Security researchers have shown how Microsoft 365 Copilot could be turned into an unusually sneaky corporate data theft tool, chaining together AI search behavior, browser quirks, and Bing image search to exfiltrate sensitive information. Microsoft has already patched the issue and assigned it CVE-2026-42824, a critical flaw that was part of a broader attack path called SearchLeak.

The trick worked against Microsoft Copilot Enterprise Search, not the consumer version. That matters because the enterprise product can search across email, meeting notes, SharePoint files, and OneDrive content, which gives an attacker a much richer pool of material to target. In other words, the same feature that makes the assistant useful inside a company also makes it an attractive target for abuse.

How SearchLeak hijacked Microsoft 365 Copilot prompts

The attack started with a link sent to a victim. Inside the link, a malicious instruction was hidden in a "q" parameter, telling Copilot to look for restricted corporate data and place it into an image address controlled by the attacker. One click was enough to set the chain in motion, and Copilot did the rest.

The clever part was the delivery mechanism. The stolen data was embedded in an <img> tag so that the browser would eventually process it, and Bing image search was used as a proxy to help avoid simple blocks. That gave the attacker a way to route the data out without the victim seeing an obvious warning screen or a suspicious download prompt.
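One defensive counterpart to the mechanism described above, added here as an example and not code from the researchers or from Microsoft: a screen that a rendering layer could run over assistant output before fetching any image, blocking image URLs on non-allowlisted hosts, allowlisted image-proxy URLs whose nested target points elsewhere, and query values that look like smuggled data rather than image identifiers. The host names, parameter names, entropy threshold and sample URLs are constructed assumptions for illustration.

```python
import math
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hosts the renderer may fetch images from. Constructed allowlist for this example;
# the image-search host is listed because users legitimately see its results.
ALLOWED_IMAGE_HOSTS = {"cdn.corp.example", "images.search.example"}
# Parameter names that image proxies commonly use to carry the real target URL.
# Assumed for illustration; not a description of any specific service.
NESTED_URL_PARAMS = {"u", "url", "src", "mediaurl"}
# Matches <img src="..."> in HTML and ![alt](...) in Markdown output.
IMG_RE = re.compile(r'<img[^>]+src=["\']([^"\']+)["\']|!\[[^\]]*\]\(([^)\s]+)\)', re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64-like data scores well above 4."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def classify_image_url(url: str, depth: int = 0) -> str:
    """Return 'allow' or a 'block: ...' reason for one image URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "block: non-https scheme"
    if depth == 0 and parsed.hostname not in ALLOWED_IMAGE_HOSTS:
        return f"block: host {parsed.hostname} not allowlisted"
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in map(unquote, values):
            # A nested URL means the allowlisted host fetches on the client's
            # behalf, so the real destination must pass the same checks.
            if name in NESTED_URL_PARAMS and value.startswith(("http://", "https://")):
                inner_host = urlparse(value).hostname
                if inner_host not in ALLOWED_IMAGE_HOSTS:
                    return f"block: proxied fetch to {inner_host}"
                verdict = classify_image_url(value, depth + 1)
                if verdict != "allow":
                    return verdict
            # Long, high-entropy values look like smuggled data, not an image id.
            elif len(value) >= 32 and shannon_entropy(value) > 4.0:
                return f"block: high-entropy payload in parameter {name!r}"
    return "allow"


def screen_output(text: str) -> list[tuple[str, str]]:
    """Classify every image reference found in a block of assistant output."""
    urls = [m.group(1) or m.group(2) for m in IMG_RE.finditer(text)]
    return [(u, classify_image_url(u)) for u in urls]
```

The check belongs at the point where assistant output is turned into a fetch, since an image the browser never requests cannot carry data out.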

Why Bing ended up in the middle

Using a Microsoft service as the relay is the sort of move that makes defenders wince and attackers smile. It also fits a broader pattern in AI security: the weakest point is often not the model itself, but the way browsers, connectors, and web services are stitched together around it. That has already become a familiar headache for enterprises adopting AI assistants at scale.

  • Vulnerability: CVE-2026-42824
  • Threat level: critical
  • Targeted product: Microsoft Copilot Enterprise Search
  • Data sources: email, meetings, SharePoint, and OneDrive

Microsoft patched the flaw already

There is no action required from users, because Microsoft has already fixed the flaw. That leaves the bigger question hanging over enterprise AI: as assistants become more deeply wired into internal data, how many more "helpful" features will need to be treated like potential exfiltration paths before security teams catch up?
