A critical vulnerability chain dubbed SearchLeak in Microsoft 365 Copilot Enterprise could allow attackers to steal sensitive data from a target's mailbox, OneDrive, or SharePoint account through a specially crafted URL.
The exfiltrated information could be email content (e.g., access codes, passwords), calendar events and meeting details, documents, and other content accessible through Copilot Enterprise Search.
Microsoft addressed SearchLeak at the beginning of the month and assigned it the CVE-2026-42824 identifier with a maximum severity, critical rating.
Three-stage attack chain
Researchers at the enterprise data security company Varonis developed SearchLeak by chaining three flaws that, individually, are insufficient to enable a meaningful attack.
