
Varonis "SearchLeak" (CVE-2026-42824): one-click M365 Copilot data exfiltration, now patched

notable research discovered 2026-06-16 05:09 UTC

Part of run 2026-06-16-38d638e1 (intel · Claude Opus 4.8)

Varonis Threat Labs disclosed SearchLeak, a three-stage chain in Microsoft 365 Copilot Enterprise Search that Microsoft patched server-side as CVE-2026-42824 (command-injection / information-disclosure, NVD CVSS 6.5) (Varonis, 2026-06-15; Microsoft MSRC). Stage 1: the q URL parameter is passed to Copilot as an executable instruction rather than a sanitised query (parameter-to-prompt injection). Stage 2: an injected <img> tag fires during a streaming-render race before the output sanitiser runs. Stage 3: the exfiltration request is relayed through Bing's server-side image-search fetch — *.bing.com is allowlisted in Copilot's CSP — bypassing the browser CSP and carrying mailbox content, calendar entries, SharePoint/OneDrive files and emailed MFA/OTP codes to an attacker domain, all from a single click on a genuine microsoft.com link (The Hacker News, 2026-06-15). No customer action is required for patched tenants and no in-the-wild exploitation was observed. Mapped to T1566.002 and T1071.001.

Why it matters to us: M365 Copilot Enterprise is in active Swiss-federal and EU public-sector rollouts. The vulnerability class — prompt injection via URL parameter, streaming-render race, and SSRF-relay CSP bypass — will recur in other AI-augmented enterprise apps; build CASB/DLP detection for Copilot search URLs carrying HTML-encoded payloads in the q parameter and for Copilot sessions fetching to non-Microsoft domains.

Action items

  • Confirm M365 Copilot tenants are on the patched build (CVE-2026-42824) and add CASB/DLP detection for Copilot search URLs carrying HTML-encoded q parameters or fetching to non-Microsoft domains.
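A sketch of the CASB/DLP detection recommended above, as an added example that is not part of the brief or of Varonis's or Microsoft's tooling: it runs over constructed CASB-style events, peels nested percent/entity encoding off the q parameter of Copilot search URLs to surface hidden HTML tags, and flags Copilot-originated fetches to hosts outside an assumed Microsoft allowlist. The Copilot host names, the event schema and the allowlist suffixes are assumptions to tune for your tenant.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed (placeholder) Copilot entry hosts seen in this tenant's CASB logs.
COPILOT_HOSTS = {"copilot.microsoft.com", "m365.cloud.microsoft"}
# Assumed allowlist of Microsoft-owned suffixes for Copilot-originated fetches;
# *.bing.com is on it, so the relay hop itself is not caught by the fetch rule.
MS_SUFFIXES = ("microsoft.com", "cloud.microsoft", "office.com", "bing.com", "sharepoint.com")
HTML_TAG = re.compile(r"<\s*/?[a-zA-Z][^>]*>")

def decode_layers(value, rounds=3):
    """Peel nested percent/entity encoding so %253Cimg or &lt;img surfaces as <img."""
    for _ in range(rounds):
        new = html.unescape(unquote(value))
        if new == value:
            break
        value = new
    return value

def is_microsoft_host(host):
    return bool(host) and any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)

def inspect_event(event):
    """One CASB event (constructed schema: user, app, kind, url) -> finding or None.
    kind "search": user opened a Copilot search URL; flag HTML markup hidden in q.
    kind "fetch":  Copilot fetched a URL for the user; flag non-Microsoft hosts."""
    parts = urlsplit(event["url"])
    if event["kind"] == "search" and parts.hostname in COPILOT_HOSTS:
        for q in parse_qs(parts.query).get("q", []):
            m = HTML_TAG.search(decode_layers(q))
            if m:
                return f"html-in-q tag={m.group(0)[:40]!r}"
    if event["kind"] == "fetch" and event["app"] == "M365 Copilot" and not is_microsoft_host(parts.hostname):
        return f"copilot-fetch-external host={parts.hostname}"
    return None

def scan(events):
    """Return (user, finding) pairs for every event that trips a rule."""
    return [(e["user"], f) for e in events if (f := inspect_event(e))]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "a.muster", "app": "M365 Copilot", "kind": "search",
     "url": "https://copilot.microsoft.com/?q=quarterly%20budget%20summary"},
    {"user": "b.beispiel", "app": "M365 Copilot", "kind": "search",
     "url": "https://copilot.microsoft.com/?q=%253Cimg%2520src%253D%2522https%253A%252F%252Fexample.invalid%252Fp%2522%253E"},
    {"user": "b.beispiel", "app": "M365 Copilot", "kind": "fetch",
     "url": "https://www.bing.com/images/search?q=x"},
    {"user": "b.beispiel", "app": "M365 Copilot", "kind": "fetch",
     "url": "https://example.invalid/p?d=placeholder"},
]
```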
Tags: vulnerabilities, ai-abuse, info-disclosure, identity, patch-available, global, CVE-2026-42824