One-click vulnerability in Microsoft 365 Copilot: email, file and MFA-code leakage (SearchLeak)

Colleagues, please take note of a cybersecurity incident. Varonis researchers discovered a three-bug chain in Copilot Enterprise Search, dubbed "SearchLeak".
- What: a one-click exploit can extract email subjects, files and one-time MFA codes without further user interaction.
- How: q-parameter injection, a race against output sanitization, and a CSP bypass via server-side Bing requests (Bing used as a proxy).
- Status: Microsoft issued CVE-2026-42824 and deployed a backend fix; a PoC has been published, and no active exploitation has been recorded.
Why it matters: access extends to anything Copilot indexes via Microsoft Graph, including OTPs and documents.
What mitigations do you recommend?
#cybersecurity #Microsoft365 #Copilot #infosec
