Critical Copilot Vulnerability Allowed Hackers to Steal 2FA Code From Users
Varonis said the chained flaw could expose email content, calendar details and access codes before Microsoft fixed CVE-2026-42824.
- Varonis researchers discovered SearchLeak, a critical vulnerability in Microsoft Copilot Enterprise Search, which Microsoft patched on Tuesday as CVE-2026-42824 with a maximum severity rating.
- The three-stage attack chain combines a Parameter-to-Prompt Injection, an HTML rendering race condition, and a CSP bypass enabled by Bing server-side request forgery, allowing attackers to bypass security protections.
- "The victim doesn't type anything. They click a link, and Copilot takes care of the rest," Varonis researchers explained, describing how attackers craft malicious links to exfiltrate emails and documents.
- Microsoft has already fixed the vulnerabilities that SearchLeak exploited, meaning users require no action to mitigate this threat.
- SearchLeak targeted Copilot Enterprise Search, potentially exposing sensitive corporate data including emails, meeting notes, SharePoint documents, and OneDrive files accessible within organizations.
14 Articles
Critical Copilot vulnerability allowed hackers to steal 2FA code from users
Last Tuesday, Microsoft patched a vulnerability it rated as max critical in its M365 Copilot AI platform. On Monday, the researchers who discovered the vulnerability and reported it to Microsoft revealed how their proof-of-concept exploit could retrieve 2FA codes and other sensitive data from emails accessible to Copilot. Microsoft and other LLM providers have been unable to prevent their products from complying with malicious requests to reveal…
New attack turned Microsoft 365 Copilot into 1-click data theft tool
A critical vulnerability chain dubbed SearchLeak in Microsoft 365 Copilot Enterprise could allow attackers to steal sensitive data from a target's mailbox, OneDrive, or SharePoint account through a specially crafted URL.
Varonis security researchers have found a new route of attack to easily read confidential data from business environments via Microsoft 365 Copilot.
The failure in Microsoft 365 Copilot re-emphasized the security risks in corporate artificial intelligence tools, especially when integrated into complex cloud ecosystems. Researchers at Varonis Threat Labs revealed a critical vulnerability that allowed data theft with just one click, without the need for additional credentials or sophisticated exploration by the attacker. The problem, named SearchLeak and categorized as CVE-2026-42824, exposed …
By treating a request as an instruction to execute, Microsoft 365 Copilot could again be hijacked to search for internal content without permission, then rely on Bing to extract the recovered data.

Coverage Details
Bias Distribution
- 100% of the sources are Center