SearchLeak How We Turned M365 Copilot Into a One-Click Data ... #2380

Open
carlospolop wants to merge 1 commit into master from update_SearchLeak_How_We_Turned_M365_Copilot_Into_a_One_b563c36e95c16f1e


@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://varonis.com/blog/searchleak
  • Blog Title: SearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon
  • Suggested Section: AI Security -> AI Prompts / Prompt Injection; cross-reference Pentesting Web -> Content Security Policy (CSP) Bypass and SSRF

🎯 Content Summary

SearchLeak is a critical three-stage vulnerability chain discovered by Varonis Threat Labs in Microsoft 365 Copilot Enterprise Search. Microsoft remediated it as CVE-2026-42824 and assigned it a critical maximum severity rating. The issue allowed an attacker to turn a single click on a trusted Microsoft 365 Copilot Search URL into silent data exfiltration from the victim’s Microsoft 365 environment.

The chain combines o...

🔧 Technical Details

Parameter-to-Prompt Injection through URL parameters: If an AI-backed search or assistant feature forwards a URL parameter directly into the model context, that parameter can become executable instructions instead of passive input. An attacker can craft a legitimate application URL where a query parameter tells the AI to search private user-accessible data, extract a field, transform it, and place it into an output sink. In SearchLeak, the q parameter of https://m365.cloud.microsoft/search/?auth=2&origindomain=microsoft365&q=<PROMPT> was abused to make Copilot search the victim’s Microsoft 365 data and generate attacker-controlled HTML.

Streaming-output sanitizer race: AI applications that stream model output into the DOM can be vulnerable if sanitization is applied only to the final completed response. A post-processing wrapper such as <code> may make the final output look safe, but d...

🤖 Agent Actions

Done.

Updated file

  • src/AI/AI-Prompts.md

What I added

  • Parameter-to-Prompt Injection via URL Parameters (P2P)

    • trusted ?q=/deep-link prompt execution
    • one-click authenticated AI abuse pattern
    • operator review notes
  • Streaming Output HTML Race -> Scriptless Exfiltration

    • why final-response sanitization is too late for streamed AI output
    • HTML side-effect tags like <img>
    • chaining with allowlisted-origin CSP bypass and SSRF proxies
    • inline links to:
      • ../pentesting-web/dangling-markup-html-scriptless-injection/README.md
      • ../pentesting-web/content-security-policy-csp-bypass/README.md
      • ../pentesting-web/ssrf-server-side-request-forgery/README.md
  • Added references for:

    • Varonis SearchLeak blog
    • Microsoft CVE page

Why this location

AI-Prompts.md was the best single-file fit because the novel part is the AI-specific injection surface; CSP/SSRF already exist elsewhere and are now cross-referenced instead of duplicated.

Validation

  • Reviewed git diff
  • Attempted mdbook build, but mdbook is not installed in this environment (mdbook: command not found)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
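
Added example (not part of this PR, the HackTricks change, or the Varonis post): a Node.js simulation of the streaming-output sanitizer race summarized under Technical Details in the comment above, with the weak final-only pass beside per-chunk handling. The function names, the frame model and the constructed chunks are assumptions, and plain HTML escaping stands in for whatever sanitizer the application uses.

```javascript
// Each "frame" is the string a browser would parse as HTML at that point in
// the stream. All names here are hypothetical, chosen for illustration.

// Constructed sample: model output arriving in chunks, with one tag split
// across a chunk boundary. example.invalid is a placeholder host.
const CHUNKS = ['Result: <im', 'g src="https://example.invalid/p.png">', ' done'];

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Per-character escaping, so chunk boundaries cannot change the result.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Weak pattern: raw chunks are rendered as they arrive and escaping is
// applied only once the response is complete.
function renderNaive(chunks) {
  const frames = [];
  let buffer = '';
  for (const chunk of chunks) {
    buffer += chunk;
    frames.push(buffer);           // rendered unescaped mid-stream
  }
  frames.push(escapeHtml(buffer)); // final pass, after markup was already live
  return frames;
}

// Hardened pattern: every chunk is escaped before it reaches the sink.
function renderPerChunk(chunks) {
  const frames = [];
  let safe = '';
  for (const chunk of chunks) {
    safe += escapeHtml(chunk);
    frames.push(safe);
  }
  return frames;
}

// Review helper: which frames contain a complete, parseable tag?
function framesWithLiveMarkup(frames) {
  return frames.filter((frame) => /<[a-zA-Z][^>]*>/.test(frame));
}

console.log('naive frames with live markup:', framesWithLiveMarkup(renderNaive(CHUNKS)).length);
console.log('per-chunk frames with live markup:', framesWithLiveMarkup(renderPerChunk(CHUNKS)).length);
```

Both renderers end on the same escaped string, so inspecting only the completed response cannot tell them apart; the difference is visible only in the intermediate frames.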

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://varonis.com/blog/searchleak

Content Categories: Based on the analysis, this content was categorized under "AI Security -> AI Prompts / Prompt Injection; cross-reference Pentesting Web -> Content Security Policy (CSP) Bypass and SSRF".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
