- Varonis uncovered “SearchLeak,” chaining three flaws in Microsoft 365 Copilot to enable one‑click data theft
- Attack exploited prompt injection, HTML race condition, and Bing SSRF to exfiltrate inbox, OneDrive, and SharePoint data
- Microsoft patched CVE‑2026‑42824 earlier this month, rating it 10/10 critical
Experts have uncovered a way to turn Microsoft 365 Copilot into a one-click data theft tool, capable of exfiltrating sensitive information from people’s inbox, OneDrive, and SharePoint instances.
The method was recently patched by Microsoft having been developed by security researchers Varonis, who dubbed the method SearchLeak, explaining it works by chaining together three vulnerabilities.
Separately, these three can’t do much harm, but together, they are strong enough to warrant a patch.
Exfiltration proxy
The three flaws being chained are a parameter-to-prompt injection, an HTML rendering race condition, and a content-security-policy (CSP) bypass enabled by Bing server-side request forgery (SSRF).
The attack starts when a victim clicks a specially crafted Microsoft 365 Copilot Enterprise Search link. The URL holds hidden instructions in the search query parameter, telling Copilot to search the victim’s emails, OneDrive files, SharePoint documents, or calendar data and include the results inside an image URL.
As Copilot generates its response, a race condition causes the browser to briefly render attacker-controlled HTML before Microsoft’s sanitization process completes. This allows an image tag containing the stolen data to execute.
Finally, the image request is routed through Bing’s “Search by Image” feature, and because of the SSRF flaw, Bing can fetch the attacker-controlled URL on the victim’s behalf and bypass Content Security Policy protections. The sensitive data embedded in the URL is thus transmitted to the attacker’s server, where they can recover it from web request logs
“Bing becomes an unwitting exfiltration proxy,” the researchers explained. “A classic SSRF, hiding in plain sight behind a CSP allowlist entry.”
Varonis says that on the victim’s side, all they see is a normal Copilot search session, and stressed that AI has transformed simple, easily addressed vulnerabilities, such as SSRF and HTML injection race conditions, into potent vulnerabilities.
Earlier this month, Microsoft patched the flaw, assigning it a maximum severity rating (10/10 critical), and tracking it as CVE-2026-42824.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-2122-80.jpg
Source link
