HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical SearchLeak Vulnerability Turns Microsoft 365 Copilot into One‑Click Data Theft Tool

A three‑stage attack chain (SearchLeak, CVE‑2026‑42824) lets attackers steal mailbox, OneDrive, and SharePoint data from Microsoft 365 Copilot Enterprise with a single URL. The flaw highlights the need for SOC 2‑aligned control mapping and continuous evidence of remediation.

LiveThreat™ Intelligence · 📅 June 15, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Critical SearchLeak Vulnerability Turns Microsoft 365 Copilot into One‑Click Data Theft Tool

What Happened — Researchers disclosed a three‑stage attack chain, dubbed SearchLeak (CVE‑2026‑42824), that lets an adversary exfiltrate mailbox, OneDrive, and SharePoint data from a Microsoft 365 Copilot Enterprise user with a single crafted URL. The chain combines a parameter‑to‑prompt injection, an HTML‑rendering race condition, and a Bing SSRF bypass, allowing the attacker to read the stolen content from their own server logs.

Why It Matters for Compliance & Audit Readiness

  • The scenario maps directly to SOC 2 CC6.1 – System Operations and CC7.1 – Change Management controls that require documented evidence that data‑access mechanisms cannot be subverted by untrusted input.
  • Continuous‑control monitoring must capture any anomalous Copilot‑driven search activity and prove that CSP/SSRF mitigations are enforced in production.
  • Verisq’s Control Mapping capability can automatically map this vulnerability to the relevant SOC 2 controls and collect audit‑ready evidence of remediation and ongoing monitoring.

Who Is Affected – Enterprises that enable Microsoft 365 Copilot Enterprise (technology‑SaaS, cloud‑hosted productivity suites) across any industry; especially those handling regulated data (finance, health, government).

Recommended Actions

  • Immediately verify that the Microsoft‑issued patch for CVE‑2026‑42824 is applied to all Copilot Enterprise tenants.
  • Update CSP policies to restrict “Search by Image” requests to approved domains only.
  • Enable logging of Copilot Search queries and monitor for anomalous URL patterns.
  • Map the remediation steps to SOC 2 CC6.1/CC7.1 controls and capture evidence in your continuous‑compliance platform.

Source: BleepingComputer

Technical Notes

  • Attack vector: Parameter‑to‑prompt injection → HTML race condition → Bing SSRF (CSP bypass).
  • CVEs: CVE‑2026‑42824 (critical severity).
  • Data at risk: Email content, passwords, calendar events, documents stored in OneDrive/SharePoint.
  • Mitigation: Patch applied early June 2026; CSP tightening recommended.
📰 Original Source
https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →