Critical SearchLeak Vulnerability Turns Microsoft 365 Copilot into One‑Click Data Theft Tool
What Happened — Researchers disclosed a three‑stage attack chain, dubbed SearchLeak (CVE‑2026‑42824), that lets an adversary exfiltrate mailbox, OneDrive, and SharePoint data from a Microsoft 365 Copilot Enterprise user with a single crafted URL. The chain combines a parameter‑to‑prompt injection, an HTML‑rendering race condition, and a Bing SSRF bypass, allowing the attacker to read the stolen content from their own server logs.
Why It Matters for Compliance & Audit Readiness
- The scenario maps directly to SOC 2 CC6.1 – System Operations and CC7.1 – Change Management controls that require documented evidence that data‑access mechanisms cannot be subverted by untrusted input.
- Continuous‑control monitoring must capture any anomalous Copilot‑driven search activity and prove that CSP/SSRF mitigations are enforced in production.
- Verisq’s Control Mapping capability can automatically map this vulnerability to the relevant SOC 2 controls and collect audit‑ready evidence of remediation and ongoing monitoring.
Who Is Affected – Enterprises that enable Microsoft 365 Copilot Enterprise (technology‑SaaS, cloud‑hosted productivity suites) across any industry; especially those handling regulated data (finance, health, government).
Recommended Actions
- Immediately verify that the Microsoft‑issued patch for CVE‑2026‑42824 is applied to all Copilot Enterprise tenants.
- Update CSP policies to restrict “Search by Image” requests to approved domains only.
- Enable logging of Copilot Search queries and monitor for anomalous URL patterns.
- Map the remediation steps to SOC 2 CC6.1/CC7.1 controls and capture evidence in your continuous‑compliance platform.
Source: BleepingComputer
Technical Notes
- Attack vector: Parameter‑to‑prompt injection → HTML race condition → Bing SSRF (CSP bypass).
- CVEs: CVE‑2026‑42824 (critical severity).
- Data at risk: Email content, passwords, calendar events, documents stored in OneDrive/SharePoint.
- Mitigation: Patch applied early June 2026; CSP tightening recommended.