327/69 Wednesday, June 17, 2026

Security researchers have disclosed a vulnerability in Microsoft 365 Copilot Enterprise Search, known as SearchLeak, which could allow attackers to steal data from emails, files in SharePoint and OneDrive, as well as MFA codes or one-time verification codes. The attack could be carried out by tricking a victim into clicking a specially crafted link. Since the link is hosted on a Microsoft domain, phishing protection tools or URL filtering systems may have difficulty detecting it.
Reports indicate that the attack chains multiple vulnerabilities together, including prompt injection through Copilot search parameters, a race condition during HTML rendering, and the use of Bing Image Search as an intermediary to exfiltrate data to the attacker’s server. When the victim clicks the link, Copilot may interpret the text in the URL as an instruction, search for data that the user is authorized to access, and automatically embed that data into outbound requests.
The vulnerability has been assigned CVE-2026-42824. Microsoft described it as a command injection vulnerability in M365 Copilot that could allow an attacker to disclose information over a network. Microsoft has already implemented a backend fix, and the findings were presented as a research demonstration. There have been no reports of active exploitation. Administrators should monitor for Copilot Search links with unusual q parameters or encoded payloads, review abnormal connections to Bing image endpoints, and reassess data-access permissions in Microsoft 365 to limit the impact of similar vulnerabilities in the future.
Source: https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html
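As an added illustration (not part of the original report, and not Microsoft's or the researchers' code), the following Python script turns the monitoring advice above into a small proxy-log check: it flags Copilot Search links whose q parameter is double-encoded, carries long base64-like runs or control characters, or exceeds a length threshold, and then flags Bing image requests from the same user within two minutes of such a link. The hostnames, thresholds, log format and sample log lines are all assumptions or constructed data to adapt to your own proxy.

```python
"""Heuristic scan of web-proxy logs for Copilot Search links with unusual
q parameters, correlated with follow-on requests to Bing image endpoints."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote

# Assumed hostnames of the Copilot web app; adjust to what your proxy records.
COPILOT_HOST_SUFFIXES = ("m365.cloud.microsoft", "copilot.cloud.microsoft")
# Assumed thresholds: natural-language queries rarely exceed this raw length,
# and a related image request would normally follow within a short window.
MAX_Q_LEN = 300
CORRELATION_WINDOW = timedelta(seconds=120)

BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")  # includes CR/LF
# Assumed log format: "<ISO timestamp>Z user=<name> url=<url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) url=(?P<url>\S+)")

# Constructed filler standing in for an opaque, base64-looking blob.
FILLER = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo0MTIz" * 3

# Constructed sample log lines (not from any real environment).
SAMPLE_LOG = [
    "2026-06-17T09:10:00Z user=alice url=https://m365.cloud.microsoft/chat/?q=quarterly%20sales%20report%202026",
    "2026-06-17T09:11:30Z user=bob url=https://www.bing.com/images/search?q=office%20plants",
    f"2026-06-17T09:12:03Z user=carol url=https://m365.cloud.microsoft/chat/?q=summary%2520{FILLER}%253D%253D",
    "2026-06-17T09:12:05Z user=carol url=https://www.bing.com/images/search?q=chart",
    "2026-06-17T09:13:00Z user=dave url=https://example.com/",
    "2026-06-17T09:20:00Z user=carol url=https://www.bing.com/images/search?q=cats",
]


def parse_line(line):
    """Return {ts, user, url} for a well-formed line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m.group("user"), "url": m.group("url")}


def raw_query_param(url, name):
    """Return the still-encoded value of `name` from the query string, or None."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def q_param_reasons(raw_value):
    """Heuristics on a raw (percent-encoded) q value; empty list means unremarkable."""
    reasons = []
    once = unquote(raw_value)
    twice = unquote(once)
    if len(raw_value) > MAX_Q_LEN:
        reasons.append("q-too-long")
    if once != twice:  # a second decode changed it: payload was encoded twice
        reasons.append("q-double-encoded")
    if BASE64_RUN.search(twice):
        reasons.append("q-base64-like-run")
    if CONTROL_CHARS.search(twice):
        reasons.append("q-control-chars")
    return reasons


def is_copilot_search(url):
    host = urlsplit(url).hostname or ""
    return host.endswith(COPILOT_HOST_SUFFIXES)


def is_bing_images(url):
    parts = urlsplit(url)
    host = parts.hostname or ""
    return (host == "bing.com" or host.endswith(".bing.com")) and parts.path.startswith("/images")


def scan_log(lines):
    """Return findings as dicts {line, user, url, reasons}, in timestamp order."""
    events = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev:
            ev["line"] = n
            events.append(ev)
    events.sort(key=lambda e: e["ts"])

    findings = []
    suspicious_links = {}  # user -> timestamps of flagged Copilot links
    for ev in events:
        if is_copilot_search(ev["url"]):
            q = raw_query_param(ev["url"], "q")
            reasons = q_param_reasons(q) if q is not None else []
            if reasons:
                findings.append({"line": ev["line"], "user": ev["user"], "url": ev["url"], "reasons": reasons})
                suspicious_links.setdefault(ev["user"], []).append(ev["ts"])
        elif is_bing_images(ev["url"]):
            # Only image requests shortly after a flagged link by the same user are reported.
            recent = [t for t in suspicious_links.get(ev["user"], []) if timedelta(0) <= ev["ts"] - t <= CORRELATION_WINDOW]
            if recent:
                findings.append({"line": ev["line"], "user": ev["user"], "url": ev["url"],
                                 "reasons": ["bing-image-after-suspicious-copilot-link"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["line"], f["user"], f["reasons"], f["url"][:80])
```

Run against the constructed sample, the benign Copilot query on line 1 and the unrelated Bing image searches by bob and by carol eight minutes later produce nothing; line 3 is reported for a double-encoded, base64-looking q value, and line 4 for the Bing image request two seconds after it. Ordinary Bing image traffic is deliberately not reported on its own, since that would drown the signal the advisory points at.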
