Microsoft has patched a severe vulnerability in Microsoft 365 Copilot that could have allowed attackers to extract sensitive data through a single click on a maliciously crafted Bing search result. The flaw, tracked as CVE-2026-42824 and dubbed "SearchLeak," was disclosed by Varonis Threat Labs in June 2026 after a coordinated disclosure process lasting several months. The patching followed Varonis's demonstration that Copilot Enterprise Search could be abused through a one-click attack to exfiltrate data from an organization's Microsoft 365 environment.

The vulnerability sat at the intersection of two powerful technologies: Microsoft 365 Copilot's deep integration with enterprise data and its reliance on Bing for web search results. When a user interacted with Copilot—asking it to summarize a document or find relevant emails—the AI assistant could also pull in information from the web if allowed. It was in this web enrichment path that Varonis researchers found a way to turn Copilot against its own organization.

The SearchLeak Attack Vector

Varonis Threat Labs discovered that an attacker could create a weaponized link on a Bing-indexed page. When a Copilot user clicked that link—or, in some scenarios, simply viewed a search result containing it—the browser would send a crafted request through Copilot's infrastructure. The request masqueraded as a legitimate Copilot query, instructing the AI to search across the user's Microsoft 365 data and send a summary to an attacker-controlled endpoint.

The attack relied on prompt injection, a well-known technique in large language model security. However, the novelty of CVE-2026-42824 was its one-click simplicity and the breadth of data accessible. Once exploited, an attacker could extract emails, Teams messages, SharePoint files, and even Outlook calendar entries—all without any additional user action beyond the initial click. The compromised Bing link acted as a silent trigger, exploiting the trust relationship between Copilot and Microsoft 365.

"This is not a theoretical risk," said Tal Peleg, senior security researcher at Varonis, in a statement accompanying the disclosure. "We built a proof of concept where a single click on a seemingly benign link resulted in a full dump of sensitive documents to an external server. The user never saw a prompt or warning."

The attack chain was particularly dangerous because it bypassed existing protections. Copilot's search feature defaulted to include web results, and many enterprises had not restricted this capability. Even when users were trained not to click suspicious links, the mere act of performing a Bing search within Copilot could surface the malicious result, and a click—whether intentional or accidental—was all it took.

How Copilot's Search Integration Amplified the Risk

Microsoft 365 Copilot is designed to break down silos between organizational data and the open web. A user asking "What's the latest on our Q3 strategy?" could receive a response that combines information from a SharePoint document with news articles pulled via Bing. This hybrid model improves productivity but also creates new attack surfaces.

In the case of CVE-2026-42824, the vulnerability stemmed from insufficient isolation between Copilot's query processing and the rendering of external search results. When Bing returned a link, Copilot would pre-process the link's metadata, often fetching the page title or snippet. By embedding a malicious prompt within the link's URL or the page's metadata, an attacker could inject instructions that Copilot interpreted as part of the user's original query.

Varonis demonstrated that the injected prompt could be camouflaged using URL parameters that appeared to be normal tracking codes. For example, a link like https://example.com?q=report&copilot_action=search could be parsed by Copilot into a command that scoured the user's OneDrive for files containing the word "report." The attacker's server, set up to receive the exfiltrated data, would then be fed the results.

Because the attack exploited the way Copilot handled external content, traditional web protections were bypassed. Secure web gateways and phishing filters saw only a click on a seemingly legitimate domain. Even advanced threat protection solutions could not inspect the bidirectional API calls between the user's browser and Copilot's backend without deep integration.

Microsoft's Response and Patch

Microsoft assigned the flaw a severity of Critical, with a CVSS score of 9.1. The company released a patch on June 9, 2026, as part of its monthly security update for Microsoft 365 services. The fix introduces stricter validation of URLs embedded in Bing search results handled by Copilot, effectively sandboxing any injected instructions. Additionally, Copilot now displays a confirmation prompt whenever it is about to perform a search across organizational data that was triggered by an external link—a break-glass measure to prevent silent exfiltration.

"We have thoroughly investigated this technique and implemented a layered defense to protect customers," a Microsoft spokesperson said in the advisory. "We are not aware of any active attacks in the wild, but we urge all organizations to apply the update immediately."

The patch also includes changes to Bing's search engine backend. Web pages can no longer use certain meta tags or URL structures that could influence Copilot's behavior. This cross-product collaboration closed the loophole from both the client and server sides.

Despite the fix, Varonis noted that the underlying architectural trust between LLM-based assistants and external data remains a broader industry challenge. "SearchLeak is a wake-up call for every enterprise using AI tools that integrate web search," the Varonis report concluded.

What You Should Do Now

For IT administrators, the immediate step is to ensure all Microsoft 365 services are updated. The patch is deployed automatically for cloud-only customers, but hybrid environments may require manual intervention. Microsoft has released KB5032102 for on-premises components that interface with Copilot, though the core fix is in the cloud service.

Beyond patching, organizations should review their Copilot configuration. The Microsoft 365 admin center now offers a policy to disable web result integration entirely or to restrict it to a list of trusted domains. For highly sensitive environments, disabling the feature may be prudent until a thorough risk assessment is completed.

Security teams should also look for indicators of compromise. Varonis shared a set of IoCs, including specific URL patterns and user-agent strings. Although no active exploitation has been confirmed, proactive logging analysis is recommended. The key is to monitor for abnormal volumes of data being sent to external endpoints via Copilot-related API calls.

Longer term, this incident underscores the necessity of applying zero-trust principles to AI assistants. Just as organizations segment networks and enforce least-privilege access, they must now segment the data accessible to Copilot. Role-based access controls in Microsoft 365 can limit what Copilot can retrieve, even if a prompt injection succeeds.

The SearchLeak vulnerability also highlights the importance of responsible disclosure. Varonis worked silently with Microsoft for over three months, providing regular proof-of-concept updates and testing beta patches. That partnership resulted in a fix that was ready before any public discussion, minimizing the window of exploitation.

As AI copilots become more deeply embedded in enterprise workflows, the attack surface will only grow. CVE-2026-42824 may be patched, but the lessons it teaches about prompt injection, external content isolation, and one-click exploits will shape security discussions for years to come.