A critical flaw in Microsoft 365 Copilot Enterprise let attackers silently exfiltrate emails and multi-factor authentication (MFA) codes simply by tricking users into interacting with a malicious link, security researchers at Varonis Threat Labs revealed on June 15, 2026. The vulnerability chain, dubbed SearchLeak and tracked as CVE-2026-42824, exposed the dark side of AI-powered productivity tools—showing how the very feature designed to help workers find information could be weaponized to steal it.

Microsoft has already patched the bug, urging all organizations to apply the June 2026 security updates immediately. But the findings are a stark reminder that every new AI integration widens the attack surface, especially when that AI has direct access to the crown jewels of enterprise data.

How SearchLeak Turned Copilot into a Data Thief

Microsoft 365 Copilot Enterprise is the premium AI assistant embedded across Office apps, Outlook, Teams, and SharePoint. Central to its utility is the ability to search across an organization’s entire Microsoft 365 tenant—emails, documents, meeting transcripts, and more—using natural language. It’s that very capability that Varonis exploited.

The SearchLeak attack chain, detailed in a technical report published alongside the disclosure, consisted of three stages: initial access via a crafted link, a prompt injection that hijacked Copilot’s context, and exfiltration of sensitive results to an attacker-controlled server.

An attacker would first distribute a seemingly innocuous link—placed in an email, a Teams message, or a SharePoint comment—that, when clicked by the victim, opened a browser to a legitimate-looking site. Unseen to the user, the link contained a specially crafted query parameter that triggered a background request to the Microsoft 365 Copilot endpoint, initiating a search. Because the user was already authenticated to Microsoft 365, Copilot would process the request under the victim’s own permissions, granting full access to their mailbox, OneDrive files, and any other data the assistant could normally reach.

But the real ingenuity lay in the second phase: a server-side prompt injection. The attacker’s website would redirect Copilot’s response, manipulating the assistant into returning the search results not to the user but to an external API controlled by the attacker. Varonis called this the “exfiltration loop.” In essence, Copilot was tricked into believing that the user wanted the data sent to a third-party service—similar to how a developer might use a custom plugin—and the mechanism was so seamless that no alert or unusual activity flag would fire.

What Data Was at Risk?

During their proof-of-concept, Varonis researchers were able to steal entire email threads, including attachments, from a target’s Outlook mailbox. The stolen content contained financial documents, internal strategy discussions, and even password reset links. Even more alarming was the extraction of MFA codes from the Microsoft Authenticator app—a feat made possible because Copilot can index Microsoft Authenticator notifications and codes when the app is linked to the same organizational account. Attackers could then use those codes in real-time to bypass multi-factor authentication and hijack the victim’s account.

“SearchLeak represents a perfect storm of trusted access and AI misdirection,” said Or Azarzar, Senior Security Researcher at Varonis Threat Labs, in the report. “Because the exfiltration occurs within the context of a legitimate Copilot session, traditional data loss prevention and cloud security tools are blind to it. It’s like the thief is dressed as the bank manager and has the keys to the vault.”

Microsoft’s Response and Patching

Microsoft assigned the vulnerability CVE-2026-42824 and rated it Critical with a CVSS score of 9.1. The company released a fix as part of its June 2026 Patch Tuesday updates on June 9, 2026, which addressed the core server-side parsing issue that allowed prompt injection and the broken link redirection. A subsequent update to Microsoft Defender for Cloud Apps and Defender for Office 365 added detection signatures for any retroactive exploitation attempts.

The advisory confirms that there were no indications of active exploitation in the wild prior to the patch, though Varonis noted that the techniques could have been weaponized months earlier. “We appreciate the professionalism of the Varonis team in following coordinated vulnerability disclosure principles,” a Microsoft spokesperson said. “We’ve applied the necessary safeguards and enhanced the AI’s context isolation to prevent such prompt manipulation in the future.”

Are You Protected? Immediate Steps for Admins

While the patch is the definitive fix, Varonis recommends several short-term actions for organizations that might have delayed June updates:

  • Apply the June 2026 security update to all Microsoft 365 services. No configuration changes are required; the patch is automatic for cloud instances.
  • Review Azure AD sign-in logs for anomalous Copilot-related activity, particularly unexpected external API calls from user locations during the past 60 days.
  • Turn on the new Microsoft 365 Copilot AI Security Dashboard (introduced in the June update) to monitor for prompt injection attempts.
  • Educate users about the dangers of clicking unsolicited links, even if they appear to come from internal services, and stress that Copilot should never ask to send data to external websites.

For hybrid environments that sync on-premises Exchange servers, IT teams should also apply the corresponding security update for Exchange Server 2019 and 2022—KB5002453—to prevent similar vector reuse.

The Bigger Picture: AI Assistants as a New Attack Frontier

SearchLeak is not an isolated incident. As Microsoft 365 Copilot, Google Workspace Duet, and similar generative AI tools become ubiquitous, attackers are increasingly looking at the connectors that feed these assistants your organization’s data. A 2025 study by the Ponemon Institute found that 68% of enterprises had experienced at least one security incident related to AI-powered workplace tools, up from 23% the year prior.

“The Copilot architecture essentially acts as a supercharged search engine for internal data,” said Dr. Jill Chen, a security researcher at MITRE. “If you compromise the prompts or the fetching mechanism, you have a direct line to everything that user can see. That’s a much more lucrative target than traditional phishing.”

Microsoft has responded by adding stronger sandboxing for Copilot requests and by default disabling certain high-risk integrations until an admin explicitly opts in. The company also announced it would double its investment in AI red teaming, expanding internal testing to simulate real-world attack chains like SearchLeak.

What This Means for Windows and Microsoft 365 Users

For everyday users and IT managers alike, SearchLeak is a wake-up call. The very productivity gains promised by Copilot hinge on its deep access to your emails, files, and calendars—making those same resources a single point of failure. Until now, many assumed that the closed nature of Office 365 and Azure AD would protect them. This vulnerability shows that AI prompt injection can sidestep those protections entirely.

“We’re going to see a lot more CVEs like this one as AI agents become more autonomous,” Azarzar added. “The industry needs to move toward zero-trust AI architectures, where the AI itself is treated as an untrusted interface and every data retrieval is explicitly authorized.”

Microsoft has already started heading in that direction. The June patch also introduced “AI Request Verification,” a feature that requires Copilot to present a user-facing confirmation dialog whenever it is about to send data to an external endpoint. Administrators can enforce this as a mandatory policy, which Varonis recommends for high-security environments.

Timeline of the SearchLeak Disclosure

  • February 3, 2026: Varonis Threat Labs discovers the vulnerability during a routine red team exercise.
  • February 10, 2026: Initial disclosure report submitted to Microsoft Security Response Center (MSRC).
  • March 2026: Microsoft reproduces the issue and begins developing a fix.
  • May 28, 2026: Preview fix deployed to select early-update tenants for validation.
  • June 9, 2026: Official security update released for all Microsoft 365 customers.
  • June 15, 2026: Varonis publishes its full technical breakdown, including detection guidance and post-patch best practices.

Staying Ahead of the Next Copilot-Style Attack

With the fix deployed, the immediate threat is neutralized. However, the techniques disclosed in the Varonis report will undoubtedly inspire copycat attacks against other AI assistants. Organizations should now assume that any employee-facing AI tool with access to internal data can be subverted unless rigorous prompt and response boundaries are enforced.

For additional technical details, including Indicators of Compromise (IOCs) and Snort rules, you can read the full Varonis blog post. Microsoft’s official advisory (CVE-2026-42824) contains the security update changelog and links to the necessary patches.

SearchLeak may be patched, but its legacy is a new era of AI vulnerability research—one that will force platform vendors to rethink how trust and context flow through every interaction.