Your M365 Copilot links are now data exfiltration weapons

Varonis just turned Microsoft 365 Copilot Enterprise into a one-click data theft tool.

The attack is called SearchLeak.

One crafted URL. One employee click. Your emails, MFA codes, SharePoint docs, OneDrive files — all silently routed to an attacker's server.

Here's how it works:

The URL's search parameter gets interpreted as an AI instruction, not a search query.

The AI searches the victim's mailbox, finds the data, and embeds it in an image tag.

A race condition fires the image before sanitization kicks in.

Bing's image search endpoint — whitelisted in Microsoft's own CSP — proxies the data to the attacker.

Three vulnerabilities chained together.

One is AI-native: Parameter-to-Prompt injection.

The other two are classic web bugs that only become critical because the AI executes them.

Microsoft patched this as CVE-2026-42824. Critical severity.

But here's what should keep you up tonight:

This is not a Copilot problem. This is an architecture pattern problem.

Every AI service that accepts URL query parameters and executes them as prompts is exposed.

Varonis confirmed they tested other LLMs. Some had the same class of vulnerability.

If your AI-enhanced web apps use ?q= parameters to pass natural language to an LLM, you are running the same attack surface Microsoft just patched.

Audit every AI-powered service in your stack that accepts URL-based prompts.

If you cannot confirm they filter input at the URL layer and sanitize output at render time — not post-processing — assume compromise.

Microsoft's patch is server-side. Your other vendors may not have one.

SOURCE: https://www.csoonline.com/article/4186970/m365-copilot-searchleak-your-prompt-injection-attack-surface-just-got-bigger.html
VERIFIED: Varonis Threat Labs research disclosure (June 15), CSO Online analysis (June 19), Dark Reading report (June 15), Microsoft MSRC advisory CVE-2026-42824
SIGNAL: This is the first confirmed AI-native vulnerability class (Parameter-to-Prompt injection) that chains with legacy web bugs to enable one-click enterprise data theft. Every CISO running M365 Copilot needs to verify the patch is applied and audit other AI services for the same pattern.