Varonis "SearchLeak" turned Microsoft 365 Copilot into a one-click data-theft tool

breakthroughDeveloperLegal

Tuesday, June 16, 2026

Conviction

High

Time horizon

This week

Risk

AI-specific prompt injection is now a CVE-bearing enterprise security class

The News

A critical vulnerability chain in Microsoft 365 Copilot Enterprise has been patched after researchers demonstrated that a single click on a legitimate Microsoft domain link could silently steal sensitive corporate data, including MFA codes, email contents, calendar details, and confidential files, with no user interaction beyond that click; dubbed SearchLeak and tracked as CVE-2026-42824, the flaw was uncovered by Varonis Threat Labs researcher Dolev Taler and earned Microsoft's maximum severity rating , per Cyber Press. The chain combines a relatively new class of AI-specific vulnerability known as Parameter-to-Prompt Injection (P2P) with two classic web security bugs: an HTML injection race condition and a server-side request forgery (SSRF) , per Varonis. Microsoft assigned CVE-2026-42824 and marked it critical; the company mitigated the flaw on its backend, so customers have nothing to worry about, and Varonis presented a proof-of-concept, not observed exploitation , per The Hacker News.

The Read

The patch is the boring part. What matters for any team shipping an enterprise LLM is the architecture lesson: SearchLeak chained one AI-specific bug (prompt injection via URL parameter) with two completely standard web bugs (race condition, SSRF) that have been understood for fifteen years. SSRF and sanitizer races are old bug classes; the prompt injection is the new part, and it makes them reachable again . Translation: every dormant low-severity bug in your LLM application's surrounding web stack just became potentially reachable as an exfiltration path, because the LLM is a willing accomplice that follows instructions in its inputs. The same pattern showed up in EchoLeak (CVE-2025-32711), the zero-click Copilot data-leak bug Aim Security disclosed in 2025 — meaning this is the second time in twelve months that a Copilot prompt-injection chain has reached critical severity. If your AI security review still treats prompt injection as a content-policy problem and not as an arbitrary-instruction primitive that re-weaponizes your existing web vulnerabilities, you're auditing the wrong threat model.

Do This Week

Add the SearchLeak architecture pattern to your LLM application threat model before Friday: assume any URL parameter, document, or email that reaches the model is an executable instruction, then re-rank every CSP-allowlisted domain and every output-sanitization race in your stack as a potential exfiltration sink. The fix isn't "block prompt injection" — it's never allowing model-generated output to fetch external resources during the streaming phase.

For Developer — security engineering leads