There's a comforting little fiction that a link to a real Microsoft domain is a safe link. The certificate checks out, the page is genuine, you're logged into your actual tenant. SearchLeak exists to take that comfort away. Varonis Threat Labs disclosed it in June 2026 as CVE-2026-42824, and the demonstration was unnervingly tidy: one click on a legitimate Microsoft 365 Copilot search URL, and the assistant could be coaxed into reading the victim's mailbox and files and mailing the interesting bits to a stranger.

Microsoft remediated it on the server side and slapped a "critical" label on it. Nobody has reported it being used in the wild, so this belongs in the Graveyard as a documented hazard rather than a confirmed breach. It earns its plot anyway, because it names a fresh class of prompt injection that every enterprise AI team should now assume exists in their own products.

The new trick: parameter-to-prompt injection

Microsoft 365 Copilot Enterprise Search accepts a URL with a q parameter, the same boring pattern every search box on the internet uses to carry your query. Something like https://m365.cloud.microsoft/search/?q=.... You'd reasonably expect whatever sits in q to be treated as a search term: text to look up, nothing more.

Varonis found that Copilot didn't just search the contents of q. It interpreted them. Whatever you stuffed into that parameter was handed to Copilot's AI engine as instructions it would follow, not merely a string it would match. Researchers named this "parameter-to-prompt" injection, or P2P, and it's a meaningful twist on the prompt-injection stories already in this Graveyard. EchoLeak hid instructions in an email. Reprompt abused a chat URL on consumer Copilot. SearchLeak weaponized the search query parameter of an enterprise assistant, which means the attacker's payload arrives inside a normal-looking, fully trusted Microsoft link.

Here's the conceptual problem in one sentence: the moment a URL parameter can become a prompt, "is this domain trusted?" stops being a sufficient question. The domain can be impeccable while the embedded task is hostile. Your anti-phishing tooling, trained to sniff out dodgy domains and freshly registered lookalikes, waves a microsoft.com link straight through. The malicious instruction was never in the domain. It was in the query string.

One link, three bugs, stacked

The genuinely instructive thing about SearchLeak is that the AI flaw alone wasn't enough. Varonis chained three weaknesses, each one converting the previous step's output into something more dangerous.

• Stage one - parameter-to-prompt injection. The crafted q parameter told Copilot to do something like: search the user's email for a specific item, extract its contents, and embed that text into an image URL. The victim typed nothing. They clicked, and Copilot, eager to help, went looking through their data.
• Stage two - an HTML rendering race condition. Microsoft's defense against AI-generated HTML was to wrap model output as inert text. The catch was timing. During the streaming phase, raw HTML could briefly land in the page's DOM before the sanitizer finished neutralizing it. If an image tag flashed into existence during that window, the browser would dutifully fire off the request to load it before the output was made safe. A text-generation event quietly became a network request.
• Stage three - a Bing SSRF that bypassed the content security policy. A content security policy is the page's allowlist of where it's permitted to fetch resources from. A direct image load to attacker.example should fail. But the policy allowed Bing, because of course it trusts Bing, and Bing's "search by image" endpoint accepts an image URL and fetches it server-side. So the browser called Bing (allowed), and Bing's backend reached out to the attacker's URL (carrying the stolen data in the path). That's a server-side request forgery, or SSRF: a trusted service tricked into making a request on the attacker's behalf. The CSP never had a chance, because from its perspective the page only ever talked to Bing.

Pull any one link out of that chain and the attack falls apart. Without P2P, the attacker can't plant the data-bearing image reference. Without the rendering race, the request never fires early. Without the Bing SSRF, the CSP blocks the leak. SearchLeak is a reminder that AI security usually isn't a brand-new discipline; it's classic application-security weaknesses reassembled around a reasoning engine that can fetch your data, transform it, and emit executable-looking output.

Why the blast radius is the whole point

Copilot Enterprise is useful precisely because it sits next to your work. It runs with your identity and your Microsoft Graph permissions, so it can ground its answers in your mailbox, your calendar, your SharePoint sites, your OneDrive, your Teams chats. Microsoft is careful to point out that Copilot only touches data the user is already authorized to see, and that's true. It's also not as reassuring as it sounds.

"Everything the user can access" is, for most real employees, an enormous pile. Stale SharePoint sites with company-wide permissions. Inherited folders nobody remembers granting. Old OneDrive shares. Years of email with MFA codes, password-reset links and contract terms sitting in plain text. Copilot's job is to make all of that instantly findable. SearchLeak's job was to make Copilot find it for the wrong person's benefit. Varonis listed the kind of material at risk: email content, multifactor authentication codes, meeting details, and private SharePoint and OneDrive files. An MFA code is the spicy example, because pairing a leaked one-time code with separately phished credentials is how a "your data is fine, it's just metadata" incident turns into an account takeover.

On the severity, it's worth being precise rather than dramatic, because the numbers genuinely disagree. Microsoft, acting as the CVE numbering authority, scored CVE-2026-42824 at 6.5, while the National Vulnerability Database's enrichment puts it at 7.5. Some outlets ran with Microsoft's "critical" wording regardless. A CVSS score rates the flaw in isolation; it doesn't capture that the assistant in question can read an executive's entire mailbox. The number is medium-to-high. The context is the part that should make a CISO sit up.

"Patched" is not the same as "solved"

Because this was a hosted-service issue, Microsoft fixed it centrally and customers didn't have to patch anything locally. Good. But the researchers and the trade press converged on the same uncomfortable note: Microsoft closed the specific attack path, not the condition that produced it. Large language models still can't reliably tell the difference between instructions from a legitimate user and instructions smuggled in through content they were asked to process. Every guardrail Microsoft ships - the output sanitizer, the CSP, the classifiers - is treating a symptom. The disease is that instructions and data flow through the same channel and the model is asked to police the boundary using nothing but its own judgment.

The durable lessons live in the tenant, not in Microsoft's patch notes. Treat data governance as AI security: hunt down oversharing and "Everyone except external users" exposure before Copilot makes it queryable. Treat AI-rendered output like hostile web content: sanitize every streamed chunk before it hits the DOM, and don't let model output trigger external fetches by default. Review your CSP allowlist by behavior, not by brand, because any allowed service that fetches user-supplied URLs is an exfiltration proxy waiting to be discovered. And design AI search URLs so a link can restore state but can never silently authorize a sensitive task.

Why this one belongs in the Graveyard

SearchLeak didn't ship a wrong answer or embarrass anyone in public. It's here because it's a clean, well-documented near miss that shows prompt injection graduating from party trick to enterprise data-flow problem. The defect lives in the AI deployment itself: an assistant wired into corporate data decided that text in a URL parameter counted as a command. Once an AI system can retrieve private data, render active content, and reach external services, the gap between a clever sentence and a data breach is one well-built chain of clicks. Microsoft got to close this one before anyone weaponized it. The class of attack that made it possible is still standing.