Services
Industries
About
Insights
Support
Contact
Book a Free ReviewCall 1300 053 948
HomeInsights / news › SearchLeak: the one-click Microsoft 365 Copilot flaw
AI

SearchLeak: how one click could have leaked your Microsoft 365 Copilot data

Insights · Key IT · By Elias Koziris, Owner & Technician · · Updated 16 June 2026

A one-click flaw (CVE-2026-42824) could have pulled emails, files and MFA codes out of Microsoft 365 Copilot. Microsoft fixed it — here's what it means for your AI rollout.

A single click on a genuine microsoft.com link could have quietly handed an attacker your emails, calendar, files — even live MFA codes — straight out of Microsoft 365 Copilot. Microsoft has already fixed it. The lesson it leaves behind is the part worth your attention.

In June 2026, researchers at Varonis Threat Labs revealed a flaw they named SearchLeak, tracked as CVE-2026-42824 and rated critical. It targeted Microsoft 365 Copilot Enterprise Search, and what made it unsettling was how little the victim had to do: no password, no typed prompt, no second click — just one click on a link that pointed to a real Microsoft domain, so the usual phishing and link filters had no reason to flag it.

The reassuring part first: this was a proof of concept by security researchers, not an attack seen in the wild, and Microsoft fixed it on its own back end at the start of June 2026. Because Copilot is a managed service, there was nothing for businesses to patch — you are already protected against this specific flaw. So why write about it? Because SearchLeak is an early, clear example of how switching on AI changes the shape of your security risk, and that part is on all of us.

What actually happened, in plain English

SearchLeak chained three weaknesses together, each one setting up the next.

1. The AI read a web link as an instruction. Copilot Enterprise Search takes your question from part of its web address. Normally that is just your search words — but the researchers found Copilot would treat text placed there as commands ("search this mailbox, take an email subject, and tuck it inside an image") rather than as a simple query. The victim types nothing; they click a crafted link and Copilot quietly does the work. Varonis calls this parameter-to-prompt injection.

2. A timing gap let the data slip out. Microsoft wraps Copilot's answers in code formatting so the browser treats any markup as plain text. But that wrapping happens after Copilot finishes writing, while the browser is already drawing the response as it streams in. An injected image tag fired its request in that window, before the safety net dropped.

3. Microsoft's own service carried the data away. The page only allows images from Microsoft-approved domains — and Bing is on that list. Bing's "search by image" feature fetches an image address from its own servers, so the researchers pointed it at their server with the stolen text hidden in the address. Bing fetched it, the data left, and the browser's protections never applied, because the request came from Microsoft's infrastructure rather than the user's browser.

In short: you click, Copilot reads your data, the answer hides a snippet — say, an email subject — inside an image link, and Microsoft's own image service delivers it to the attacker, who simply reads it off their server logs.

Why this matters more than the average bug

Two things make it worth a moment of your time.

First, Copilot can reach whatever you can. It works through your Microsoft 365 access, so anything you can open — inbox, calendar, meeting notes, and every SharePoint or OneDrive file it has indexed — is within reach, and an attacker inherits that reach without ever logging in. The most time-sensitive target is the inbox: one-time passcodes, MFA codes and password-reset links that are often still valid for a few minutes — long enough to take over an account before anyone notices.

Second, this is an old trick with a new key. Server-side request forgery and output-sanitising timing bugs have been around for years. What revived them is prompt injection — getting an AI to follow instructions hidden in ordinary-looking input. It is the same pattern behind EchoLeak (CVE-2025-32711), a zero-click Copilot data-leak flaw disclosed in 2025. As AI features spread, expect more of these: familiar web bugs reached through a brand-new front door.

The real takeaway for your business

You do not need to do anything about SearchLeak itself — it is fixed. But it is a useful prompt to ask a bigger question: as we switch on Copilot and other AI tools, who has checked what they can actually see, and who is watching how they behave?

Three things make the difference, and none of them are about this one bug.

Govern what Copilot can reach. Copilot surfaces whatever a person already has permission to open — including the over-shared folder, the "everyone" SharePoint site, and the old files nobody ever cleaned up. Tightening permissions to least privilege does not just tidy your data; it shrinks the blast radius of any future leak. For most businesses this is the single highest-value step to take before — or right after — turning Copilot on, and it is exactly what we cover when we help you use AI safely.

Watch for the unusual. The defence against a managed-service flaw you cannot patch is detection — spotting odd Copilot activity or unexpected outbound requests and stepping in quickly. That is what a security operations centre is for, and ours runs in-house, around the clock.

Treat an AI rollout as a security project, not just an IT switch. A Microsoft Copilot deployment touches your most sensitive data, so it deserves the same care as any other security change: review access first, set guardrails, brief your people, and keep an eye on it once it is live.

And the timeless one: be wary of links, even ones that appear to go to a name you know. SearchLeak worked precisely because the link looked completely legitimate.

FAQ

Frequently asked questions

Do we need to patch anything for SearchLeak?

No. Microsoft fixed it on its own servers at the start of June 2026. Because Microsoft 365 Copilot is a managed service, the parts that failed sit on Microsoft's side, not yours — there is nothing to install or reconfigure for this specific flaw.

Was anyone actually attacked?

Not that has been reported. Varonis Threat Labs built it as a proof of concept and disclosed it responsibly, and it was fixed before the details were made public. The value is in the lesson, not a live threat.

Does this mean Microsoft 365 Copilot is not safe to use?

Copilot is a genuinely useful tool, and Microsoft fixed this quickly. The point is not to avoid AI — it is to roll it out with the access controls and monitoring any sensitive system deserves. With proper data governance behind it, Copilot is something we help Melbourne businesses adopt with confidence.

What is the one thing to do before turning on Copilot?

Review who can access what. Copilot can only surface data a person already has rights to, so fixing over-sharing and tightening permissions first means Copilot — and anyone who ever misuses it — sees far less.

Keep exploring

Related Key IT services

AI for your businessMicrosoft CopilotManaged cybersecurity
Keep reading

More insights

AI

What is an AI MSP?

What a managed AI service actually does, why it matters, and how a security-first approach makes AI…

Read article →AI

Is Microsoft Copilot worth it?

An honest look at Microsoft 365 Copilot for Melbourne SMBs — what it does, what it costs, the data…

Read article →AI

Microsoft Copilot Cowork

Microsoft Copilot Cowork lets AI plan and carry out multi-step work across Microsoft 365 — with…

Read article →

Book your free IT & Cyber Security Review

See exactly where your IT and security stand, and what to fix first. No jargon, no obligation.

Book a Free ReviewCall 1300 053 948