One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, MFA…

VentureBeat

Researchers at Varonis Threat Labs disclosed SearchLeak (CVE-2026-42824), a critical vulnerability in Microsoft 365 Copilot Enterprise Search that allowed one-click exfiltration of emails, calendar data, and files. The attack chained three bugs including parameter-to-prompt injection and a race condition, bypassing CSP. Microsoft has patched the flaw server-side with no evidence of exploitation.

Copilotsearchleak

See 5 more sources

One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes6 days ago

Microsoft Copilot Cowork Exfiltrates Files26 days agoSimon Willison

Copilot Cowork is now generally available worldwide, now with multi-model support! Every...5 days agoSatya Nadella

Copilot 'SearchLeak' Attack Allows 1-Click Data Theft6 days agoAlexander Culafi

Critical Copilot vulnerability allowed hackers to seal 2FA code from users5 days agoDan Goodin

VentureBeat·Louis Columbus

Jun 18, 5:42 PM