One-Click Copilot Flaw Could Steal Emails

A single click on a trusted Microsoft link could let attackers steal emails, files, and MFA codes from Microsoft 365 Copilot Enterprise Search. Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path called SearchLeak. Microsoft assigned CVE-2026-42824 and mitigated the flaw on its backend.