{“lastseen”:”2026-06-15T15:16:05″,”description”:”\\n\\nA single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot Enterprise Search.\\n\\nResearchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call **SearchLeak**. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it.\\n\\nNo prompt, no password, no second click. Microsoft assigned CVE-2026-42824 and marked it critical; the CVSS scores ran lower and disagreed, 6.5 from Microsoft and 7.5 from the National Vulnerability Database. The company mitigated the flaw on its backend, so customers have nothing to worry about, and Varonis presented a proof-of-concept, not observed exploitation.\\n\\n## Three bugs, one click\\n\\nMicrosoft’s advisory describes the flaw as a command injection that can expose information over a network. In practice, SearchLeak stacks one AI-specific weakness on two old web bugs, and each link is needed for the next.\\n\\nThe entry point is the **q** parameter in the Copilot Enterprise Search URL. It is meant for a natural-language query, but Copilot reads whatever sits there as instructions, not just a search string.\\n\\nVaronis calls this **Parameter-to-Prompt injection**. An attacker writes a URL that tells Copilot to search the mailbox, take an email title, and place it inside an image URL. The victim types nothing. They click, and Copilot does the work.\\n\\nNext is a race condition in how the response renders. Microsoft’s guardrail wraps Copilot output in **\\u003c code\\u003e** blocks so the browser treats markup as text. The catch is timing: the wrapping happens after Copilot finishes generating, but the browser renders the stream as it arrives. The injected** \\u003cimg\\u003e** tag is drawn and fires its request before the sanitizer runs. By the time the output is neutralized, the request has already left.\\n\\nThe last link gets the data past the page’s Content Security Policy.\\n\\nThe CSP on m365.cloud.microsoft blocks images from arbitrary domains, but it allowlists *.bing.com. Bing’s \\”Search by Image\\” endpoint accepts an image URL and fetches it server-side to analyze it. Point that fetch at an attacker’s server with the stolen text encoded in the path, and Bing retrieves it. The browser’s CSP never applies, because the request comes from Bing’s infrastructure. Bing becomes the exfiltration proxy. The CSP allowlist does the hiding.\\n\\n\\n\\nPut together: the victim clicks, Copilot searches their data, the response embeds a value like an email subject in a Bing image URL, the browser calls Bing during streaming, and Bing pulls the attacker’s URL. The attacker reads it off their own logs, for example, a request for \/Your_Security_Code_847291\/img.png.\\n\\n## What an attacker gets\\n\\nCopilot Enterprise can reach whatever the signed-in user can, through their Microsoft Graph access, and the attacker inherits that reach without ever logging in.\\n\\nThe most time-sensitive prize sits in the inbox: one-time codes, MFA codes, and password-reset links, often still valid for a few minutes. A script that lifts those off a log while the window is open can take over an account before anyone notices.\\n\\nThe same access also reaches calendar invites, meeting notes, and any SharePoint or OneDrive file Copilot has indexed, where the salary data, earnings figures, and acquisition plans live.\\n\\nSearchLeak is the second time Varonis has shown this pattern. Varonis researcher Dolev Taler demonstrated the same one-click technique in an earlier Reprompt attack against Copilot Personal, and it held up against Enterprise Search despite the extra guardrails that tier is supposed to enforce.\\n\\nThe same pattern showed up in EchoLeak (CVE-2025-32711), the zero-click Copilot data-leak bug Aim Security disclosed in 2025. SSRF and sanitizer races are old bug classes; the prompt injection is the new part, and it makes them reachable again.\\n\\nMicrosoft mitigated the flaw on its backend, and because Copilot Enterprise is a managed service, tenant admins cannot patch or reconfigure the parts that failed. What they can do is watch and contain.\\n\\nLook for Copilot Search URLs carrying encoded payloads or HTML in the q parameter, and for unusual outbound requests to Bing’s image endpoints. Tighten data-access governance so Copilot indexes less, which shrinks what any future leak can reach.\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-06-15T15:09:00″,”modified”:”2026-06-15T15:09:05″,”type”:”thn”,”title”:”One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files”,”source”:””,”references”:””,”id”:”THN:0C053FA1B9E28CFF8B119BFB93E9A94A”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[“CVE-2026-42824″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/06\/one-click-microsoft-365-copilot-flaw.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-15T15:16:05″,”description”:”\\n\\nA single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,16,12,15,13,7,11,43,5],"class_list":["post-62675","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n