One click on a microsoft.com link. That was enough to turn M365 Copilot Enterprise into a data exfiltration weapon that steals 2FA codes, board meeting notes, and acquisition plans. No malware. No credentials. A link and an AI that was too useful for its own good. Varonis discovered SearchLeak (CVE-2026-42824) — and the attack chain is more sophisticated than it appears.
The vector: q as an executable instruction
The q parameter in the M365 Copilot search URL is passed directly to the AI engine as an executable instruction, not as a search string. Whatever you put in q is interpreted as a command. This is prompt injection in its most direct form: the attacker needs no account access, no malware, no credentials. They need the victim to click a microsoft.com link — a domain that is not blocked by anti-phishing filters.
The attack chain has seven steps and combines three distinct techniques:
- Attacker sends a URL with instructions in the
qparameter (microsoft.com domain, not blocked). - Victim clicks. Copilot interprets
qas an instruction, searches the inbox, SharePoint, OneDrive. - Copilot generates a response with an
<img>tag containing stolen data in the URL. - During streaming, the browser renders the
<img>before the sanitizer wraps it in code blocks (race condition). - Browser sends a request to
bing.com/images/searchbyimage(CSP-allowlisted). - Bing's backend performs a server-side fetch of the attacker's URL.
- Attacker reads the stolen data from server logs.
Each step is necessary. Each one bypasses a different protection. And the result is silent exfiltration of any data Copilot can access via Microsoft Graph.
Bing as a trampoline: CSP is irrelevant server-side
M365's CSP allowlists *.bing.com. This makes sense for the browser — Copilot needs Bing for search. But Bing's "Search by Image" endpoint performs server-side fetch of arbitrary URLs. The attacker encodes stolen data in the URL path. The client-side browser never accesses the attacker's server. CSP is irrelevant for server-side requests.
According to Varonis: "Browser CSP? Irrelevant for server-side requests." This is the architectural lesson that extends beyond M365. Any domain on the CSP allowlist that has server-side fetch capability is a potential exfiltration channel. CSP protects the browser. It does not protect what the backend does with the URLs it receives.
The race condition in streaming is the trigger. During the streaming of Copilot's response, the browser renders the <img> tag before the sanitizer wraps the content in code blocks. The time window is small, but sufficient. The browser fires the request to Bing, Bing performs the server-side fetch, and the data reaches the attacker.
What was exposed: everything Graph indexes
The exposure scope is determined by what Copilot can access via Microsoft Graph. According to Varonis, this includes: MFA/2FA codes arriving in the inbox, password reset links, email content, calendar events, SharePoint documents, OneDrive files, salary documents, and acquisition plans. Any indexed content the victim could access.
For a board executive, this means confidential meeting notes and strategic plans. For the CFO, salary documents and financial projections. For any user, 2FA codes and password reset links — which opens the door to account takeover. Copilot does not distinguish between sensitive and ordinary data. It simply responds to the prompt.
The 12-month escalation: three chains, same target
SearchLeak is not an isolated incident. It is the third exfiltration attack via M365 Copilot in 12 months, and each one targets a higher tier:
- EchoLeak (CVE-2025-32711, CVSS 9.3, zero-click, 2025): crafted email + Teams proxy to bypass CSP. M365 Copilot.
- Reprompt (Varonis, January 2026): one-click, P2P injection, Copilot Personal.
- SearchLeak (CVE-2026-42824, June 2026): one-click, P2P injection + HTML race condition + SSRF via Bing. Copilot Enterprise.
Each chain bypasses the protections that the previous fix should have established. EchoLeak exploited CSP. Reprompt escalated the tier. SearchLeak combined three techniques and escalated to Copilot Enterprise — the tier with the broadest access to corporate data.
The pattern is clear: every AI assistant with broad data access sits on a geological fault. Nobody knows how to fundamentally prevent prompt injection. Microsoft's patch fixed this specific chain. But the next vector is a matter of time.
The CVSS gap: 6.5 for stealing the CEO's 2FA codes
Microsoft classified SearchLeak as "Critical" internally. The numerical CVSS score: 6.5. When your AI assistant steals the CEO's 2FA codes with one click, is 6.5 the right number?
The gap between Microsoft's internal classification and the CVSS score reflects a structural limitation of CVSS for AI vulnerabilities. CVSS measures technical impact — confidentiality, integrity, availability. But the real impact of an AI assistant that steals 2FA codes, acquisition plans, and salary documents goes far beyond what CVSS captures. The impact is contextual: it depends on who the victim is, what data they access, and what an attacker can do with real-time 2FA codes.
According to Varonis, the recommendation is to treat streaming AI output as untrusted. Sanitization must happen at render time, not as post-processing. This is architecture, not a patch.
The board question
What is the plan when AI tools become the attack surface? It is not a question of if, but when. Three exfiltration chains in 12 months show that M365 Copilot is an active target and that attackers are evolving faster than the defenses.
At Tech86, we apply this lesson in practice: our Perimeter Shield WAF monitors and filters anomalous requests that indicate data exfiltration, including SSRF and race condition patterns in application layers. When CSP is irrelevant because exfiltration happens server-side, behavioral detection at the perimeter is the defense that remains. The patch fixes the vector. The security architecture fixes the surface.