One-Click Microsoft Copilot Flaw Could Have Exposed Emails and Company Files
Cybersecurity researchers have revealed how a single click on a specially crafted Microsoft link could have turned Microsoft 365 Copilot Search into a channel for stealing sensitive business data.
The vulnerability chain, named SearchLeak by Varonis Threat Labs, combined an artificial intelligence prompt weakness with two established web security flaws. A successful attack could have exposed emails, authentication codes, meeting information and files stored in services such as SharePoint and OneDrive.
Microsoft has since fixed the issue, which is tracked as CVE-2026-42824. The available vulnerability record indicates that no exploitation had been detected when the flaw was assessed.
A trusted Microsoft link concealed the attack
The attack began with a URL pointing to a legitimate Microsoft 365 domain. A cybercriminal could have distributed the link through email, Microsoft Teams, Slack, WhatsApp or another messaging service.
After a signed-in Microsoft 365 Copilot user clicked it, Copilot Search interpreted part of the web address as an instruction rather than an ordinary search term. The victim did not need to install software, approve a plugin or enter information into Copilot.
Because the link used a genuine Microsoft domain, it may have appeared less suspicious to the recipient and could have avoided some traditional phishing protections that rely heavily on domain reputation.
The attack did not give Copilot entirely new permissions. Instead, it abused the access already held by the victim. This meant the potential consequences depended heavily on the person who clicked the link. An employee with access to only a small collection of files might expose limited information, while an executive or senior administrator could place much more valuable material at risk.
Microsoft 365 Copilot Search is designed to find information across emails, files, chats, meetings and connected business systems, while respecting the permissions assigned to each user. That broad visibility is useful for legitimate work, but it also made the service a valuable target for data theft.
Three weaknesses created the data theft chain
SearchLeak depended on three separate vulnerabilities working together.
The first was a parameter-to-prompt injection flaw. Microsoft 365 Copilot Search allowed a search request to be included within a URL parameter. Researchers found that carefully constructed text in this parameter could be treated as an instruction for the AI system to execute automatically.
An attacker could therefore create a link directing Copilot to search the victim’s mailbox or organisational data and place selected information inside what appeared to be an image request.
The second stage involved the way Copilot displayed its response. The service had a protection intended to prevent potentially dangerous HTML from being interpreted by the browser. However, researchers found that the response was displayed progressively while Copilot was still generating it.
During this brief period, an image element could be processed before the security filter converted the response into harmless text. By the time the protection took effect, the browser had already attempted to load the image.
The final stage bypassed Microsoft’s Content Security Policy, which restricted the websites from which images could be loaded. Direct requests to a cybercriminal’s server would normally have been blocked, but Microsoft’s Bing domain was permitted.
Researchers used a Bing image-search function that could retrieve an image from a user-supplied address. The victim’s browser contacted the trusted Bing service, which then attempted to fetch an address controlled by the attacker. Sensitive information placed within that address could consequently appear in the attacker’s server logs.
Each flaw was necessary. The AI weakness generated the malicious instruction, the rendering problem allowed the browser request to occur, and the Bing function provided a route around the browser’s security restrictions.
Authentication codes and confidential records were at risk
Varonis demonstrated how the technique could extract an email subject containing a security code. The same approach could potentially have been adapted to search for other information available through Copilot.
The exposed material could have included email content, password reset information, one-time authentication codes, calendar details, meeting notes and private company documents. Files containing financial results, salaries, acquisition plans or other commercially sensitive information could also have been vulnerable when the targeted user had permission to access them.
Microsoft 365 Copilot Search can also work with third-party systems through connectors. In organisations using these integrations, the potential search area may extend beyond Microsoft services into platforms such as Salesforce, ServiceNow and Confluence.
The vulnerability is officially recorded as an information disclosure issue affecting Microsoft 365 Copilot. Microsoft assigned it a CVSS score of 6.5, placing it in the medium severity category, while the US National Vulnerability Database calculated a higher score of 7.5. Both assessments recognised the potential for a serious loss of confidentiality.
AI adds new power to familiar security bugs
SearchLeak illustrates how generative AI can increase the impact of vulnerabilities that security professionals have understood for years.
HTML injection, race conditions and server-side request forgery are not new forms of attack. What changed was the presence of an AI assistant capable of interpreting natural-language instructions and searching through a user’s business information.
Instead of merely exploiting a web page, an attacker could attempt to manipulate the AI into finding valuable data on their behalf. The system’s ability to understand meaning and locate relevant information effectively performed part of the attacker’s work.
The discovery followed earlier Varonis research into Reprompt, a separate one-click vulnerability affecting the personal version of Microsoft Copilot. That attack also used a prompt hidden inside a Microsoft link, although its technical process and affected service differed from SearchLeak. Microsoft also patched that issue.
Microsoft has closed the known attack path
Microsoft remediated SearchLeak before Varonis published the full technical details. As Microsoft 365 Copilot is a hosted service, the fix was applied by Microsoft rather than distributed as a conventional software update for individual users.
Security teams can still use the disclosure to improve their monitoring. Suspicious Copilot Search addresses may contain unusually long or encoded search parameters, HTML instructions or requests to place data inside image links.
Organisations should also examine how much information employees can access through Microsoft 365. Copilot generally follows existing permissions, which means excessive access and poorly governed SharePoint sites can increase the impact of any future AI-related vulnerability.
Users should remain cautious about unexpected Microsoft 365 links, particularly those containing lengthy search instructions. Copilot beginning an unrequested search of email or organisational data should also be reported to an employer’s security team.
SearchLeak has been fixed, but its wider lesson remains. As AI assistants become deeply connected to workplace information, vulnerabilities no longer need to steal credentials before reaching valuable data. In some cases, manipulating the assistant itself may be enough.
One trusted-looking link can be enough to expose sensitive emails, files and authentication codes. The Hack Academy’s online training programme teaches you how modern AI-powered attacks work, how to recognise malicious links and how to respond before data is stolen.
Strengthen your cybersecurity knowledge and make yourself a harder target. Start The Hack Academy’s online training programme today.
Photo Credit: DepositPhotos.com