impact of credential theft, though SearchLeak demonstrated that MFA codes themselves can be a target when they transit email.
For Australian businesses evaluating AI productivity tools, the SearchLeak disclosure offers a useful checklist before enabling any AI assistant with broad data access:
- What data does this tool index, and have permissions been reviewed to ensure it reflects least-privilege?
- Can the tool be instructed via external input (links, embedded content, uploaded files) in ways that could be weaponised?
- What does the vendor's patching track record look like for the AI-specific components — not just the underlying platform?
- Does your incident response plan account for AI-assisted data exfiltration that generates no traditional alert signatures?
Microsoft's handling of SearchLeak — patching before public disclosure, accepting the vulnerability report through coordinated disclosure, and publishing a CVE with technical detail — is the right model. Varonis's decision to wait for a fix before publishing is also the right model. What concerns security practitioners is that P2P injection, HTML rendering races, and SSRF-based CSP bypasses are not problems unique to Microsoft: any AI search tool that accepts URL parameters and renders AI-generated HTML is a potential candidate for an identical chain. Until AI vendors routinely audit their tools against this class of vulnerability, Australian organisations should extend the same patch-and-audit discipline to their AI tooling that they already apply — or should apply — to their traditional software estate.
Keeping credentials out of email entirely remains one of the most durable mitigations available for this class of threat. When there are no passwords sitting in the mailbox, a Copilot-directed search for them returns nothing useful. NordPass for Teams provides a practical mechanism for Australian organisations to move credential sharing out of email and into an encrypted vault with access controls — reducing both the data available to a compromised AI assistant and the collateral impact of any future vulnerability in this class.
Related reading
- Criminals Used AI to Build the World's First Zero-Day 2FA Bypass — What Australian Businesses Must Know
- World Password Day 2026: Why AI and Infostealers Have Made Passwords Obsolete for Australians
Is Your Microsoft 365 Data Protected?
Check out our recommended security tools for a complete protection stack.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.