One Click. That's All It Took to Steal Emails from Microsoft Copilot.
A vulnerability in Microsoft 365 Copilot Enterprise let attackers exfiltrate emails, files, and MFA codes with a single link click. It's patched, but the lesson isn't about the patch.
Earlier this month, Varonis Threat Labs published details on a vulnerability chain they named SearchLeak (CVE-2026-42824). Microsoft rated it critical and patched it. But the attack itself tells you something important about what Copilot actually is and what happens when you don’t configure your environment before turning it on.
What SearchLeak did
The attack worked in three stages, chaining together one AI-specific vulnerability with two old-school web bugs:
Stage 1: The URL becomes a command. Copilot Enterprise Search accepts a search query in the URL. Varonis found that whatever you put in that URL parameter gets interpreted by Copilot’s AI engine as instructions, not just as a search string. An attacker could craft a link that tells Copilot to search the victim’s mailbox and embed results in an outbound request.
Stage 2: The guardrail loses the race. Microsoft wraps Copilot’s output in code blocks to prevent raw HTML from rendering. But the wrapping happens after Copilot finishes generating. While the response is still streaming, the browser renders the HTML in real time. An image tag fires before the sanitizer kicks in. By the time the guardrail activates, the request has already left.
Stage 3: Bing becomes the getaway car. The image request points to Bing’s “search by image” feature, which is allowlisted in Copilot’s security policy. Bing’s backend then fetches the attacker’s server to analyze the “image,” carrying the stolen data in the URL path. Bing becomes an unwitting proxy for exfiltration, and the browser’s content security policy never fires because the request goes to a trusted Microsoft domain.
The full sequence: victim clicks a link on a trusted Microsoft domain, Copilot searches their mailbox, calendar, SharePoint, and OneDrive, and the results end up on the attacker’s server. No plugins. No special permissions. No second click. The victim sees Copilot “thinking” for a moment and that’s it.
What could be stolen
Because Copilot Enterprise runs with the user’s full Microsoft Graph permissions, the attacker inherits whatever access the victim has. Varonis demonstrated exfiltration of:
- Email subject lines and content (including security codes, OTPs, and password reset links)
- MFA/2FA codes for other services
- Meeting details (attendees, agendas, notes)
- SharePoint documents and OneDrive files indexed by Copilot
- Sensitive communication metadata
One click. One link to a microsoft.com domain. And traditional anti-phishing tools wouldn’t flag it because the URL is legitimate.
Why this matters beyond the patch
Microsoft patched SearchLeak, so the specific exploit chain is closed. But “update and move on” misses the point. What SearchLeak exposed is architectural.
Copilot operates with your permissions. It can see every email you can see, every file you have access to, every meeting on your calendar. That’s the whole point. It’s useful because it has broad access to your data. But broad access means that any vulnerability in Copilot’s processing pipeline becomes a vulnerability in your entire information environment.
This is different from a flaw in, say, Excel. A bug in Excel affects the spreadsheet you’re working on. A bug in Copilot potentially affects everything in your Microsoft 365 tenant that the user can reach.
For a law firm or CPA firm, that’s client files, privileged communications, financial records, tax returns, engagement letters. Everything stored in M365 is within Copilot’s reach if the user has access to it.
The configuration problem
SearchLeak exploited Copilot as-shipped. The victim didn’t misconfigure anything. But the blast radius of the attack depended entirely on what Copilot could see, and that’s where configuration matters.
Most firms we talk to have some version of the same problem: permissions have accumulated over years. Former client folders are still accessible. Shared drives give everyone access to everything. Sensitivity labels either don’t exist or aren’t applied consistently. Nobody has audited what Copilot would actually see if it searched across a user’s full access.
This is why we keep saying Copilot deployment is a configuration decision, not a licensing decision. The license flips the switch. What happens next depends on what your environment looks like when that switch gets flipped.
With new bundled Copilot SKUs going live July 1, more firms are buying into Copilot. The licensing decision is getting easier. The configuration work before deployment hasn’t changed.
What to do about it
Varonis published specific defensive recommendations. Here’s what matters for a professional services firm.
Review SharePoint and OneDrive permissions before you enable Copilot. Look for overly broad sharing, folders accessible to “everyone,” and files that should have been restricted years ago. Copilot will search whatever the user can reach.
Configure sensitivity labels in Microsoft Purview for confidential client data. Copilot respects them. If you haven’t set them up, Copilot has no way to distinguish between a public announcement and a client’s financial records.
Monitor Copilot Enterprise Search for unusual query patterns, particularly encoded payloads in URL parameters. The specific SearchLeak vector is patched, but prompt injection via URL parameters as an attack category isn’t going away.
Review your content security policy allowlists. Any allowlisted domain that performs server-side fetches on user-supplied URLs is a potential exfiltration channel. This applies to any AI tool with web access, not just Copilot.
And have the conversation with your team. SearchLeak is a concrete example you can point to when explaining why AI tools need governance. A researcher demonstrated it, Microsoft rated it critical, and the only reason it didn’t become a mass-exploitation event is that the security research community found it first.
Artech Solutions helps law firms and CPA firms in the Des Moines metro deploy Microsoft 365 and Copilot with proper data governance, access controls, and security configuration. If you’re considering the new bundled Copilot plans or already have Copilot in your tenant, let’s make sure your environment is ready.