New Attack Turned Microsoft 365 Copilot Into 1-Click Data Theft Tool

The discovery of SearchLeak shines a spotlight on the evolving security challenges posed by generative AI integrations in enterprise software. While Microsoft 365 Copilot promises streamlined access to corporate data, the feature’s reliance on natural‑language prompts creates a novel injection vector. By manipulating the ‘q’ parameter, attackers can instruct Copilot to query a user’s mailbox and embed results in an image tag, turning a benign search into a covert data‑exfiltration channel. This blend of AI prompt engineering with traditional web vulnerabilities illustrates how legacy bugs gain new potency when paired with large‑language‑model interfaces.

Technically, the chain hinges on three distinct flaws. First, a parameter‑to‑prompt injection lets a malicious URL dictate Copilot’s search behavior. Second, a race condition in the browser’s HTML rendering temporarily exposes raw output before it is safely wrapped, allowing attacker‑controlled markup to execute. Finally, a Bing server‑side request forgery bypasses content‑security‑policy restrictions, using Bing’s image‑search service as an unwitting proxy to deliver stolen data to the attacker’s server. Each component alone would be low‑risk, but their orchestration produces a one‑click theft mechanism that can siphon emails, documents, and calendar details without user awareness.

Microsoft’s rapid patch of CVE‑2026‑42824 mitigates the immediate threat, yet the incident serves as a cautionary tale for AI‑enhanced products. Enterprises should audit prompt‑driven features for injection risks, enforce strict CSP policies, and monitor outbound traffic from AI services. As AI becomes more embedded in productivity suites, security teams must adapt threat models to account for hybrid attacks that fuse classic web exploits with generative‑AI capabilities, ensuring that the convenience of tools like Copilot does not come at the expense of data confidentiality.