A single click on a Microsoft link could have drained your inbox. Here's how SearchLeak worked.

TL;DRVaronis found three chained bugs in Microsoft 365 Copilot Enterprise Search that let an attacker steal data with one click on a microsoft.com link.

Security researchers at Varonis Threat Labs have disclosed a vulnerability chain in Microsoft 365 Copilot Enterprise Search that could have let an attacker steal emails, calendar entries, and indexed files with a single click. The attack, which Varonis calls SearchLeak, worked through a crafted URL on a legitimate microsoft.com domain, meaning traditional anti-phishing and URL filtering tools were unlikely to flag it. Microsoft assigned CVE-2026-42824 on June 4 and rated it critical under its own severity system, though the CVSS v3.1 base score came in at 6.5, a medium rating.

The victim never typed a prompt, entered a password, or clicked a second time. Varonis researcher Dolev Taler, who is credited in Microsoft’s advisory, demonstrated the attack as a proof of concept. Microsoft mitigated the flaw on its backend, and because Copilot Enterprise is a managed service, no customer action was required.

SearchLeak chains three distinct weaknesses, each insufficient on its own but devastating in sequence. The entry point is the q parameter in the Copilot Enterprise Search URL, which is meant for a natural-language query. Varonis calls this parameter-to-prompt injection: an attacker writes a URL that tells Copilot to search the victim’s mailbox, extract a piece of data like an email subject line, and embed it inside an image URL.