Microsoft patched a critical vulnerability, tracked as CVE-2026-42824 and dubbed “SearchLeak,” that allowed attackers to extract 2FA codes and sensitive data from M365 Copilot with a single user click. Discovered by Dolev Taler of Varonis Threat Labs, the flaw exploited AI retrieval-layer permissions to bypass security controls. While no in-the-wild exploitation has been confirmed, the incident highlights the risks of AI agents inheriting broad enterprise user permissions.
How SearchLeak Bypassed Enterprise Security
The SearchLeak vulnerability functioned by weaponizing the way AI assistants interact with private enterprise data. According to Varonis Threat Labs, the attack utilized indirect prompt injection, where malicious instructions were embedded directly into a URL rather than requiring a user to type a prompt. By clicking a compromised link, a user inadvertently triggered Copilot to scan their inbox or files and exfiltrate information.
The attack chain relied on three distinct technical components:
- Parameter-to-prompt injection: Attackers embedded commands into URL structures.
- HTML streaming race condition: Data was extracted before internal security protocols could flag the activity.
- CSP bypass: The attack leveraged a Bing-related server-side request forgery (SSRF) to transmit stolen data to external servers.
Why Microsoft Classified the Flaw as “Critical”
Microsoft assigned a “critical” severity rating to the vulnerability, despite its CVSS score of 6.5, which is typically categorized as medium. Security researchers note this discrepancy exists because Microsoft’s internal assessment prioritizes business impact over pure technical exploitability. Because the vulnerability allowed for potential account takeovers—including the theft of 2FA codes—Microsoft determined the risk to enterprise-wide security systems was severe enough to warrant the highest designation.
The Future of AI Retrieval-Layer Security
SearchLeak marks a shift in threat modeling: moving away from traditional malware toward attacks targeting the AI retrieval layer. As organizations integrate LLMs into deeper workflows, the principle of least-privilege access becomes the primary defense. Unlike standard malware, retrieval-layer attacks mimic legitimate user activity, making them difficult to detect without granular logging.
Security teams should anticipate that AI agents will increasingly become targets for “permission inheritance” attacks. If an AI assistant has access to the same folders and mailboxes as a high-level executive, that agent essentially holds the keys to that executive’s data footprint.
How to Protect Your Organization
To mitigate risks associated with AI retrieval, enterprises must move beyond standard Data Loss Prevention (DLP) policies. According to recommendations from the discovery team at Varonis, organizations should:
- Tighten DLP configurations: Map data protection policies specifically to the capabilities of your AI assistants.
- Conduct Permission Audits: Regularly review what sensitive data (such as SharePoint sites or OneDrive folders) is indexed by AI agents.
- Monitor AI Activity: Implement logging that flags unusual patterns in how agents access sensitive communication channels like Outlook or Teams.
Frequently Asked Questions
Was my data compromised by SearchLeak?
Microsoft patched the vulnerability on the backend on June 4, 2026. There have been no confirmed reports of in-the-wild exploitation, meaning your data was likely not accessed through this specific flaw.
Does this vulnerability affect Copilot Personal?
While Copilot Enterprise users were the primary focus, Microsoft has not ruled out risks to Copilot Business Chat or Copilot Personal. Organizations should treat all AI integrations as potential data access points.
Are traditional antivirus tools enough to stop these attacks?
No. SearchLeak exploited the AI’s legitimate permission structure, not a software virus. Protection requires governance over data access and AI-specific permission audits.
Are you auditing your AI permissions as part of your Q3 security review? Share your thoughts on balancing AI productivity with enterprise governance in the comments below, or subscribe to our newsletter for more updates on AI security breakthroughs.
