SearchLeak turns Microsoft 365 Copilot into data theft tool

A vulnerability chain called SearchLeak in Microsoft 365 Copilot Enterprise lets attackers steal emails, calendar events, and documents via a crafted URL. Microsoft assigned CVE-2026-42824 with a critical severity rating. Varonis researchers chained three flaws including parameter-to-prompt injection and a Bing SSRF to enable the attack.