VMTech · Instagram

One-click vulnerability in Microsoft 365 Copilot: email, file and MFA-code leakage (SearchLeak)

Colleagues, a cybersecurity incident worth noting: Varonis researchers have discovered a three-bug chain in Copilot Enterprise Search, dubbed "SearchLeak".

- What: a one-click exploit can extract email subjects, files and one-time MFA codes, with no user interaction beyond that single click.
- How: injection via the q parameter, a race against output sanitization, and a CSP bypass via server-side Bing requests (Bing used as a proxy).
- Status: Microsoft issued CVE-2026-42824 and deployed a backend fix; a PoC has been published, and no active exploitation has been recorded.

Why it matters: the exposure extends to anything Copilot indexes via Microsoft Graph, including OTPs and documents.

What mitigations do you recommend?

#cybersecurity #Microsoft365 #Copilot #infosec