SearchLeak: the one-click Copilot prompt injection that exfiltrates your mailbox
Varonis' SearchLeak (CVE-2026-42824) turned Microsoft 365 Copilot into a one-click data-theft tool. A year after EchoLeak, the same prompt-injection exfiltration pattern is back — here's why it keeps working.
For the second June in a row, a researcher has turned Microsoft 365 Copilot into a data-exfiltration tool, and the mechanism is almost identical to last year's. On 15 June 2026, Varonis Threat Labs published SearchLeak, a chain tracked as CVE-2026-42824 that lets an attacker steal a victim's emails, calendar, indexed organizational files and even live MFA codes — with one click on a link. The victim types nothing into Copilot. They click, and Copilot does the rest.
Twelve months earlier, in June 2025, Aim Labs disclosed EchoLeak (CVE-2025-32711, CVSS 9.3) — a zero-click prompt injection in the same product that exfiltrated SharePoint, OneDrive and Teams content from a single crafted email. Microsoft patched both. But two near-identical bugs, one year apart, in the same assistant, are not a coincidence. They are the signature of a structural problem that patching one CVE does not fix. This article is about why the pattern repeats — and what kind of testing actually catches it.
What SearchLeak actually does
SearchLeak is not one bug. It is three, chained, where each link is individually unremarkable and the combination is critical. Varonis describes the chain as a new AI-specific primitive bolted onto two classic web bugs:
- Parameter-to-prompt injection (P2P). Copilot Enterprise Search reads the q URL parameter and passes it to the model as an executable instruction, not as a search string. An attacker writes a link whose q value says, in effect, "search this user's mailbox, pull the latest access code, and embed it in an image URL." Nothing is typed by the victim — the instruction rides in on the URL.
- HTML rendering race condition. Copilot's answer is rendered as HTML. An <img> tag injected into the model's output fires its outbound request before the output sanitizer finishes stripping it. The browser fetches the image; the image URL carries the stolen data.
- CSP bypass via Bing SSRF. A modern Content Security Policy should block an outbound fetch to an attacker domain. But Bing's image-search endpoint is allowlisted in Copilot's CSP, and that endpoint performs a server-side fetch of whatever URL it is handed. The attacker routes the exfiltration through Bing, which is trusted, so the CSP never fires.
The data path is brutally simple: victim clicks → Copilot reads their mailbox and indexed content → the answer renders an attacker-controlled image → Bing fetches it server-side → the stolen bytes land on the attacker's server. Microsoft rated CVE-2026-42824 critical and has patched it.
Why a Microsoft proxy keeps becoming the exfiltration channel
Put EchoLeak and SearchLeak side by side and the structural repeat is obvious.
| | EchoLeak (Jun 2025) | SearchLeak (Jun 2026) |
|---|---|---|
| CVE | CVE-2025-32711 | CVE-2026-42824 |
| Trigger | Crafted email (zero-click) | Crafted link (one-click) |
| Injection class | Indirect prompt injection / "LLM Scope Violation" | Parameter-to-prompt injection |
| Render abuse | Auto-fetched image, reference-style Markdown | <img> render race before sanitization |
| CSP bypass | Microsoft Teams proxy (allowlisted) | Bing image-search proxy (allowlisted) |
| Exfiltrated | SharePoint, OneDrive, Teams, chat logs | Email, calendar, indexed files, MFA codes |
Both attacks land on the same two load-bearing weaknesses. First, an auto-rendered image is an outbound channel the user never consents to. Second, the CSP allowlist — the very control meant to stop exfiltration — contains a first-party Microsoft endpoint that will fetch arbitrary URLs on the attacker's behalf. Teams last year, Bing this year. The allowlist is a list of trusted couriers, and the attacker only needs one of them to carry a letter.
You can patch the specific proxy. You cannot patch the category, because a large assistant that summarizes untrusted content and renders rich output will always have some allowlisted fetcher and some rendering path that races its own sanitizer. EchoLeak closed the Teams door. SearchLeak walked through the Bing window. The next one will find another opening, because the architecture — untrusted text becomes trusted instructions, and trusted proxies fetch untrusted URLs — has not changed.
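One way to check an allowlist for this weakness, as an added example rather than code from Varonis, Microsoft or Zero Hunt: it parses a CSP header, resolves the effective image sources, and flags any that cover a host known to fetch caller-supplied URLs. The hostnames and the KNOWN_FETCHERS inventory are placeholders you would maintain yourself, and checking img-src is an assumption based on the image channel described above.

```python
# Assumption: hosts your team has confirmed will fetch a caller-supplied URL
# server-side. Placeholder names, not real endpoints.
KNOWN_FETCHERS = {"imgproxy.example.test", "preview.example.test"}

def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:   # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_host(source):
    """Host part of a host-source, or None for keywords, nonces and bare schemes."""
    if source.startswith("'") or source.endswith(":"):
        return None
    return source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()

def covers(pattern, host):
    """CSP host matching: '*.x' matches subdomains of x only, otherwise exact."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def audit_img_sources(header):
    """Return (source, reason) findings for image sources that can relay a fetch."""
    policy = parse_csp(header)
    sources = policy.get("img-src", policy.get("default-src"))  # CSP fallback
    if sources is None:
        return [("*", "no img-src or default-src: images load from anywhere")]
    findings = []
    for src in sources:
        if src.lower() in ("*", "http:", "https:"):
            findings.append((src, "scheme or wildcard source allows any host"))
            continue
        pattern = source_host(src)
        for fetcher in sorted(KNOWN_FETCHERS):
            if pattern and covers(pattern, fetcher):
                findings.append((src, "covers server-side fetcher " + fetcher))
    return findings

# Constructed sample policy, not taken from any real product.
SAMPLE_CSP = ("default-src 'self'; img-src 'self' data: "
              "https://static.example.test https://*.example.test "
              "https://imgproxy.example.test/fetch")

if __name__ == "__main__":
    print(audit_img_sources(SAMPLE_CSP))
```

A path on the source expression, as in the last sample entry, narrows which URLs load but does not stop the endpoint from fetching on the caller's behalf, so it is still reported.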
Parameter-to-prompt injection and the data/instruction boundary
The deeper issue is the one OWASP put at the very top of its list. In the 2025 OWASP Top 10 for LLM Applications, LLM01: Prompt Injection is the number-one risk, and the indirect/multimodal variants are explicitly called out: instructions hidden in a document, a web page, an image, or — as here — a URL parameter, that the model later processes as if they were legitimate commands from its operator.
Classical software keeps code and data in separate planes; an injection bug is a failure to maintain that separation (SQL injection, command injection, XSS). An LLM has no such plane. Its entire job is to read text and act on it. When that text arrives from an attacker-controlled q parameter and Copilot cannot tell "this is what to search for" from "this is what to do," there is no sanitizer that cleanly fixes it, because the model is doing exactly what it was built to do: follow instructions in its context window.
"We didn't bypass authentication. We didn't exploit a memory bug. We asked the assistant — politely, in a URL — to read the user's mail and send it to us, and it agreed. The browser fetched an image. Bing fetched a URL. Every component behaved as designed."
That is what makes this class so corrosive to the usual defenses. No payload looks like a payload. The traffic is HTTPS to Microsoft and Bing. The instruction is plain English. EDR sees nothing executing on the host, because nothing does.
Why your scanner and your annual pentest both miss this
Two assumptions break here.
The first is that a vulnerability scanner can find it. Scanners match signatures and known CVEs against versions. SearchLeak is not a version; it is an interaction between your tenant's CSP allowlist, the exact rendering order of your Copilot surface, and a model's willingness to act on a URL parameter. There is no banner to grab and no version string that says "vulnerable."
The second is that an annual or quarterly pentest is cadence enough. EchoLeak and SearchLeak were one year apart — your annual test would have caught at most one of them, months after exposure, and only if the tester happened to probe the AI surface that quarter. AI assistants ship behavioral changes continuously: a new connector, a new allowlisted domain, a tweak to how output is rendered. Each change can reopen the class. The exposure window between "Microsoft changes Copilot" and "your next scheduled pentest" is exactly where both of these bugs lived.
And critically, the working exploit is environment-specific. Which proxy is allowlisted in your CSP, whether your tenant exposes Enterprise Search the same way, how your connectors index mail — these determine whether a given chain fires. A generic advisory does not tell you if you are exploitable. Only running the chain against your actual configuration does.
Detection when the user sees nothing
There is a second front, and it is the network. The user clicks and sees a normal Copilot answer; nothing on the endpoint looks wrong. But the exfiltration still has to leave, and that egress has a shape: an outbound fetch carrying base64-ish blobs in a URL to an image-search proxy, fired immediately after a Copilot interaction, for a workstation that has no reason to be pushing mailbox contents outbound. EDR, which watches process and file behavior on the host, sees nothing — because the host did nothing. The wire is where the evidence is.
This is the uncomfortable lesson of both Junes: when the exploit lives entirely inside trusted SaaS plumbing, the only place an in-progress theft becomes visible is the traffic itself.
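The egress shape described above, written as a correlation rule over proxy logs (an added example, not part of the original article or any vendor's product). It assumes decrypted egress-proxy lines in a "time client url" format; the hostnames, the /fetch?url= path, the 30-second window and the entropy threshold are constructed placeholders to tune for your environment.

```python
import math
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Assumed placeholder hosts: replace with your assistant and allowlisted fetchers.
ASSISTANT_HOSTS = {"assistant.example.test"}
FETCH_PROXY_HOSTS = {"imgproxy.example.test"}
WINDOW = timedelta(seconds=30)              # assumed correlation window
BLOB = re.compile(r"[A-Za-z0-9_=-]{40,}")   # long base64url-like run

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def carries_blob(url):
    """True if a query value is itself a URL holding a long, high-entropy token."""
    nested = [v for _, v in parse_qsl(urlsplit(url).query)   # percent-decoded
              if v.startswith(("http://", "https://"))]
    return any(entropy(t) >= 4.0 for v in nested for t in BLOB.findall(v))

def detect(lines):
    """Flag blob-carrying proxy fetches within WINDOW of the client's assistant use."""
    last_seen, alerts = {}, []
    for line in lines:
        ts, client, url = line.split(" ", 2)
        when, host = datetime.fromisoformat(ts), urlsplit(url).hostname
        if host in ASSISTANT_HOSTS:
            last_seen[client] = when
        elif host in FETCH_PROXY_HOSTS and carries_blob(url):
            if client in last_seen and when - last_seen[client] <= WINDOW:
                alerts.append((client, ts, host))
    return alerts

# Constructed sample data: the blob is filler bytes, not real mailbox content.
BLOB_SAMPLE = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v"
PROXY = "https://imgproxy.example.test/fetch?url="
LEAK = PROXY + "https%3A%2F%2Fcollector.example.test%2Fp.png%3Fd%3D" + BLOB_SAMPLE
SAMPLE_LOG = [
    "2026-01-01T09:00:00 10.0.0.5 https://assistant.example.test/search?q=budget",
    "2026-01-01T09:00:04 10.0.0.5 " + LEAK,
    "2026-01-01T09:00:05 10.0.0.5 " + PROXY + "https%3A%2F%2Fcdn.example.test%2Flogo.png",
    "2026-01-01T09:00:06 10.0.0.9 " + LEAK,   # no assistant request from this client
    "2026-01-01T09:20:00 10.0.0.5 " + LEAK,   # outside the correlation window
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Only the second sample line alerts: it is the one proxy fetch that both carries a high-entropy token in a nested URL and follows an assistant request from the same client inside the window.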
Where Zero Hunt fits
The opening question of this article is operational: how do you know whether your Copilot tenant is exploitable, before a researcher — or an attacker — finds out for you? That is a validation problem, and it is the one Zero Hunt's generative engine was built for.
Zero Hunt's 10-agent AI swarm does not run a signature scanner against a version number. Its Web and Exploit agents compose a fresh exploit chain per target — a local LLM writes the attack code for your environment, not a payload pulled from a public database. That is exactly the shape SearchLeak demands: probing whether your Copilot surface treats a q parameter as an instruction, whether your CSP allowlist contains a fetchable proxy, whether your rendering path races its sanitizer. Every candidate skill is backtested in the AI Gym — against corpora like Vulhub and the NYU CTF Bench — before it ever runs in production, so the offensive logic is validated, not improvised. Because Zero Hunt runs as a 100% on-prem appliance with no external LLM APIs, the prompts and findings from probing your AI stack never leave your network — which matters when the thing you are testing is itself an AI data-access surface. And change-triggered campaigns mean that when Microsoft ships a new connector or a new allowlisted domain, a fresh validation campaign fires within the hour, instead of waiting for next year's pentest window — the exact gap EchoLeak and SearchLeak both lived in.
When the chain does fire in production, the egress is the only witness. Zero Hunt's AI Traffic Analysis — a deep-learning model with four parallel inference heads (suspicious traffic, malware classification, attack-type identification, application fingerprinting), running on the appliance GPU at 2.7+ Gbit/s — is built to flag exactly this: an anomalous outbound session to a destination a host has never used, carrying data outbound from a workstation that normally only ingests, fired in the seconds after an assistant interaction. Not in tomorrow's SIEM digest — while the bytes are still moving.
EchoLeak and SearchLeak will not be the last of their line. The architecture that makes Copilot useful — read everything, summarize anything, render rich output — is the same architecture that makes it exploitable, and no single patch retires the class. The defensible posture is to assume the next one already exists in your tenant and to test for it continuously, on the wire and in the configuration, the way an attacker would. If you want to see what continuous AI-surface validation looks like against your own environment, start here.