Agentic Intelligence · Infomly

One crafted URL. One click. Your 2FA codes, emails, and files: gone.

Varonis Threat Labs just turned M365 Copilot Enterprise into a one-click data exfiltration weapon.

They called it SearchLeak. CVE-2026-42824.

The attack chain is three moves: parameter-to-prompt injection through the URL, an HTML rendering race condition before the sanitizer kicks in, and a CSP bypass through Bing's image search endpoint that exfiltrates everything to an attacker-controlled server.

One link. One click from the victim. Copilot searches their mailbox, pulls the 2FA code, and sends it out through a Bing SSRF that your DLP policies never flagged.

The blast radius isn't personal. It's organizational.

Copilot Enterprise operates with the user's full graph permissions. The attacker inherits access to every mailbox, SharePoint site, OneDrive folder, and indexed business document the victim can see — without authenticating.

Microsoft patched it server-side June 4. No user action required.

But here's what should keep you up tonight: Microsoft rated this "max severity: critical" despite a CVSS score of 6.5. That discrepancy tells you everything about how they see the business impact.

Your AI agents don't have their own identity. They have yours. Every permission you hold, every mailbox you can read, every file you can access — your Copilot holds those keys too.

Audit your AI indexing scope today. If your Copilot can see your executive team's inboxes, so can the next attacker who crafts the right URL.

SOURCE: https://www.varonis.com/blog/searchleak
VERIFIED: Varonis Threat Labs, Microsoft MSRC (CVE-2026-42824), NVD, Dark Reading
SIGNAL: This is the first confirmed weaponization of AI permission inheritance for data exfiltration. Every enterprise running Copilot now has an AI agent that shares the full access graph of every user it serves.