One Click of Microsoft 365 Copilot Flaw Could Let Attackers Steal Emails, Files, and MFA Codes
A single click on a trusted Microsoft link could have allowed an attacker to pull emails, calendar information, and indexed files out of Microsoft 365 Copilot Enterprise Search.
Researchers at Varonis Threat Labs have tied up three bugs in what they call a one-click method. SeshaLeak. Because the link points to the actual microsoft.com domain, conventional anti-phishing tools and URL filtering were unlikely to flag it.
No instant, no password, no second click. Microsoft assigned CVE-2026-42824 and marked it as critical; CVSS scores are low and negative, 6.5 from Microsoft and 7.5 from the National Vulnerability Database. The company has reduced the error in its backend, so customers don’t have to worry about it, and Varonis presented a proof-of-concept, not an exploit.
Three bugs, one click
Microsoft’s advisory describes the bug as command injection that can reveal information about the network. Essentially, SearchLeak piles up some AI-specific weaknesses on two old web bugs, and each link is necessary to the next.
The entrance is q parameter in the Copilot Enterprise Search URL. It’s designed for natural language querying, but Copilot reads whatever is sitting there as instructions, not just a search string.
Varonis calls this Parameter injection to Prompt. The attacker writes a URL that tells Copilot to search the mailbox, take the subject of the email, and place it inside the image URL. The victim does not write anything. They click, and Copilot does the work.
Next is the race condition in the way the answer gives. Microsoft’s Guardrail wraps Copilot’s output inside prevents the browser from treating the tag as text. Timing: wrapping occurs after Copilot has finished rendering, but the browser renders the stream as it arrives. Injected the marker is drawn and burns its application before the sanitizer starts. By the time the output is reduced, the request is already gone.
The last link makes the data pass the Content Security Policy of the page. The CSP at m365.cloud.microsoft blocks images from inappropriate domains, but whitelists *.bing.com. Bing’s “Search by Image” endpoint accepts an image URL and fetches it from the server side to analyze it. Point the download to the attacker’s server with encrypted text in the path, and Bing downloads it. The browser’s CSP doesn’t work, because the request comes from Bing’s infrastructure. Bing becomes a download proxy. The CSP whitelist is hidden.
Combined: the victim clicks, Assistant searches their data, the response embeds the value as an email subject into the Bing image URL, the browser calls Bing during the stream, and Bing pulls the attacker’s URL. An attacker reads it from their logs, for example, a request for /Your_Security_Code_847291/img.png.
That’s what the attacker gets
Copilot Enterprise can access anything a logged-in user can’t access, by accessing the Microsoft Graph, and an attacker can inherit access without logging in.
The most time-sensitive reward lives in the inbox: one-time codes, MFA codes, and password reset links, often still valid for a few minutes. A script that raises that log while a window is open can take over the account before anyone sees it.
The same access also accesses calendar invitations, meeting notes, and any SharePoint or OneDrive file Copilot has indexed, where salary data, salary calculations, and acquisition plans reside.
SearchLeak is the second time Varonis has shown this pattern. Varonis researcher Dolev Taler demonstrated a one-click approach to Reprompt’s previous attack against Copilot Personal, and resisted Enterprise Search despite the additional precautions the tier must implement.
A similar pattern was shown in EchoLeak (CVE-2025-32711), the zero-click Copilot data-leak bug Aim Security disclosed in 2025. The SSRF and sanitizer races are older classes of insects; quick injection is a new feature, and makes them affordable again.
Microsoft has mitigated the error on its backend, and because Copilot Enterprise is a managed service, tenant administrators cannot patch or refactor failed components. All they can do is view and contain.
Look for Copilot Search URLs that carry payloads encoded or HTML in the q parameter, and unusual outbound requests to the bottom of the Bing image. Tighten data access governance so that Copilot identifies less, less access to any future leaks.
