How does the SearchLeak attack actually work?

Varonis's proof-of-concept chains together three weaknesses: (1) Copilot can be told to search Outlook for sensitive content via a manipulated prompt, (2) Copilot renders the response in a way that lets an attacker smuggle the search results into an outbound HTTP request, and (3) the trigger comes from a single click on a link pointing to a real Microsoft domain — no prompt, no password, no second confirmation. The result is that the AI assistant becomes the exfiltration channel: it reads 2FA codes from your inbox and ships them to the attacker without you typing anything.

Is SearchLeak patched and what should enterprises do?

Yes — Microsoft patched SearchLeak before public disclosure in June 2026. Enterprises should still: (1) confirm the patch is rolled out across all M365 Copilot deployments, (2) review Copilot audit logs for the indicators Varonis published, (3) treat 2FA codes in email as transient and consider migrating MFA to dedicated authenticator apps rather than SMS/email codes, and (4) apply the same threat model to other AI assistants that have Outlook/Drive/Sharepoint read access: Gemini for Workspace, Claude for Microsoft Office, and ChatGPT Atlas all have similar attack surfaces.

Why does SearchLeak matter beyond Microsoft Copilot?

Because the underlying pattern — AI assistant with broad read access + rendering channel that leaks data + a single trusted-domain click — is structural to every enterprise AI assistant in 2026. SearchLeak is the third major Copilot data-exfil flaw class disclosed in 12 months. As more organizations grant agentic AI access to email, files, and code repos, this attack surface grows. Expect more SearchLeak-class CVEs against Gemini, Claude, and ChatGPT enterprise products in H2 2026. The defensive lesson: scope AI assistant permissions aggressively, audit rendering channels, and assume every assistant with email access can be coerced into reading 2FA codes.

Quick Answer

What is SearchLeak (CVE-2026-42824)? Microsoft Copilot Flaw

Q: What is SearchLeak (CVE-2026-42824)?

SearchLeak is a critical vulnerability chain in Microsoft 365 Copilot, disclosed by Varonis Threat Labs in mid-June 2026 and tracked as CVE-2026-42824. With a single click on a link pointing to a legitimate Microsoft domain, an attacker could coerce Copilot into reading sensitive Outlook content — including emails, attachments, files, and two-factor authentication (MFA) codes — and exfiltrating them to an attacker-controlled endpoint. Microsoft assigned the CVE 'critical' severity; CVSS scoring diverged with Microsoft rating it 6.5 and the National Vulnerability Database rating it 7.5. Microsoft has since patched the issue.

Published: June 20, 2026

What is SearchLeak (CVE-2026-42824)? Microsoft Copilot Flaw

SearchLeak is a one-click Microsoft 365 Copilot vulnerability disclosed by Varonis Threat Labs in mid-June 2026 and tracked as CVE-2026-42824. It let an attacker exfiltrate emails, attachments, files, and 2FA codes from a Microsoft 365 tenant — triggered by nothing more than a single click on a link pointing to a real Microsoft domain. Microsoft has patched it.

Last verified: June 20, 2026. Microsoft Copilot patch shipped before public disclosure.

TL;DR

What it is: CVE-2026-42824, named SearchLeak, a one-click data exfiltration chain in Microsoft 365 Copilot.
Who found it: Varonis Threat Labs, disclosed June 2026.
Severity: Microsoft scored it CVSS 6.5; the NVD scored it 7.5 (critical).
What it leaks: Outlook emails, attachments, files, and two-factor authentication (MFA) codes sent to email.
The trigger: A single click on a link pointing to a legitimate Microsoft domain — no prompt, no password, no second confirmation.
Status: Patched by Microsoft before public disclosure.

How SearchLeak works (the attack chain)

SearchLeak is interesting because it doesn’t require malware, a compromised account, or a phishing site. It’s a pure abuse-of-trust chain against an AI assistant that has been granted Outlook + Files read access.

The victim clicks a link pointing to a legitimate Microsoft domain — the kind of link enterprise users click dozens of times a day.
The link triggers a prompt to Microsoft 365 Copilot. The prompt instructs Copilot to search the victim’s Outlook for sensitive content: emails containing the phrase “verification code,” password reset emails, MFA notifications, sensitive attachments.
Copilot returns the results — including 2FA codes — but Varonis found a flaw in how Copilot renders its responses that allowed the search results to be smuggled into an outbound HTTP request to an attacker-controlled endpoint.
The attacker receives the data without the victim seeing anything suspicious. No prompt, no second click, no obvious indicator that the AI assistant just leaked their inbox.

Why SearchLeak is a big deal

Every enterprise AI assistant in 2026 has the same three-part architecture: (1) broad read access to corporate data, (2) a prompt-execution layer, and (3) a rendering channel that returns results to the user. SearchLeak shows that all three can be chained together as an exfiltration pipeline — and that the entry point can be as innocuous as a single click on a Microsoft.com URL.

This is the third major Copilot data-exfil class disclosed in 12 months (after EchoLeak in 2025 and the Copilot Studio MCP confused-deputy class earlier in 2026). The pattern is structural, not specific to Microsoft. Expect equivalent classes against Gemini for Workspace, Claude for Microsoft Office, and ChatGPT Atlas in the next 6-12 months.

Comparison: SearchLeak vs prior Copilot CVEs

Attribute	SearchLeak (June 2026)	EchoLeak (2025)	Copilot Studio MCP confused-deputy (Feb 2026)
Type	Data exfiltration via rendering channel	Data exfiltration via prompt-injected URL	Cross-tenant action confusion
Trigger	One click on Microsoft.com URL	Email-based prompt injection	Tool-call routing flaw
What leaks	Emails, files, 2FA codes	Email content	Cross-tenant tool actions
CVE	2026-42824	(Varonis EchoLeak)	(Microsoft internal)
Discoverer	Varonis Threat Labs	Aim Labs	Internal + external chained
Patch status	Patched June 2026	Patched 2025	Patched Feb-March 2026

What enterprises should do now

Confirm the patch. Microsoft pushed the fix before disclosure, but enterprise admins should confirm it has propagated across all M365 tenants and check the Microsoft Security Response Center advisory for the exact rollout window.
Audit Copilot logs. Review M365 audit logs for the Varonis IOCs (indicators of compromise) for the disclosure window. If your tenant was attacked between vuln-discovery and patch, the audit logs should show the search patterns.
Migrate 2FA off email. Email-delivered MFA codes are now structurally weaker than dedicated authenticator apps. Microsoft Authenticator, Authy, 1Password, and hardware keys all avoid the attack class entirely.
Scope Copilot permissions. The most aggressive defense is “Copilot doesn’t have inbox access.” For highly sensitive teams (security, M&A, legal), consider revoking Copilot Outlook permissions until your detection coverage matches the attack rate.
Apply the threat model to peer assistants. Gemini for Workspace, Claude for Microsoft Office, and ChatGPT Atlas have the same architecture. Ask each vendor about rendering-channel hardening, treat the answers skeptically, and prefer assistants that scope read access to query-specific results.

Why SearchLeak fits a bigger 2026 pattern

The 2026 AI security landscape is dominated by attacks that exploit trust placement rather than code execution. SearchLeak is one class. WARP — Cornell Tech’s Web Agent Retrieval Poisoning attack disclosed the same week — is another (a 13-word Reddit comment can steer ChatGPT Deep Research and Gemini’s deep research agent into scam recommendations). Both attacks succeed because AI assistants treat external content as more authoritative than it deserves.

If you build with AI agents, the defensive posture for H2 2026 is: assume the rendering channel can exfiltrate, assume retrieved content can be poisoned, and scope every assistant’s permissions to the minimum the use case requires. SearchLeak is the version of that lesson with a CVE number.

Sources

Varonis Threat Labs disclosure: SearchLeak (June 2026)
The Hacker News: “One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes” (June 16, 2026)
Ars Technica: “Critical Copilot vulnerability allowed hackers to steal 2FA code from users” (June 18, 2026)
Mashable: “This Copilot vulnerability could expose emails, 2FA codes, and other sensitive data” (June 17, 2026)
CybersecurityNews: “Critical Microsoft 365 Copilot Vulnerability Allows Attackers to Steal Data in One Click” (June 15, 2026)
Microsoft Security Response Center: CVE-2026-42824

Published June 20, 2026 by andrew.ooo. We track AI security vulnerabilities as part of the AI infrastructure beat — see also our coverage of WARP retrieval poisoning and the AI agent attack landscape.