SearchLeak: How One Click Exfiltrated Microsoft 365 Data

Jun 15, 2026 - 19:22

Security researchers at Varonis Threat Labs uncovered SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot Enterprise Search. The flaw enables one-click data exfiltration through a legitimate microsoft.com link, bypassing traditional filters by chaining prompt injection, rendering race conditions, and server-side request forgery via Bing. Microsoft patched the backend flaw, requiring no customer action.

A single interaction with a legitimate Microsoft domain has exposed a critical flaw in how enterprise AI systems process user queries. Security researchers recently uncovered a vulnerability chain that allows an attacker to extract sensitive corporate data without requiring the victim to type a prompt or click a second time. The flaw, designated as SearchLeak, demonstrates how traditional security boundaries fail when artificial intelligence bridges the gap between user input and backend data access. This discovery forces a reevaluation of how organizations trust AI intermediaries to handle sensitive information.

What is SearchLeak and how does it function?

Security researchers at Varonis Threat Labs recently disclosed a complex vulnerability chain targeting Microsoft 365 Copilot Enterprise Search. The flaw, tracked as CVE-2026-42824, allows an attacker to extract sensitive corporate data with a single click. Microsoft rated the issue as critical under its internal severity framework, though the standard CVSS v3.1 base score sits at 6.5. The vulnerability requires no manual prompt input from the victim and operates entirely through a crafted URL on a legitimate microsoft.com domain. Traditional anti-phishing tools and URL filtering systems rarely flag such links because the domain itself appears completely trustworthy.

Varonis researcher Dolev Taler demonstrated the attack vector as a working proof of concept. Microsoft subsequently mitigated the flaw on its backend infrastructure. Because Copilot Enterprise operates as a fully managed service, no customer action was required to close the security gap. The discovery highlights how enterprise AI systems inherit the full permissions of the signed-in user. Any data accessible through Microsoft Graph becomes a potential target when the AI processes a malicious query. This architectural design fundamentally changes how security teams must evaluate risk.

The critical rating assigned by Microsoft reflects the potential impact on corporate data rather than the technical complexity of the exploit. Attackers can target one-time passwords, multi-factor authentication tokens, and sensitive document metadata. The ease of deployment means that even novice threat actors could replicate the technique. Organizations must recognize that a single compromised link can trigger a complete data extraction sequence. The speed of the attack leaves little time for automated response systems to intervene.

Why does the parameter-to-prompt injection matter?

The entry point for this attack chain lies in the q parameter of the Copilot Enterprise Search URL. This parameter is designed to accept natural language queries from users. Varonis researchers identified a parameter-to-prompt injection weakness that allows attackers to embed executable instructions directly into the query string. When the victim clicks the malicious link, the AI system reads the injected text as a direct command rather than a search term. The model then searches the user's mailbox, extracts specific data fields, and formats the output for transmission. This behavior bypasses standard input validation because the AI treats the query as legitimate operational text. Organizations must recognize that natural language interfaces no longer function as simple search boxes.

The implications extend far beyond a single software product. Artificial intelligence systems integrated into enterprise workflows inherit the access permissions of their users but introduce new attack surfaces that existing security tooling was not built to detect. A URL filter that checks domain reputation would pass a link to microsoft.com without hesitation. A content security policy that trusts Bing would allow the exfiltration request to proceed. Neither tool was designed to account for an AI intermediary that converts URL parameters into executable instructions. Security teams must adapt their monitoring strategies accordingly.

Traditional web security models assume that user input remains static until processed. Prompt injection breaks this assumption by treating input as dynamic code. The AI model acts as a compiler that translates text into backend actions. This shift requires security architects to rethink how they validate and sanitize user data. Input validation must now account for semantic meaning rather than just character encoding. The industry is still developing standardized methods to detect when a query crosses the line from data retrieval to command execution.

How do the three chained vulnerabilities interact?

The attack relies on three distinct weaknesses that function as a single coordinated chain. The first component involves the race condition in how Copilot renders its response. Microsoft's guardrails wrap output in code blocks to prevent browser execution, but the wrapping occurs after the AI finishes generating text. The browser renders the streaming response as it arrives, allowing an injected image tag to fire its request before the sanitizer runs. By the time the output is neutralized, the outbound request has already left the network. This timing gap is critical to the success of the exfiltration attempt.

The second component exploits a server-side request forgery path through Bing. The content security policy on m365.cloud.microsoft blocks images from arbitrary domains but explicitly allowlists *.bing.com. Bing's Search by Image endpoint accepts an image URL and fetches it server-side to analyze it. Attackers point that fetch at their own server with stolen data encoded in the URL path. Bing retrieves the data on the attacker's behalf, completely bypassing browser content security policies because the request originates from Bing infrastructure. The attacker simply reads the stolen information from their own server logs.

The reach of the attack matched whatever the signed-in user could access through their Microsoft Graph permissions. The most time-sensitive targets were one-time codes, multi-factor authentication tokens, and password reset links sitting in the inbox. Calendar invites, meeting notes, and any SharePoint or OneDrive files that Copilot had indexed were also within reach. The sequence works entirely in the background without requiring additional user interaction. This demonstrates how prompt injection transforms old web vulnerabilities into potent data theft mechanisms.

The combination of these three flaws creates a seamless pipeline for data extraction. Each component compensates for the limitations of the others. The race condition ensures the request leaves before mitigation. The CSP allowlist ensures the request is not blocked. The prompt injection ensures the AI executes the malicious logic. Security teams must address all three layers simultaneously to prevent similar attacks. Patching a single component will not stop the chain from functioning.

What does this reveal about enterprise AI security?

SearchLeak represents the second time Varonis has demonstrated this specific pattern against Copilot. Dolev Taler previously disclosed the Reprompt attack against Copilot Personal, which used the same one-click technique to exfiltrate data. That vulnerability was reported to Microsoft in August 2025 and patched in January 2026. SearchLeak held up against Enterprise Search despite the additional guardrails that tier is supposed to enforce. The same class of bug appeared independently in EchoLeak, a zero-click Copilot vulnerability disclosed by Aim Security in 2025. Together, these three disclosures establish a clear pattern.

Prompt injection is the new ingredient that makes old web vulnerabilities dangerous again. Server-side request forgery and HTML sanitizer race conditions are well-understood bug classes that security teams have been mitigating for years. What makes them potent in Copilot is the prompt injection layer, which creates a path to trigger them through a URL parameter designed to accept natural language. The AI system does not just search; it follows instructions embedded in the query. Those instructions can include data exfiltration logic that would be impossible through a conventional search interface. The fundamental tension between broad data access and strict security remains unresolved.

The rapid adoption of generative AI tools has outpaced the development of corresponding security frameworks. Many enterprises are exploring cost-effective AI access models to manage rising operational expenses. Companies are deploying AI assistants to improve productivity without fully understanding the attack surface expansion. Each new integration point creates opportunities for prompt injection and data leakage. Security teams are often forced to react to vulnerabilities after they are disclosed rather than designing proactive defenses. The industry needs standardized testing protocols for AI systems before they reach production environments. Until then, organizations must assume that every AI interface is a potential entry point.

How should organizations respond to emerging prompt injection threats?

For organizations running Microsoft 365 Copilot Enterprise, Varonis recommends watching for Copilot Search URLs carrying encoded payloads or HTML in the q parameter. Security teams should also monitor for unusual outbound requests to Bing image endpoints. Tightening data access governance so Copilot indexes less content would shrink what any future vulnerability could reach. Microsoft fixed SearchLeak before it was exploited in the wild, and the company says there is no evidence of malicious use. However, the rapid expansion of Copilot into enterprise and public-sector environments means the attack surface is growing faster than the guardrails.
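One way to implement the first check, as an added example that is not code from Varonis or Microsoft: a log scanner that decodes the q parameter of URLs on the Copilot host through any nested percent-encoding and flags HTML-like tags or references to a bing.com host. The `/search` path, the log line format, the finding labels and the sample values are constructed placeholders, and the tag pattern is a heuristic that can also match queries containing literal angle brackets.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

COPILOT_HOST = "m365.cloud.microsoft"  # host named in the article
MAX_ROUNDS = 5                         # assumption: cap on nested percent-decoding
URL_RE = re.compile(r"https?://\S+")
HTML_TAG = re.compile(r"</?[a-zA-Z][^<>]*>")  # heuristic: a closed HTML-like tag
BING_REF = re.compile(r"(?:^|[/.@\s\"'=])(?:[a-z0-9-]+\.)*bing\.com\b", re.I)

def fully_decode(value):
    """Percent-decode until the text stops changing; return (text, rounds used)."""
    for rounds in range(MAX_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value, rounds
        value = decoded
    return value, MAX_ROUNDS

def inspect_url(url):
    """Return findings for one URL; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != COPILOT_HOST:
        return []
    findings = []
    # parse_qs already decodes once, so any further round means nested encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get("q", []):
        text, extra_rounds = fully_decode(value)
        if extra_rounds:
            findings.append("nested-encoding")
        if HTML_TAG.search(text):
            findings.append("html-in-q")
        if BING_REF.search(text):
            findings.append("bing-host-in-q")
    return findings

def scan(log_lines):
    """Map 1-based line number -> findings for every line that was flagged."""
    hits = {}
    for number, line in enumerate(log_lines, 1):
        found = [f for url in URL_RE.findall(line) for f in inspect_url(url)]
        if found:
            hits[number] = found
    return hits

# Constructed proxy-log lines; the /search path and all values are placeholders.
SAMPLE_LOG = [
    "10:01:07 alice GET https://m365.cloud.microsoft/search?q=quarterly+budget+review",
    "10:02:41 bob GET https://m365.cloud.microsoft/search?q=%3Cimg%20src%3Dx%3E",
    "10:03:15 carol GET https://m365.cloud.microsoft/search?q=%253Cimg%2520src%253D%2522https%253A%252F%252Fwww.bing.com%252FPLACEHOLDER%2522%253E",
]
```

Calling `scan(SAMPLE_LOG)` leaves the plain query unflagged and reports the single-encoded and double-encoded tags on lines 2 and 3.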

Three disclosures in six months, each bypassing protections the previous fix was supposed to establish, suggest the fundamental tension between giving an AI tool broad data access and keeping that data secure remains unresolved. Security architectures must evolve beyond simple domain reputation checks and content security policies. Organizations need to implement strict output validation, limit AI query scope, and monitor for parameter-to-prompt injection attempts. The integration of artificial intelligence into daily workflows requires a proactive security posture that anticipates how models interpret user input. Relying on legacy web security controls will no longer suffice.

Implementing zero-trust principles specifically for AI interactions is becoming a necessity. Data classification systems must identify sensitive information before it enters the AI pipeline. Access controls should be dynamically adjusted based on the context of the query. Security operations centers must develop new detection rules tailored to AI traffic patterns. The goal is to create barriers that function regardless of how the AI processes the input. Continuous monitoring and regular penetration testing will remain essential components of an effective defense strategy.

What is the long-term outlook for AI-driven security?

The intersection of artificial intelligence and enterprise security continues to produce unexpected attack vectors. As companies adopt more AI assistants, the boundary between user interface and backend execution blurs. Security teams must treat AI queries as executable code rather than simple text input. This shift requires continuous monitoring, strict data minimization, and robust sandboxing for AI operations. The industry must develop standardized testing frameworks for prompt injection before vulnerabilities become widespread. Organizations that adapt their security strategies now will be better positioned to handle the next generation of AI-related threats.

Future developments in AI safety will likely focus on isolating model execution from data access. Researchers are exploring methods to validate AI behavior in real time without disrupting workflow efficiency. The goal is to ensure that AI systems remain useful tools rather than becoming vectors for data loss. Companies that prioritize security by design will maintain a competitive advantage. The landscape will continue to evolve as both attackers and defenders refine their approaches. Vigilance and architectural rigor will determine which organizations survive the next wave of AI-driven vulnerabilities.

Christopher Holloway

Christopher Holloway is the founder and director of Progressive Robot, a UK-based technology company. A full-stack engineer with more than two decades of experience, he works across PHP development, ecommerce, Linux infrastructure, technical SEO and AI automation, and writes here on technology, AI, hardware and software.