Table of Contents
Microsoft Copilot Became the Most Valuable Target in Your Tenant
There is a Microsoft Copilot vulnerability that most IT teams have not heard about yet. The details matter. Varonis Threat Labs published the technical write-up on 15 June 2026, after Microsoft patched it quietly in early June. The flaw is tracked as CVE-2026-42824, or SearchLeak. It let an attacker steal emails, MFA codes and password-reset links from any Copilot Enterprise Search user. Calendar data and SharePoint files were also at risk. All it required was one click on a link to a real microsoft.com address.
Microsoft fixed this. No customer action is needed. But the reason this flaw could exist at all tells you something worth paying attention to. Enterprise AI risk sits somewhere most organisations have not yet looked.
Copilot Is Designed to See Everything. That Is the Problem.
Microsoft sells Copilot on its breadth. It searches your emails, files, calendar and meetings to surface what you need. That broad access is the product. It is also why a vulnerability in Copilot is different in kind from a flaw in a standalone document viewer. The difference is scope.
When Varonis demonstrated SearchLeak, the proof of concept was direct. It extracted MFA codes arriving in the victim’s inbox. It pulled salary documents from SharePoint and acquisition plans from OneDrive. Meeting notes from calendar entries were also reachable. The attacker did not need any of the victim’s credentials. They needed a link in an email and a standard Enterprise Search account.
The attack chain is worth understanding. Copilot Enterprise Search passes the q URL parameter straight to the AI as an instruction. It is not treated as a plain search term. An attacker who controls that parameter can tell Copilot to search the victim’s mailbox. The results get embedded in an outbound image request. A race condition in Microsoft’s response sanitiser means injected HTML fires before protection kicks in. Microsoft’s content security policy allowlists Bing. The attack then uses Bing’s image search endpoint to receive the stolen data server-side. BleepingComputer put it plainly: Bing becomes an unwitting exfiltration proxy.
What the Microsoft Copilot Vulnerability Tells Us About AI Risk
SearchLeak is not a one-off. The class of attack it represents, attacker-controlled input interpreted as AI instructions, has been documented since at least 2023. What changes with enterprise AI assistants is the blast radius.
Older prompt injection attacks targeted chatbots with limited access. Copilot has access to everything in a user’s tenant. Every AI assistant that reaches into corporate email and file stores raises the stakes of this class of flaw.
Microsoft has already signalled that AI agents will hold full organisational identities, with access to corporate systems and sensitive data. That direction makes getting input handling right more important now, not later.
This is also not unique to Microsoft. Google Workspace AI features and Salesforce Einstein sit in the same risk category. So does any tool that passes user-controlled text to an AI. The risk applies whenever the AI’s output is then rendered in a browser. The vendors who get this right will treat AI input with the same rigour they apply to SQL queries and shell commands.
What Defenders Should Take From This
Patch compliance says this Microsoft Copilot vulnerability (CVE-2026-42824) is closed, and it is. That is not the end of the analysis.
First, scope what Copilot can see. Many organisations deployed it with minimal settings. That means Copilot inherits the user’s full permissions, including files and emails not accessed in years. Microsoft’s sensitivity labels and SharePoint access controls let you narrow that index. Doing so cuts exposure from this class of flaw a great deal.
Second, include AI platforms in your next penetration test. The attack surface for enterprise AI tools differs from traditional web applications, but the core questions are the same. Does the application trust user-controlled input it should not? Does it render attacker-supplied content in a privileged context? A pen tester who knows where to look can answer those questions before a researcher publishes a paper about it.
Third, treat Copilot as a high-value target in your threat model, not as productivity software. An attacker who reaches Copilot and influences its inputs gets access to a search index. That index spans your organisation’s most sensitive data. This changes the calculus for both phishing triage and access control reviews.
This Microsoft Copilot vulnerability is patched. The underlying dynamic, AI tools with broad access sitting inside phishing reach, is not going anywhere.
