Summary
- Varonis disclosed SearchLeak, a Microsoft 365 Copilot vulnerability chain involving enterprise data exposure.
- The researcher says Microsoft remediated the issue and assigned CVE-2026-42824.
- The case shows how enterprise AI assistants can become aggregation points for email, files, calendar data, and permissions risk.
Varonis has disclosed a Microsoft 365 Copilot vulnerability chain that it says could have allowed sensitive organisational data to be extracted after a user clicked a crafted Microsoft link.
The research, called SearchLeak, centred on Microsoft 365 Copilot Enterprise and the way AI-assisted search can interact with indexed corporate data. Varonis said the chain could expose emails, files, calendar entries, Teams messages, and other information available through Microsoft 365, depending on a user’s permissions and indexed content.
Varonis said Microsoft remediated the issue and assigned CVE-2026-42824. Microsoft’s Security Response Center page for the CVE is available, though the public page provides limited accessible detail through search. Varonis rated the issue as critical and did not report evidence of exploitation in the wild.
The SearchLeak disclosure illustrates a developing class of enterprise AI risk. The exposure does not come from a model producing an inaccurate answer or revealing a prompt directly. It comes from an AI assistant sitting above large volumes of enterprise data, search indexes, permissions, and browser behaviours that may combine into unexpected exfiltration paths.
Microsoft 365 Copilot is designed to work across Microsoft’s productivity environment, where many organisations hold sensitive routine business information. That includes internal emails, attachments, SharePoint files, OneDrive documents, calendar records, meeting notes, and Teams messages. When a copilot can summarise and retrieve across those sources, access governance becomes central to security.
The underlying risk is not unique to Microsoft. Any enterprise AI assistant that can search, summarise, and act across corporate data inherits weaknesses in the environment around it. Over-permissioned files, stale groups, excessive sharing links, weak classification, and poor identity hygiene all become more consequential when a model can make buried information easier to find and combine.
SearchLeak also shows how familiar components can form a new attack path when AI is introduced. Web links, browser behaviour, search results, hidden instructions, and data access controls are not novel on their own. Combined with an AI assistant that processes indexed organisational data, they create a surface that conventional application security reviews may not fully cover.
Copilot deployments therefore need to sit alongside data governance work. Before broad enablement, organisations need to understand what information Copilot can access, which users have excessive permissions, where sensitive files are exposed, and whether monitoring can detect unusual AI-assisted retrieval or movement of data. Remediation after deployment is possible, but the reachable data set may already be large.
Regulated organisations also need to consider how AI assistants interact with legal, privacy, confidentiality, financial, and sector-specific obligations. If a vulnerability or misconfiguration allows data to be retrieved in unexpected ways, the issue may sit with compliance, risk, legal, and data protection teams as well as security engineering.
Microsoft’s remediation reduces the immediate technical exposure described by Varonis. The wider control challenge remains. Enterprise AI systems are being layered over collaboration platforms that were not always governed with AI-scale retrieval in mind. SearchLeak shows that access control, data minimisation, logging, and vulnerability management need to be part of AI adoption before assistants become default interfaces to corporate knowledge.





