One-click Microsoft 365 Copilot SearchLeak flaw
🔎 Researchers at Varonis chained three bugs into a one-click exfiltration path dubbed SearchLeak that could have pulled emails, calendar entries, and indexed files from Microsoft 365 Copilot Enterprise Search. Because the malicious link used a legitimate microsoft.com domain, URL filters and anti-phishing tools were unlikely to block it. Microsoft assigned CVE-2026-42824, mitigated the issue on its backend, and Varonis released a proof-of-concept without observed exploitation.
