MICROSOFT has released a patch for a critical vulnerability in its M365 Copilot AI platform that allowed attackers to leak two‑factor authentication codes and other sensitive data from user mailboxes, as reported by Ars Technica. The flaw, tracked as CVE‑2026-42824, was uncovered by Varonis researchers who demonstrated a proof‑of‑concept exploit named SearchLeak. By tricking a victim into clicking a specially crafted URL, an attacker could force Copilot to retrieve and exfiltrate emails, documents and authentication tokens.
The vulnerability stems from a parameter‑to‑prompt injection technique. Malicious parameters embedded in a link to Copilot bypass the model’s built‑in guardrails, causing the AI to treat the injected text as a legitimate prompt. This enables the system to query internal data stores and return the results to an attacker‑controlled server. Varonis reported the CVSS score as 6.5, rating the issue as medium severity, according to their analysis on their blog.
Attackers needed only a single click from the target; no additional user interaction or credential theft was required. Once the link was visited, the compromised Copilot session would silently forward the harvested information to an external endpoint. Microsoft confirmed that the patch blocks the injection vector, and no threat actors have been publicly linked to the campaign so far, as noted in Dark Reading.
The timing of the activity, first observed on 15 June 2026 and last seen on 16 June 2026, suggests the flaw was exploited in the wild before the fix became available. Security experts note that the incident highlights the broader risk of AI‑powered assistants that ingest corporate data, as manipulation of their input handling can lead to data leakage. The SearchLeak technique may inspire similar attacks against other large language model integrations.
Defenders should prioritise applying the latest Copilot update from Microsoft’s security advisory. Network monitoring for unexpected outbound connections to unfamiliar domains can help detect exfiltration attempts. User training programmes should reinforce caution when clicking links in unsolicited messages, even if they appear to point to trusted Microsoft services. Additionally, organisations may consider tightening prompt filtering and logging AI interactions to spot anomalous queries.
While the patch addresses the immediate issue, the underlying challenge of securing generative AI against prompt‑based abuse remains. Continuous review of input validation, runtime behavioural analysis and least‑privilege access for AI components is recommended to reduce the attack surface. Staying informed about emerging exploit techniques will help security teams adapt defences as the threat environment evolves.