One link was all it took for your Copilot to work for someone else

Picture the scene. A link lands in Teams. The address starts with microsoft.com, so your anti-phishing filter waves it through without blinking. You click. Microsoft 365 Copilot opens, flickers for a second as if it is mulling something over. You go back to work.
In that same moment Copilot searched your mail, calendar, SharePoint, and OneDrive, pulled the subject line of the email carrying your MFA code, and sent it to a server run by someone you will never meet. One click. No plugins, no extra permissions, no second click.
This is not a talk-track about the threats of tomorrow. It is SearchLeak, a real vulnerability chain that researchers at Varonis Threat Labs found in Microsoft 365 Copilot Enterprise. Microsoft has already patched it (CVE-2026-42824). NIST scored it 7.5 on CVSS, which is high. Microsoft rates it lower, at 6.5. Neither number lands in critical territory, but the story is too good to skip, because it shows exactly where the real problem with AI at work lies.
Three links in the chain, and two of them remember the last decade
Here is the interesting part. Most people hear “an AI vulnerability” and picture some new, magic attack. SearchLeak is mostly old bugs, known for years, that AI has only now brought back to life.
The chain has three links:
- Parameter-to-Prompt Injection (P2P). Copilot Enterprise Search reads the q parameter out of the URL. It was meant to be plain search text. But Copilot treats what is in there not as a phrase to look up but as a command to run. So whatever you write in the link, Copilot simply does.
- A race condition in HTML rendering. Microsoft knows the AI response can contain dangerous code, so it wraps the response in a
<code>block so the browser reads it as text. The catch is that this wrapper arrives after Copilot finishes “thinking.” While the response is still streaming, the<img>tag has time to render and fire off an HTTP request before the sanitizer even wakes up. - SSRF through Bing. The page’s Content Security Policy (CSP) will not load images from attacker.com. But *.bing.com is on the allow list, because it is Microsoft after all. And Bing has a “search by image” feature that fetches a given URL server-side. So you just tell the browser to ask Bing, and Bing politely walks over to the attacker’s server, carrying the stolen data tucked into the address along the way.
SSRF is more than a decade old. Race conditions in sanitizers are a classic, covered in hundreds of talks. Each of these links can be fixed on its own. Only glued together, and glued precisely by that piece of AI, do they let someone quietly walk off with email, security codes, and company files.
Where the joke is, and where the nuance is
The least funny moment in the whole story: Microsoft built a defense. It really did. It wraps the response in <code> so the code will not run. Except the browser does not wait for the final version, it renders as it goes. So the image flies out, the data is already with the attacker, and a second later the nice, careful protective wrapper shows up. Around an image that is no longer there. The defense worked perfectly. Just on an empty spot...
And here the nuance starts, because it is easy to turn this into cheap AI panic. Copilot can be excellent. It cuts hours of digging through email down to a single sentence. It genuinely speeds up the work. At the same time, that same Copilot runs with the user’s full permissions and sees exactly what you see: your inbox, your calendar, your documents, the acquisition plans, the payroll sheet. So where is the line between a tool that saves you time and a tool that saves the attacker time too?
It comes down to one sentence worth taping above your desk: AI does not create new data, only new routes to the data you already have. The blast radius is not the model’s creativity. It is your permissions in Microsoft 365, which someone took over with a single link.
What to actually do about it
Because a list of threats with no remedy is not analysis, it is scaremongering for its own sake. Microsoft patched this specific hole, but the attack logic stays, and the next chains of this kind are only just being built. The practical minimum:
If you are responsible for security:
- Watch for suspicious URLs that point at Copilot. Long, encoded q parameters with HTML tags inside, or instructions along the lines of “put this into an image address,” are a red flag.
- Review the allow lists in your CSP. Every permitted domain that fetches user-supplied addresses on its own server is a ready-made leak channel. Bing was only one of many options.
- Treat a streamed AI response as untrusted. Sanitizing has to happen at render time, not as cleanup after the fact. The race condition lives in exactly that gap.
If you just use Copilot:
- Glance at the link before you click. Especially if it points to Microsoft 365 services and drags a mile of encoded characters behind it.
- Report odd behavior. If Copilot starts searching your mail on its own, when you never asked it to, that is not a feature. It is a symptom.
And if you want to know where in your organization AI was handed wider access than anyone knowingly approved, that is exactly what tests and permission reviews are for. Better to hear it from someone on your side, calmly, in a report, than from a data breach notice.
The takeaway is obvious, and that is exactly why it holds: we plug AI into everything faster than anyone can check what it really sees and who it can show it to. New technology, the same old door left open. Before you connect the next assistant on full permissions, check what it actually gets access to.
Book a free consultation and we will plan the tests and permission review that show where AI in your organization sees more than anyone knowingly approved.