Varonis Threat Labs has disclosed a critical vulnerability in Microsoft 365 Copilot Enterprise, dubbed SearchLeak and tracked as CVE-2026-42824, that earned Microsoft's maximum severity rating. A single click on a link hosted on a legitimate microsoft.com domain could silently exfiltrate sensitive corporate data, including multi-factor authentication codes, email contents, calendar details, and confidential files, with no further user interaction. Microsoft has fully remediated the flaw on the server side, so no end-user action is required, and the researcher who found it, Varonis's Dolev Taler, went public on June 15.
What makes SearchLeak notable is not just its severity but its anatomy. The attack chains three distinct weaknesses into one seamless path: a Parameter-to-Prompt injection that smuggles attacker instructions into Copilot's prompt, an HTML rendering race condition, and a Content Security Policy bypass that abuses a Bing server-side request forgery to ship the stolen data out. In plain terms, the attacker hides instructions where the AI assistant will read and obey them, then uses the rendering and network layers to carry the data away. Because the malicious link lives on a real microsoft.com domain, conventional anti-phishing tools and URL filters never flag it.
SearchLeak is a textbook instance of the failure mode security researchers have been warning about all year. It is an AI assistant with access to private data, exposed to untrusted content, and wired to an external channel that can carry information out, the exact combination OWASP recently described as the lethal trifecta of prompt injection. The difference here is that it is not a thought experiment: someone built the full chain and turned a productivity assistant into a one-click exfiltration weapon. As companies hand AI assistants ever-deeper access to email, calendars, and files, the attack surface stops being just the model, and becomes the model plus everything it is allowed to read and everywhere it is allowed to reach.
The reassuring part is that this one is fixed, found by researchers rather than attackers, and remediated server-side without users needing to lift a finger; responsible disclosure worked as intended. The less reassuring part is the pattern. Indirect prompt injection keeps proving to be a real, exploitable class of bug rather than a hypothetical, and each new instance is more polished than the last. The defenses that hold up are structural, keeping untrusted content, private data, and outbound channels from ever meeting in the same context, rather than trying to teach a model to recognize every malicious instruction. SearchLeak is one more data point that the agentic-AI security problem is not really the model misbehaving on its own, it is what a determined attacker can make it do.