Researchers at Varonis Threat Labs have identified 'SearchLeak' (CVE-2026-42824), a critical indirect prompt injection vulnerability in Microsoft 365 Copilot Enterprise Search. The vulnerability utilizes a Parameter-to-Prompt (P2P) technique via the ?q= URL query parameter to manipulate the LLM. By exploiting a race condition during incremental HTML rendering, an attacker can inject malicious <img> tags that bypass Content Security Policy (CSP) restrictions. Through the exploitation of Bing’s Image Search imgurl= parameter, the attack facilitates the silent exfiltration of sensitive data—including 2FA codes, SharePoint documents, and emails—by leveraging the user's inherited Microsoft Graph API permissions.
-
Threat Model & Vulnerability Overview
- Represents a shift from standard text-based manipulation to Parameter-to-Prompt (P2P) injection.
- Targets the Microsoft 365 Copilot Enterprise Search functionality specifically.
- Exploits the acceptance of natural language instructions within standard URL query parameters.
-
Technical Attack Mechanics
- Employs indirect prompt injection to command the AI to retrieve sensitive organizational data.
- Leverages a race condition where the AI’s "thinking process" is rendered as raw HTML before post-processing sanitization occurs.
- Utilizes a CSP bypass by targeting the whitelisted Bing Image Search domain.
- Weaponizes the Bing
imgurl=parameter to act as a proxy, embedding stolen data into an<img>tag for exfiltration.
-
Impact & Data Exposure
- Rated as Critical due to the one-click exploitability via a crafted URL.
- Grants access to all indexed business content accessible via the user's Microsoft Graph API permissions.
- Risks the unauthorized disclosure of 2FA codes, meeting invites, SharePoint documents, and OneDrive files.
- High potential for full account takeover through automated, high-speed data harvesting.
-
Industry & Defense Implications
- Demonstrates the danger of exposing LLM reasoning/thinking phases within the DOM.
- Highlights the insufficiency of domain-based CSP when trusted services can be used for SSRF-like exfiltration.
- Underscores the need for rigorous sanitization of AI-generated content prior to browser-side rendering.
Related posts
- varonis.com — SearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon
- eSecurity Planet — SearchLeak Flaw Exposed Sensitive Data in Microsoft 365 Copilot
- csoonline.com — M365 Copilot SearchLeak: Your prompt injection attack surface just got bigger
- vibegraveyard.ai — M365 Copilot SearchLeak turned a search link into a one-click data heist
- Thehackernews
- App
- Thenextweb
- Letsdatascience
- Mastodon
- Mashable