Microsoft Patches a Microsoft 365 Copilot Flaw Researchers Named "SearchLeak"

Microsoft has patched a Microsoft 365 Copilot Enterprise Search vulnerability that researchers named “SearchLeak” — the fix is server-side, so defender Copilot-posture review and audit-log work is the practical follow-up.


Key Takeaways

  • Microsoft has patched a critical Microsoft 365 Copilot Enterprise Search vulnerability that researchers at Varonis disclosed and named “SearchLeak,” tracked as CVE-2026-42824 and assigned a maximum-severity, critical rating.
  • The fix was applied server-side by Microsoft in early June 2026, so there is no patch for customers to install; according to Varonis the flaw was disclosed as a proof-of-concept with no evidence it was used against real tenants.
  • Because the affected surface was Copilot's enterprise search over mailbox, calendar, SharePoint, and OneDrive content, the defender-actionable follow-up is a Copilot-posture and audit-log review rather than a deployment-wide patch cycle.


REDMOND, WASHINGTON — Microsoft has patched a critical vulnerability in Microsoft 365 Copilot Enterprise Search that researchers at the data-security firm Varonis disclosed on June 15, 2026 under the name “SearchLeak.” The flaw, which Microsoft tracks as CVE-2026-42824 and rated at maximum severity, could have allowed a crafted link to turn Copilot's enterprise search into a one-click path for reading data a user could already access — email, calendar entries, SharePoint documents, and OneDrive files. Microsoft addressed the issue on its own infrastructure at the beginning of June, and according to the disclosure there is no action for customers to take to close the hole itself.

For enterprise defenders, that server-side fix changes the shape of the work. There is no agent to upgrade and no build to chase across an estate; the patch is already live for everyone using the service. What remains is a posture question — whether an organization's Microsoft 365 Copilot deployment is configured, scoped, and logged the way the security team expects — and it sits alongside a broader wave of prompt-injection research against AI assistants that has made “what can our assistant be told to do, and by whom” a standing review item rather than a one-off.

At a Glance

Vulnerability: “SearchLeak” — critical Microsoft 365 Copilot Enterprise Search flaw
Product: Microsoft 365 Copilot (Enterprise Search)
CVE: CVE-2026-42824 (maximum-severity, critical)
Type: Prompt-injection-enabled data-disclosure chain via a crafted link
Disclosed by: Varonis
Fix: Server-side, applied by Microsoft in early June 2026
Customer action: None required to close the flaw; posture and audit-log review recommended
Status: Patched; disclosed as proof-of-concept, no reported in-the-wild use

What Was Disclosed and Patched

On June 15, 2026, researchers at Varonis published a disclosure describing a vulnerability in Microsoft 365 Copilot Enterprise Search that they named “SearchLeak.” Microsoft assigned it the identifier CVE-2026-42824 and, according to reporting on the disclosure, rated it at maximum severity. The short version is that a specially crafted link could cause Copilot's enterprise search to retrieve content the signed-in user was entitled to see — across their mailbox, calendar, SharePoint, and OneDrive — and route a representation of that content outward without the user typing anything beyond the initial click.

Crucially for defenders, the surface here is not generic, content-generating Copilot but Microsoft 365 Copilot Enterprise Search, the feature that reaches into an organization's own indexed data — emails, meetings, SharePoint files, and OneDrive documents — to answer questions grounded in company information. That distinction matters because it defines the blast radius: the issue concerned data a user already had permission to access, surfaced through the search experience, rather than a break in the underlying permission model itself.

Varonis framed the underlying lesson in defensive terms, noting that familiar, normally well-contained bug classes become far more consequential once an AI assistant can be instructed through untrusted input. That framing echoes a run of recent disclosures — from browser-and-assistant prompt-injection work to research on AI coding agents being steered by repository content — in which the AI layer turns a low-severity primitive into a usable data-disclosure path. For defenders, the takeaway is less about this single chain and more about the category it represents.

Why Copilot Posture Review Matters to Enterprise Defenders

Because the fix is server-side, the instinct to “patch and move on” is the wrong reflex here — there is nothing local to patch, and the more useful response is to treat the disclosure as a prompt to confirm posture. Microsoft 365 Copilot Enterprise Search is, by design, a tool that reads broadly across an organization's content on a user's behalf. That breadth is its value and also its risk surface: a flaw in how it interprets instructions touches the same data the assistant is meant to make convenient to reach.

A posture review starts with a simple inventory question that many organizations have not yet answered crisply: who in the tenant actually has Microsoft 365 Copilot enabled, and over what data. Copilot's reach is governed by existing Microsoft 365 permissions and labeling, which means the practical exposure of any Copilot flaw is a function of how well-scoped those permissions and sensitivity labels already are. A disclosure like SearchLeak is a good occasion to revisit whether over-permissioned SharePoint sites, broadly shared OneDrive folders, or stale access grants are quietly widening what an assistant could be induced to surface.

The second posture question is about the link-handling and content-rendering pathways that AI assistants introduce. The defensive lesson defenders can carry forward — independent of this specific chain — is that a clicked link can now be an instruction to an assistant, not merely a navigation event. That reframes user-awareness guidance and, more importantly, it makes the case for confirming that monitoring around Copilot activity exists at all, so that unusual assistant-driven access patterns would be visible if they occurred.

Microsoft's Response

Microsoft addressed SearchLeak on its own infrastructure, with reporting indicating the fix was in place by the beginning of June 2026 — ahead of the public disclosure. Because Microsoft 365 Copilot is delivered as a cloud service, the remediation propagated to all tenants without requiring administrators to deploy an update, change a configuration, or restart anything. The company assigned the issue CVE-2026-42824 with a critical rating, and the disclosure reflects a coordinated outcome in which the fix preceded the write-up.

Varonis, for its part, characterized the work as a proof-of-concept and did not report evidence that SearchLeak had been used against real tenants before the fix. That is a meaningful distinction for defenders weighing urgency: this is a closed, researcher-found weakness rather than an actively exploited zero-day. It lowers the probability that a given organization was affected, without entirely removing the value of looking — particularly for organizations that want assurance rather than assumption.

It is worth being precise about what is and is not established here. The server-side nature of the fix and the absence of reported in-the-wild use are well supported by the disclosure and the reporting around it. What no public source establishes is whether individual tenants retain logs detailed enough to retrospectively confirm whether any SearchLeak-style activity reached their data before the patch — a gap that itself becomes a defender action item below.

Defender Audit-Log Verification for Microsoft 365 Copilot Environments

With no patch to apply, the most concrete defender task is verification: confirming what visibility the organization has into Microsoft 365 Copilot activity, and using that visibility to check for anything anomalous. The honest starting point is that whether a given tenant can meaningfully reconstruct past Copilot search activity depends on its licensing, audit configuration, and retention settings — and that is precisely the thing worth checking rather than assuming.

A practical sequence is to first establish what Copilot-related auditing is enabled in the Microsoft Purview audit log, confirm the retention window covers the relevant period in late May and early June 2026, and then review for unusual patterns — for example, Copilot interactions that correlate with unexpected outbound activity, or access to sensitive repositories that does not match a user's normal behavior. Organizations that find their logging is thinner than they assumed have learned something useful regardless of SearchLeak: the same gap would blunt their response to the next assistant-layer issue.

Beyond the audit log, this is a reasonable moment to confirm the surrounding controls that bound Copilot's reach. That includes verifying which users and groups have Copilot Enterprise access, reviewing sensitivity-label coverage on high-value SharePoint and OneDrive content, and confirming that the security team would receive a signal if Copilot were driving anomalous data access. None of these steps is unique to this CVE; together they constitute the durable posture that outlasts any single disclosure and that a mature program maintains by default.
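The verification sequence described above (confirm auditing is on, confirm retention covers the pre-fix window, pull Copilot activity for that window, look for anomalies, and inventory who is actually licensed for Copilot) can be scripted. The following PowerShell is an added example written for this article; it is not code from Varonis, Microsoft, or any of the cited reports. It uses the Exchange Online Management and Microsoft Graph PowerShell modules and their documented cmdlets; the date window, the sensitive-site list, the outlier multiplier, and the Copilot SKU part number are assumptions to adjust for your tenant.

```powershell
# Added example: post-disclosure posture-and-visibility check for Microsoft 365 Copilot.
# Not from the article or its sources. Requires Connect-ExchangeOnline (audit search,
# audit config) and Connect-MgGraph (licensing), with the matching admin roles.
param(
    [datetime]$Start = (Get-Date '2026-05-20'),   # assumed window around the early-June fix
    [datetime]$End   = (Get-Date '2026-06-15'),   # public disclosure date per the article
    [string[]]$SensitiveSiteUrls = @('https://contoso.sharepoint.com/sites/Finance'),  # placeholder
    [string]$CopilotSkuPartNumber = 'Microsoft_365_Copilot',  # assumed SKU part number; verify in your tenant
    [int]$OutlierMultiplier = 5                   # assumed threshold: N x tenant median
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All','Organization.Read.All' -NoWelcome

# 1. Is unified audit logging ingesting at all? If not, nothing below can be reconstructed.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled; retrospective Copilot review is not possible.'
}

# 2. Does retention cover the window? Default retention depends on licensing, so list
#    the custom policies and have the team confirm the window is actually covered.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority | Format-Table -AutoSize

# 3. Pull every CopilotInteraction record in the window, paging past the 5000-row cap.
$sessionId = "copilot-review-$([guid]::NewGuid())"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType CopilotInteraction -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and @($page).Count -eq 5000)

# 4. Flatten each record's AuditData JSON to one row per resource Copilot touched.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    foreach ($res in @($d.CopilotEventData.AccessedResources)) {
        if ($null -eq $res) { continue }
        [pscustomobject]@{
            When    = $r.CreationDate
            User    = $r.UserIds
            AppHost = $d.CopilotEventData.AppHost
            Name    = $res.Name
            SiteUrl = $res.SiteUrl
        }
    }
}

# 5a. Interactions that reached a site the team has flagged as sensitive.
$sensitiveHits = $rows | Where-Object {
    $url = $_.SiteUrl
    $SensitiveSiteUrls | Where-Object { $url -like "$_*" }
}

# 5b. Users whose Copilot resource-access volume is an outlier versus the tenant median.
$perUser = @($rows | Group-Object User | ForEach-Object {
    [pscustomobject]@{ User = $_.Name; Resources = $_.Count }
})
$outliers = @()
$median = 0
if ($perUser.Count -gt 0) {
    $sorted = @($perUser.Resources | Sort-Object)
    $median = $sorted[[math]::Floor($sorted.Count / 2)]
    $outliers = $perUser | Where-Object { $_.Resources -gt $OutlierMultiplier * [math]::Max($median, 1) }
}

# 6. Who is actually licensed for Copilot: the population the review must cover.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $CopilotSkuPartNumber }
$licensed = @()
if ($sku) {
    $licensed = Get-MgUser -All -Property Id, UserPrincipalName, AssignedLicenses |
        Where-Object { $_.AssignedLicenses.SkuId -contains $sku.SkuId } |
        Select-Object -ExpandProperty UserPrincipalName
} else {
    Write-Warning "No subscribed SKU named '$CopilotSkuPartNumber'; check the part number for your tenant."
}

"Copilot-licensed users: $($licensed.Count)"
"Copilot interactions in window: $($records.Count); resources touched: $(@($rows).Count)"
"Sensitive-site hits:"
$sensitiveHits | Format-Table When, User, AppHost, Name, SiteUrl -AutoSize
"Volume outliers (> $OutlierMultiplier x median of $median resources per user):"
$outliers | Format-Table -AutoSize
```

Two design notes. The script deliberately reports a disabled audit log or an uncovered retention window as a finding in its own right, because that visibility gap is the durable problem the article points to, independent of SearchLeak. And the anomaly checks are intentionally coarse (sensitive-site hits and per-user volume relative to the tenant median); they are a starting point for review, not a detection signature, since the disclosure does not describe any artifact that would uniquely identify a SearchLeak-style interaction in the audit record.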

Open Questions

Several points are worth keeping in view. The core facts are well established: Microsoft has patched CVE-2026-42824 server-side, Varonis disclosed it as SearchLeak as a proof-of-concept, and the affected surface was Microsoft 365 Copilot Enterprise Search over a user's accessible data. What remains genuinely open is per-tenant: whether any individual organization retains audit data granular enough to confirm — rather than assume — that no SearchLeak-style activity reached its content in the window before the fix landed.

The broader open question is structural. SearchLeak is one of a growing set of disclosures in which an AI assistant's willingness to act on untrusted instructions converts an ordinary bug class into a data-disclosure path, a pattern seen across AI agents that can be steered through the content they process. Vendors are patching these as they surface, but the underlying tension — assistants that are useful because they reach broadly and act autonomously are, for the same reasons, exposed to instruction injection — is not resolved by any one fix.

What is confirmed is enough to act on without alarm. A critical Microsoft 365 Copilot flaw has been closed on Microsoft's side, with no customer patch required and no reported real-world use. The prudent reading is to treat the disclosure as a posture-and-visibility prompt: confirm who has Copilot enabled and over what data, verify that audit logging is on and retained, and review for anomalies where the logs allow it. That is the kind of standing review a well-run program builds in by design, and SearchLeak is a useful reason to run it now.

Sources

Primary: Varonis — SearchLeak disclosure
Reporting: BleepingComputer — New attack turned Microsoft 365 Copilot into 1-click data theft tool
Reporting: Dark Reading — Copilot 'SearchLeak' Attack Allows 1-Click Data Theft
Reporting: The Hacker News — One-Click Microsoft 365 Copilot Flaw
Related: The CyberSignal — Google Gemini voice-assistant prompt-injection research
Related: The CyberSignal — ChatGPT prompt-injection data-exfiltration and lockdown mode