SearchLeak Shows Why Classic Bugs Are Deadlier Than Ever in the AI Era
There is a new vulnerability in Microsoft 365 Copilot Enterprise called SearchLeak, and on its own it is the kind of finding that generates a CVE, a Microsoft blog post, and a few security team ticket updates. But the architecture of the attack tells a bigger story about what happens when prompt injection meets the old bug classes that security teams have been wrestling with for decades.
SearchLeak chains three separate weaknesses into a silent data exfiltration pipeline. The first is a parameter-to-prompt injection: the search q parameter in Copilot Enterprise Search passes user input directly into the AI engine, treating it as both a search query and executable instructions. Unlike the regular Copilot chat feature, Enterprise Search is designed to pull from company data — emails, SharePoint files, OneDrive documents — so an injected prompt can surface anything the victim user has access to. The second weakness is an HTML rendering race condition: during Copilot's streaming response phase, raw HTML renders in the browser DOM before the output sanitizer wraps everything in neutralized <code> blocks. An attacker-controlled <img> tag fires during that narrow window. The third is an SSRF hiding behind Bing's "Search by Image" feature, which is allowlisted in the Content Security Policy and makes server-side requests to arbitrary URLs. Put together, a victim clicks a crafted link, Copilot searches their mailbox and OneDrive, embeds the extracted data in an image URL, and Bing unknowingly delivers it to the attacker's server. No credentials stolen. No MFA bypassed. Just data walking out the front door because the doorbell now takes voice commands.
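The ordering problem behind the second weakness, as an added example (not code from the original post or from Microsoft): it contrasts rendering streamed chunks raw and sanitizing afterwards with escaping each chunk before it is written. RecordingSink, the function names and the sample chunks are constructed for illustration, and the escape-first pattern is a general mitigation, not a description of Microsoft's fix.

```javascript
// Added example. RecordingSink stands in for a DOM node and keeps every
// intermediate state, so a short-lived unsafe state is still visible.
class RecordingSink {
  constructor() { this.html = ""; this.history = []; }
  write(html) { this.html = html; this.history.push(html); }
  // True if any state ever contained a live (unescaped) <img tag.
  everHeldLiveImg() { return this.history.some((h) => /<img\b/i.test(h)); }
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Weak ordering: raw chunks are written while streaming and the output is
// only neutralized once the stream has finished.
function renderThenSanitize(chunks, sink) {
  let raw = "";
  for (const chunk of chunks) {
    raw += chunk;
    sink.write(raw); // raw markup is live here, before any sanitizing
  }
  sink.write("<code>" + escapeHtml(raw) + "</code>");
  return sink;
}

// Hardened ordering: every chunk is escaped before it reaches the sink.
// Escaping is per character, so a tag split across chunks is still inert.
// In a browser the same effect comes from appending text nodes (textContent)
// instead of assigning markup.
function escapeThenRender(chunks, sink) {
  let safe = "";
  for (const chunk of chunks) {
    safe += escapeHtml(chunk);
    sink.write("<code>" + safe + "</code>");
  }
  return sink;
}

// Constructed stream: the tag is deliberately split across chunk boundaries.
const SAMPLE_CHUNKS = ["Results: <im", 'g src="https://example.invalid/p.png?d=', 'PLACEHOLDER">', " done"];

function compare(chunks = SAMPLE_CHUNKS) {
  const weak = renderThenSanitize(chunks, new RecordingSink());
  const hard = escapeThenRender(chunks, new RecordingSink());
  return { weakExposed: weak.everHeldLiveImg(), hardExposed: hard.everHeldLiveImg(),
           sameFinalOutput: weak.html === hard.html };
}
console.log(compare());
```

Both orderings end in the same final markup; only the intermediate states differ, which is why checking the finished output alone does not reveal the exposure window.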

What makes SearchLeak worth more than a routine CVE write-up is the meta-pattern. The individual vulnerabilities — prompt injection, HTML race conditions, SSRF — have been around for years. They are not new. What is new is the context that makes them lethal in combination. In a traditional web application, an SSRF might let you scan internal ports or read a local config file. In Copilot Enterprise, that same SSRF becomes a data exfiltration channel because the AI engine sits on top of the user's entire organization and can be instructed to format and embed any content it finds. The old bugs didn't get worse; the attack surface around them got infinitely more dangerous because AI systems now have access to everything a human user does, and they follow prompts without the situational awareness t

The practical implication for security teams is that prompt injection is becoming the new command injection — not in the sense that it is equally common, but in the sense that it is the old principle of unvalidated input meeting a new execution context. Microsoft has already remediated CVE-2026-42824, so no patching is needed for end users. But the question that lingers is whether the guardrails being built into enterprise AI search are actually stopping prompt injection, or just raising the bar enough that casual attackers give up. As SearchLeak shows, you only need one guardrail to slip to turn a trusted domain link into a one-click data heist.