New attack turned Microsoft 365 Copilot into 1-click data theft tool
Summary
SearchLeak is a critical vulnerability in Microsoft 365 Copilot Enterprise that allowed an attacker to steal sensitive data such as emails, passwords, and documents through a single malicious link. The attack chained three separate flaws: parameter-to-prompt injection (instructions hidden in a URL parameter are passed to the AI as a prompt), an HTML rendering race condition (a window during which rendered HTML is not yet protected), and a server-side request forgery in Bing (Bing is made to retrieve the stolen data without knowing what it is relaying). Microsoft fixed the vulnerability and assigned it CVE-2026-42824 with a critical severity rating.
Solution / Mitigation
Microsoft addressed SearchLeak at the beginning of the month. With Microsoft having fixed CVE-2026-42824, there's no user action required to mitigate this threat.
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2026-30308: In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe comman
Original source: https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/
First tracked: June 15, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%