• Microsoft 365 Copilot can be turned into a one-click data theft t

    From TechnologyDaily@1337:1/100 to All on Tue Jun 16 17:45:32 2026
    Microsoft 365 Copilot can be turned into a one-click data theft tool inbox, OneDrive, and SharePoint data all at risk, so patch now

    Date:
    Tue, 16 Jun 2026 16:35:00 +0000

    Description:
    Varonis found a way to chain three bugs into one exploit that can lead to
    data exfiltration.

    FULL STORY ======================================================================
    - Varonis uncovered SearchLeak, chaining three flaws in Microsoft 365 Copilot to enable one-click data theft
    - The attack exploited prompt injection, an HTML race condition, and a Bing SSRF to exfiltrate inbox, OneDrive, and SharePoint data
    - Microsoft patched CVE-2026-42824 earlier this month, rating it 10/10 critical

    Experts have uncovered a way to turn Microsoft 365 Copilot into a one-click data theft tool, capable of exfiltrating sensitive information from people's inboxes, OneDrive, and SharePoint instances.

    The method, developed by security researchers at Varonis and recently patched by Microsoft, was dubbed SearchLeak. Varonis explains that it works by chaining together three vulnerabilities. Separately, these three can't do much harm, but together they are strong enough to warrant a patch.

    Exfiltration proxy

    The three flaws being chained are a parameter-to-prompt injection, an HTML rendering race condition, and a content-security-policy (CSP) bypass enabled by a Bing server-side request forgery (SSRF).

    The attack starts when a victim clicks a specially crafted Microsoft 365 Copilot Enterprise Search link. The URL holds hidden instructions in the search query parameter, telling Copilot to search the victim's emails, OneDrive files, SharePoint documents, or calendar data and include the results inside an image URL.

    As Copilot generates its response, a race condition causes the browser to briefly render attacker-controlled HTML before Microsoft's sanitization process completes. This allows an image tag carrying the stolen data in its URL to load.

    Finally, the image request is routed through Bing's Search by Image feature, and because of the SSRF flaw, Bing can fetch the attacker-controlled URL on the victim's behalf and bypass Content Security Policy protections. The sensitive data embedded in the URL is thus transmitted to the attacker's server, where they can recover it from web request logs.

    "Bing becomes an unwitting exfiltration proxy," the researchers explained. "A classic SSRF, hiding in plain sight behind a CSP allowlist entry."
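    The CSP point in that quote comes down to one fact: an img-src allowlist is checked against the host the browser connects to, not against wherever an allowlisted endpoint fetches from next. The script below is an added illustration written for this post (it is not Varonis's proof of concept or Microsoft's code). It models that naive host check, shows that a nested attacker URL inside an allowlisted "fetch this image" endpoint passes it, and then applies the inspection a defender could run over image-request URLs pulled from proxy logs: flag allowlisted hosts asked to fetch non-allowlisted URLs, and flag nested URLs whose query string is large enough to be carrying data out. The allowlist hosts, the imgurl parameter name, the 256-byte threshold and the sample URLs are all constructed assumptions, not Bing's or Copilot's real endpoints.

```python
from urllib.parse import urlsplit, parse_qsl, unquote, quote

# Hypothetical img-src allowlist. Constructed for this example; it is not
# Microsoft's real policy and the hosts do not exist.
IMG_SRC_ALLOWLIST = {"img.example-allowed.test", "search.example-allowed.test"}

# Heuristic: an image reference rarely needs a query string this long; a
# nested URL carrying hundreds of bytes of query data is worth a look.
MAX_NESTED_QUERY_BYTES = 256


def csp_allows_image(url: str) -> bool:
    """Model of a CSP img-src check: only the host the browser connects to is
    consulted. That is the whole bypass: an allowlisted endpoint that fetches
    arbitrary URLs on the caller's behalf is never asked where it goes next."""
    return urlsplit(url).hostname in IMG_SRC_ALLOWLIST


def nested_urls(url: str) -> list:
    """Return absolute URLs embedded as query-parameter values of `url`.
    parse_qsl decodes one layer of percent-encoding; unquote handles a
    double-encoded value."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = unquote(value)
        if value.startswith(("http://", "https://")):
            found.append(value)
    return found


def inspect_image_request(url: str) -> dict:
    """Classify one image request URL (for example from a proxy log):
    - csp_allows: what the naive host check says
    - nested:     third-party URLs it asks an allowlisted host to fetch
    - suspicious: a nested URL to a non-allowlisted host, or one whose query
                  string is large enough to be carrying data out"""
    inner = nested_urls(url)
    verdict = {"url": url, "csp_allows": csp_allows_image(url),
               "nested": inner, "suspicious": False, "reasons": []}
    for n in inner:
        parts = urlsplit(n)
        if parts.hostname not in IMG_SRC_ALLOWLIST:
            verdict["suspicious"] = True
            verdict["reasons"].append(
                f"allowlisted host asked to fetch non-allowlisted {parts.hostname}")
        if len(parts.query) > MAX_NESTED_QUERY_BYTES:
            verdict["suspicious"] = True
            verdict["reasons"].append(f"{len(parts.query)}-byte query on nested URL")
    return verdict


# Constructed sample image URLs, as a browser would request them. PAYLOAD
# stands in for the encoded search results an injected prompt would have
# Copilot place in the image URL.
PAYLOAD = "A" * 300
SAMPLE_IMAGE_URLS = [
    # ordinary image from an allowlisted host
    "https://img.example-allowed.test/avatars/u123.png",
    # direct exfil to the attacker: CSP blocks this, so the chain needs a proxy
    "https://attacker.example.test/i.png?d=" + PAYLOAD,
    # proxied exfil: allowlisted fetch endpoint (hypothetical imgurl parameter)
    # carrying the attacker URL, and the payload inside it, in its query string
    "https://search.example-allowed.test/images/fetch?imgurl="
    + quote("https://attacker.example.test/i.png?d=" + PAYLOAD, safe=""),
]


def triage(urls):
    """Run the inspection over a batch of URLs and return the verdicts."""
    return [inspect_image_request(u) for u in urls]


if __name__ == "__main__":
    for v in triage(SAMPLE_IMAGE_URLS):
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{flag:10} csp_allows={v['csp_allows']!s:5} {v['url'][:60]}...")
        for r in v["reasons"]:
            print("           -", r)
```

    Run stand-alone, the first URL is clean, the second is refused by the host check, and the third passes the host check while being flagged for both the non-allowlisted nested host and the oversized nested query. The size threshold is deliberately crude; in practice it would be tuned against the normal image traffic of the allowlisted endpoint.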

    Varonis says that on the victim's side, all they see is a normal Copilot search session, and stressed that AI has transformed simple, easily addressed vulnerabilities, such as SSRF and HTML injection race conditions, into potent ones.

    Earlier this month, Microsoft patched the flaw, assigning it a maximum severity rating (10/10 critical), and tracking it as CVE-2026-42824.

    Via BleepingComputer




    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/microsoft-365-copilot-can-be-turned-into-a-one-click-data-theft-tool-inbox-onedrive-and-sharepoint-data-all-at-risk-so-patch-now


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)