Copilot Bug Let One Click Steal Your 2FA Codes

A critical vulnerability in Microsoft 365 Copilot let attackers quietly steal emails, calendar entries, SharePoint and OneDrive files, and even two-factor authentication codes from a victim's account — all from a single click on a link. Researchers at Varonis Threat Labs, who discovered the flaw and named it SearchLeak, showed that the stolen data could leave a mailbox with no user action beyond that one click. Microsoft has since fixed it server-side under the identifier CVE-2026-42824 and rated it maximum severity, so there is nothing for users to install.

The clever, and unsettling, part is how it worked. SearchLeak chained one AI-specific weakness with two classic web bugs. Copilot's Enterprise Search reads a query straight from the 'q' parameter in a URL and hands it to the model as an executable instruction — a flaw the researchers call parameter-to-prompt injection. While Copilot streamed its answer, attacker-supplied HTML, including an invisible image tag, was briefly rendered live in the page before the security filter could strip it. The browser dutifully tried to load that image from an attacker-controlled server, and the sensitive data rode along in the request. Because the malicious link pointed at a legitimate Microsoft domain, it looked entirely trustworthy.

Why a fixed bug still matters to you

Even though this specific hole is closed, it is a clean illustration of a problem the whole industry keeps tripping over: when you connect an AI assistant to your email, files and calendar, you also hand it a new way to be tricked. Traditional phishing needs you to type a password into a fake page. This needed nothing — no login form, no obvious red flag, just a click on a link that pointed at a real Microsoft address. The old advice to 'check for typos and weird domains' offers no protection when the dangerous instruction is hidden inside a normal-looking URL and executed by the AI on your behalf.

The bigger pattern

Prompt injection — feeding hidden instructions to an AI through content it reads — is turning out to be the defining security headache of the assistant era, and SearchLeak shows why patches alone won't end it. Every new connector that lets an AI see more of your data widens the blast radius if something slips through. My own take is that the right reflex is the same one good admins already use for permissions: assume any AI tool with broad read access to your accounts is also a broad liability, and limit what it can touch to what it genuinely needs.