{"data":{"id":"690c37c2-b5d5-4ffe-8253-525d9afa7378","title":"New attack turned Microsoft 365 Copilot into 1-click data theft tool","summary":"SearchLeak is a critical vulnerability in Microsoft 365 Copilot Enterprise that allowed attackers to steal sensitive data like emails, passwords, and documents through a single malicious link. The attack chained three separate flaws: a parameter-to-prompt injection (instructions hidden in a URL parameter were treated by the AI as part of its prompt), an HTML rendering race condition (a brief window in which rendered HTML was not yet protected), and a server-side request forgery in Bing (Bing was made to issue requests on the attacker's behalf, unknowingly helping retrieve the stolen data). Microsoft fixed this vulnerability and assigned it CVE-2026-42824 with a critical severity rating.","solution":"Microsoft addressed SearchLeak at the beginning of the month in which this report was published. Because Microsoft has fixed CVE-2026-42824, no user action is required to mitigate this threat.","labels":["security"],"sourceUrl":"https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/","publishedAt":"2026-06-15T13:00:00.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["prompt_injection","data_extraction"],"issueType":"news","affectedPackages":null,"affectedVendors":["Microsoft"],"affectedVendorsRaw":["Microsoft 365 Copilot","Microsoft Copilot Enterprise Search","Bing"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-06-15T13:00:00.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"advanced","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}