
Microsoft Copilot's 'SearchLeak' Flaw Let Attackers Steal MFA Codes and Emails in One Click

Security researchers at Varonis Threat Labs discovered a critical three-stage attack chain in Microsoft 365 Copilot—dubbed 'SearchLeak'—that allowed a single malicious link to exfiltrate email threads, financial documents, and live multi-factor authentication codes. Microsoft patched CVE-2026-42824 (CVSS 9.1) on June 9, 2026 ahead of public disclosure, but the vulnerability highlights how AI assistants with broad enterprise data access create attack surfaces that traditional security models were not designed for.


A vulnerability in Microsoft 365 Copilot allowed attackers to steal complete email threads, financial documents, and live multi-factor authentication codes from enterprise victims using nothing more than a single malicious link. Discovered by Varonis Threat Labs and disclosed on June 15, 2026, the flaw — catalogued as CVE-2026-42824 — earned a CVSS score of 9.1, placing it firmly in the critical severity tier.

Microsoft had already deployed a fix during its June 9 Patch Tuesday cycle before Varonis published its findings, meaning most enterprises are now protected. But the incident has reignited industry debate about what happens when AI assistants get deep, ambient access to an organization’s most sensitive data.

How SearchLeak Worked

Varonis researchers named the attack chain “SearchLeak” because it weaponized Microsoft Copilot’s core functionality — the ability to search across a user’s entire Microsoft 365 environment, including email, Teams, SharePoint, and OneDrive — and turned it into an exfiltration channel.

The attack operated in three sequential stages, each exploiting a different component of the M365 ecosystem:

Stage 1: Initial Delivery. Attackers distributed malicious links via email, Microsoft Teams messages, or SharePoint documents. When an authenticated M365 user clicked the link while logged into Copilot, the attack chain activated. No phishing credential collection was involved — the user’s own legitimate session was the attack vector.

Stage 2: Parameter-to-Prompt (P2P) Injection. The crafted URL parameters triggered background requests to Copilot endpoints. The attacker-controlled URL contained hidden instructions that were parsed as search directives, causing Copilot to execute queries on behalf of the attacker. This variant of prompt injection is distinctive because it required no direct interaction with Copilot’s chat interface — the injection happened silently through the URL structure.

Stage 3: Exfiltration Loop via SSRF. A server-side request forgery (SSRF) vulnerability in Bing’s image search endpoint, combined with an HTML rendering race condition in how Copilot displayed results, allowed Copilot to be tricked into routing search result data to attacker-controlled servers rather than returning it to the legitimate user. The system believed it was sending data to authorized third-party services; in practice, it was streaming enterprise data to an attacker-controlled endpoint.

The three-stage chain is significant because no single component was individually catastrophic. P2P injection alone cannot exfiltrate data. SSRF alone requires separate injection. The HTML rendering race condition alone is a minor display bug. It was the specific combination, in sequence, that created a critical one-click data theft capability.

What Could Be Stolen

Varonis demonstrated successful extraction of:

  • Complete email threads including attachments, with no visible indication to the victim that anything had occurred
  • Financial documents and internal strategy files stored in SharePoint or OneDrive
  • Password reset links captured before the victim had clicked them, allowing account takeover
  • Multi-factor authentication codes from the Microsoft Authenticator app, effectively bypassing the second factor entirely

The MFA code theft is the most alarming element. It means an attacker who obtained a user’s primary credentials through any other means — phishing, credential stuffing, previous breach exposure — could use a single SearchLeak link to capture the MFA code in real time, completing a full account takeover without any secondary phishing step.

Why AI Assistants Expand the Attack Surface

The SearchLeak vulnerability is not a simple SQL injection or buffer overflow. It exploits a fundamental architectural property of AI assistants with broad organizational access: they are, by design, capable of reading and synthesizing data across an entire enterprise knowledge base. That capability is the product’s value proposition. It is also precisely what makes a successful prompt injection so dangerous.

A traditional enterprise search tool indexed and returned documents to the querying user — and only that user. An AI assistant like Copilot goes further: it reads, interprets, and summarizes content across organizational boundaries, serving as a single privileged context window over an organization’s data. An attacker who can inject instructions into that context window effectively operates with the same access level as the victim.

Andrei Florin Buzoianu, a lead researcher at Varonis who presented the findings, noted that the prompt injection occurred not through the chat interface but through URL parameters — an attack vector that many enterprise security teams had not considered in their AI security reviews. “Most organizations have thought about malicious prompts in the chat window,” he said. “Almost none have considered that the URL is also a prompt.”

Patch Status and Remediation

Microsoft deployed fixes in the June 9 Patch Tuesday release. Because M365 Copilot is cloud-delivered, the core server-side patches rolled out transparently without requiring enterprise IT teams to push updates to individual endpoints.

The patch modifies how Copilot processes custom protocol links, implementing allowlist validation on all links before Copilot engages with them and stripping potentially hazardous parameters from URL structures. Microsoft also updated detection signatures in both Defender for Cloud Apps and Defender for Office 365 to flag suspicious Copilot search patterns consistent with SearchLeak-style exploitation.
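The allowlist-and-strip approach described above, as an added example (not Microsoft's code): a link is rejected unless its scheme and host are allowlisted, and only known parameters whose values are plain identifiers survive, so free text in the URL never reaches the assistant. The host `assistant.example.com`, the scheme `ms-assistant` and the parameter names `chat_id` and `lang` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed policy for illustration: host and parameter names are placeholders,
# not values taken from Microsoft's patch.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"assistant.example.com"}
ALLOWED_PARAMS = {"chat_id": 64, "lang": 8}      # name -> max value length
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]*")       # identifiers only, no free text


def sanitize_link(url):
    """Return (clean_url, reasons); clean_url is None when the link is rejected."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on a bad port
    except ValueError:
        return None, ["unparseable URL"]
    if parts.scheme not in ALLOWED_SCHEMES:
        return None, [f"scheme {parts.scheme!r} not allowlisted"]
    if parts.username is not None or parts.password is not None:
        return None, ["userinfo in authority"]
    if host not in ALLOWED_HOSTS or port not in (None, 443):
        return None, [f"host {parts.netloc!r} not allowlisted"]

    kept, reasons = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        limit = ALLOWED_PARAMS.get(name)
        if limit is None:
            reasons.append(f"dropped unknown parameter {name!r}")
        elif len(value) > limit or not SAFE_VALUE.fullmatch(value):
            reasons.append(f"dropped parameter {name!r}: value not an identifier")
        else:
            kept.append((name, value))
    if parts.fragment:
        reasons.append("dropped fragment")
    # Rebuild from the validated host and parameters; the fragment is discarded.
    clean = urlunsplit(("https", host, parts.path, urlencode(kept), ""))
    return clean, reasons


# Constructed sample links (not taken from the SearchLeak research).
SAMPLES = [
    "https://assistant.example.com/chat?chat_id=abc123&q=free+text+for+the+assistant",
    "https://assistant.example.com/chat?chat_id=free+text+here",
    "https://assistant.example.com.attacker.example/chat?chat_id=abc123",
    "ms-assistant://open?chat_id=abc123",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(sanitize_link(link))
```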

For enterprises seeking to verify their exposure, Microsoft recommends reviewing Azure Active Directory logs for anomalous Copilot activity in the period between SearchLeak’s earliest confirmed exploitation date and the June 9 patch deployment. The company also released an updated AI Security Dashboard providing visibility into Copilot data access patterns across the tenant.

The Broader Pattern

SearchLeak is not an isolated incident. Since Microsoft 365 Copilot entered general availability in late 2023, security researchers have identified a recurring class of vulnerabilities in which the AI assistant’s broad data access becomes an amplifier for traditional attack techniques. A 2025 report from Tenable catalogued fourteen distinct prompt injection scenarios across M365 Copilot; SearchLeak represents a refinement of that threat model, not a departure from it.

The pattern reflects a general tension in enterprise AI deployment: the most capable AI assistants are useful precisely because they have broad, ambient access to organizational data, but that same access makes them high-value targets for exfiltration attacks. Traditional data loss prevention tools were designed to intercept data leaving through known channels — email attachments, USB drives, cloud uploads. An AI assistant that autonomously queries and synthesizes data in response to injected instructions does not fit cleanly into those models.

Industry analysts expect the incident to accelerate adoption of AI-specific zero-trust architectures, in which AI assistants are granted only the minimum data access required for a specific task, validated on a per-request basis, rather than operating with persistent broad access to the full organizational data estate. Several enterprise security vendors have already announced AI access governance products in the weeks surrounding the SearchLeak disclosure.

For now, the immediate guidance is simple: apply the June 2026 cumulative updates, review Copilot access logs for anomalous activity, and treat enterprise AI assistants with the same scrutiny currently applied to privileged identity management accounts. The AI assistant is not just a productivity tool. It is a data access credential.
