
New attack turned Microsoft 365 Copilot into 1-click data theft tool

BleepingComputer, 15/06/2026, 13:00

Summary

AI-Generated

Key Points:

  • A critical vulnerability chain, dubbed SearchLeak (CVE-2026-42824), in Microsoft 365 Copilot Enterprise allows attackers to exfiltrate sensitive data from mailboxes, OneDrive, or SharePoint via a crafted URL.
  • The impact includes potential theft of emails, access codes, passwords, calendar events, and documents without user interaction. Microsoft has patched this vulnerability.
  • No user action is required for mitigation as the issue has been resolved. Security teams should remain vigilant against similar exploitation techniques.

Technical Details: The SearchLeak vulnerability chains three weaknesses: a parameter-to-prompt injection, an HTML rendering race condition, and a content-security-policy (CSP) bypass that relies on a server-side request forgery (SSRF) in Bing. Together these let an attacker craft a URL that instructs Copilot to search for sensitive data and exfiltrate it.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1203 - Exploitation for Client Execution (Execution)

IOCs Mentioned: None mentioned
