# Critical Flaw in Microsoft 365 Copilot Could Allow Data Exfiltration *Published June 17, 2026* *Source: [https://www.thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html](https://www.thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html)* ## Executive Summary A critical vulnerability in Microsoft 365 Copilot allowed potential data exfiltration through trusted links, bypassing traditional security measures. Microsoft has mitigated the flaw, but organizations must continue to monitor and restrict data access to prevent future breaches. ## Article A significant flaw in Microsoft 365 Copilot Enterprise Search has been uncovered that could allow attackers to exfiltrate sensitive data with just one click. Researchers at Varonis Threat Labs identified a vulnerability, dubbed SearchLeak, that exploits three chained bugs. These vulnerabilities enable data extraction through a trusted Microsoft link, avoiding detection by traditional anti-phishing tools. The flaw has been assigned CVE-2026-42824 and is marked critical by Microsoft, though the CVSS scores differ between Microsoft and the National Vulnerability Database. Microsoft has addressed the issue on its backend, and no active exploitation has been observed. The vulnerability involves a series of technical manipulations starting with the q parameter in the Copilot Enterprise Search URL. This parameter is intended for natural-language queries, but it can be exploited via a Parameter-to-Prompt injection. An attacker can craft a URL that instructs Copilot to search the user's mailbox and embed sensitive information in an image URL. The process involves a race condition where the browser renders the injected image tag before Microsoft’s guardrails can neutralize it. The final step in the chain bypasses the Content Security Policy by leveraging Bing's infrastructure to fetch the stolen data, effectively using Bing as an exfiltration proxy. The flaw could allow unauthorized access to emails, calendar details, and indexed files, highlighting the importance of vigilant monitoring and data governance. This vulnerability underscores the need for companies to implement strict access controls and monitoring systems. While Microsoft has mitigated the flaw, organizations should remain vigilant by monitoring for suspicious Copilot Search URLs and unusual outbound requests.