What Happened
Researchers at Varonis Threat Labs disclosed a now-patched vulnerability chain they named SearchLeak (CVE-2026-42824) in Microsoft 365 Copilot Enterprise Search. With a single click on a trusted Microsoft link, an attacker could direct Copilot to extract emails, calendar entries, SharePoint and OneDrive files, and live MFA one-time codes — then transmit that data to an attacker-controlled server without the victim knowing.
The attack chain combines three techniques. The first is Parameter-to-Prompt Injection (P2P), a relatively new AI-specific attack class where malicious instructions are embedded in parameters that Copilot processes as search queries. The second is an HTML injection race condition. The third is server-side request forgery (SSRF). Chained together, the attacker writes a URL that instructs Copilot to search the target’s mailbox, extract an email title, and embed it inside an image URL pointing to the attacker’s server. Copilot performs the action because it processes the crafted parameter as a legitimate instruction.
The most time-sensitive exposure involved live MFA one-time codes. Because the attack ran in seconds and OTP codes remain valid for a short window, a scripted follow-up could use a captured code to take over an account before the user notices anything. Microsoft assigned CVE-2026-42824 and mitigated the flaw on its backend — no customer action is required. Varonis observed no exploitation in the wild and coordinated disclosure with Microsoft before publication. The Hacker News
Why This Matters for Canadian Organizations
Microsoft 365 is deployed across virtually every sector of the Canadian economy, including federal and provincial government, financial services, healthcare, and education. Copilot for Microsoft 365 is now in active deployment at thousands of Canadian organisations, with adoption growing rapidly since Microsoft bundled it into enterprise licensing.
SearchLeak was patched before it was exploited, which is the best possible outcome. But the underlying attack class — prompt injection against enterprise AI tools — is not patched. Copilot’s ability to act on user data across the entire Microsoft 365 estate is exactly what makes it useful; it is also what makes prompt injection attacks against it disproportionately damaging. A future vulnerability of the same class in Copilot, or in a competitor AI assistant with similar data access, may not be caught before exploitation.
For Canadian organisations operating under OSFI Guideline B-13, the Copilot architecture — where an AI tool has read access to emails, files, and calendar data across an enterprise — represents a data access concentration risk that technology risk assessments should address explicitly. Under PIPEDA, the potential for exfiltration of personal data via an AI assistant engaged in workplace tasks raises questions about whether current data minimisation and access controls are adequate. The Canadian Centre for Cyber Security (CCCS) has flagged AI tool integration as an emerging attack surface in its threat advisories, and SearchLeak is precisely the type of research that validates that concern.
What to Do
No action is required to remediate CVE-2026-42824 — Microsoft mitigated it server-side. The broader response is architectural. Review what data Copilot for Microsoft 365 is permitted to access in your tenancy and whether access scopes are tighter than the default. Assess whether any sensitive SharePoint libraries or mailboxes should be excluded from Copilot indexing. Train security teams on prompt injection as an attack class relevant to enterprise AI tools — it does not require malware or credential theft; it exploits the AI’s own capabilities against the organisation. Include AI assistant access scope in your next OSFI B-13 technology risk review cycle.
