A single click on a Microsoft link could have drained your inbox. Here’s how SearchLeak worked.


TL;DR

Varonis found three chained bugs in Microsoft 365 Copilot Enterprise Search that let an attacker steal data with one click on a microsoft.com link.

Security researchers at Varonis Threat Labs have disclosed a vulnerability chain in Microsoft 365 Copilot Enterprise Search that could have let an attacker steal emails, calendar entries, and indexed files with a single click. The attack, which Varonis calls SearchLeak, worked through a crafted URL on a legitimate microsoft.com domain, meaning traditional anti-phishing and URL filtering tools were unlikely to flag it. Microsoft assigned CVE-2026-42824 on June 4 and rated it critical under its own severity system, though the CVSS v3.1 base score came in at 6.5, a medium rating.

The victim never typed a prompt, entered a password, or clicked a second time. Varonis researcher Dolev Taler, who is credited in Microsoft’s advisory, demonstrated the attack as a proof of concept. Microsoft mitigated the...

Copyright of this story solely belongs to thenextweb.com.
