CVE-2026-42824 SearchLeak: One Malicious Link Made M365 Copilot Exfiltrate Email, MFA Codes, and Calendar Data

Timeline

1. 2026-06-15

   Varonis publishes SearchLeak research; Microsoft releases CVE-2026-42824 patch

2. 2026-06-15

   BleepingComputer, Dark Reading, SC Media, and CybersecurityNews cover the vulnerability

3. 2026-06-16

   Coverage expands; Microsoft confirms critical severity rating and patch availability

Technical breakdown

• Parameter-to-Prompt (P2P) injection: the Copilot Enterprise Search endpoint passed the URL q parameter directly to the AI as an executable instruction — allowing an attacker to craft a URL that instructs Copilot to search the victim's mailbox and embed results in an img tag pointing at attacker infrastructure.
• HTML rendering race condition: during Copilot's streaming output phase, the browser rendered raw HTML (including img tags) before Microsoft's post-processing sanitizer wrapped output in code blocks — creating a window where attacker-controlled markup fired outbound requests before sanitization engaged.
• SSRF via Bing allowlist: Bing's image search endpoint was on the Copilot CSP allowlist. Copilot's img requests pointed at Bing, which performed a server-side fetch to attacker-controlled URLs containing the stolen data — turning Bing into an exfiltration proxy that bypassed direct-origin restrictions.
• The three-stage chain required no plugins, no credentials, no special permissions, and only a single victim click. The victim's interface showed Copilot 'thinking' while the exfiltration completed invisibly in the background.
• Exposed data included email content, MFA/2FA codes, calendar events, meeting notes, SharePoint documents, and OneDrive files — the full surface of M365 Copilot Enterprise Search indexed content.