← Back to Daily Briefing

Researchers at Varonis Threat Labs have identified 'SearchLeak' (CVE-2026-42824), a critical indirect prompt injection vulnerability in Microsoft 365 Copilot Enterprise Search. The vulnerability utilizes a Parameter-to-Prompt (P2P) technique via the ?q= URL query parameter to manipulate the LLM. By exploiting a race condition during incremental HTML rendering, an attacker can inject malicious <img> tags that bypass Content Security Policy (CSP) restrictions. Through the exploitation of Bing’s Image Search imgurl= parameter, the attack facilitates the silent exfiltration of sensitive data—including 2FA codes, SharePoint documents, and emails—by leveraging the user's inherited Microsoft Graph API permissions.

  • Threat Model & Vulnerability Overview

    • Represents a shift from standard text-based manipulation to Parameter-to-Prompt (P2P) injection.
    • Targets the Microsoft 365 Copilot Enterprise Search functionality specifically.
    • Exploits the acceptance of natural language instructions within standard URL query parameters.
  • Technical Attack Mechanics

    • Employs indirect prompt injection to command the AI to retrieve sensitive organizational data.
    • Leverages a race condition where the AI’s "thinking process" is rendered as raw HTML before post-processing sanitization occurs.
    • Utilizes a CSP bypass by targeting the whitelisted Bing Image Search domain.
    • Weaponizes the Bing imgurl= parameter to act as a proxy, embedding stolen data into an <img> tag for exfiltration.
  • Impact & Data Exposure

    • Rated as Critical due to the one-click exploitability via a crafted URL.
    • Grants access to all indexed business content accessible via the user's Microsoft Graph API permissions.
    • Risks the unauthorized disclosure of 2FA codes, meeting invites, SharePoint documents, and OneDrive files.
    • High potential for full account takeover through automated, high-speed data harvesting.
  • Industry & Defense Implications

    • Demonstrates the danger of exposing LLM reasoning/thinking phases within the DOM.
    • Highlights the insufficiency of domain-based CSP when trusted services can be used for SSRF-like exfiltration.
    • Underscores the need for rigorous sanitization of AI-generated content prior to browser-side rendering.

Related posts

  1. varonis.com — SearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon
  2. eSecurity Planet — SearchLeak Flaw Exposed Sensitive Data in Microsoft 365 Copilot
  3. csoonline.com — M365 Copilot SearchLeak: Your prompt injection attack surface just got bigger
  4. vibegraveyard.ai — M365 Copilot SearchLeak turned a search link into a one-click data heist
  5. Thehackernews
  6. App
  7. Thenextweb
  8. Letsdatascience
  9. Reddit
  10. Mastodon
  11. Mashable

LINK COPIED TO CLIPBOARD