High

Microsoft’s SearchLeak (CVE-2026-42824) is a critical vulnerability chain affecting Microsoft 365 Copilot Enterprise that enabled attackers to exfiltrate sensitive organizational data with just a single click on a malicious link hosted on a legitimate Microsoft domain. Discovered by Researcher, the flaw received Microsoft’s highest severity rating before being fully patched. Unlike traditional vulnerabilities, SearchLeak is not a standalone bug but a sophisticated attack chain that combines AI-specific prompt manipulation with classic web security weaknesses, allowing attackers to access emails, MFA codes, calendar entries, corporate documents, and other data available to the victim within their Microsoft 365 environment.

The attack begins with a Parameter-to-Prompt (P2P) Injection vulnerability in Copilot Search. Microsoft 365 Copilot accepts a q URL parameter intended for natural-language search queries; however, attackers discovered that this parameter could also be interpreted as AI instructions. By crafting a malicious URL on a trusted Microsoft domain, attackers could instruct Copilot to search the victim’s mailbox or other accessible resources and embed the extracted information into a specially crafted image URL. Because the link originates from a legitimate Microsoft domain, traditional phishing defenses, URL reputation services, and security filters are unlikely to identify it as malicious.

The second stage exploits a race condition in Copilot’s HTML rendering process. Microsoft attempts to prevent malicious AI-generated HTML from executing by wrapping output in <code> blocks after content generation. However, during the streaming phase of Copilot’s response, attacker-controlled HTML elements—such as <img> tags—are temporarily rendered in the browser before sanitization occurs. This timing gap allows the browser to process and send requests associated with the malicious HTML before Microsoft’s security controls can neutralize the content, effectively bypassing the intended safeguards.

The final stage leverages a Server-Side Request Forgery (SSRF) technique through Bing’s image search infrastructure. Although Microsoft’s Content Security Policy (CSP) prevents direct communication with attacker-controlled domains, Bing domains are allowlisted. Attackers embed stolen data into a Bing “Search by Image” URL, causing Bing’s backend servers to retrieve the attacker-specified resource and inadvertently forward the exfiltrated information to an external server under the attacker’s control. The entire attack chain executes silently after a single click, requiring no additional user interaction. While Microsoft has patched the vulnerability server-side, organizations should continue monitoring Copilot search URLs for suspicious encoded payloads, review CSP allowlists, treat AI-generated streaming content as untrusted, and educate users to be cautious of Microsoft links containing unusually long or encoded query strings.