AI Navigate
アップデート最新記事AI大全カオスマップ
共有:
Security Vulnerability · Microsoft Copilot

One link click
leaks internal data

A chained attack called SearchLeak (CVE-2026-42824) in M365 Copilot was disclosed and patched. The chain — prompt injection → HTML race condition → SSRF — lets an attacker exfiltrate internal data with a single link click. Microsoft patched it server-side.

AI Navigate Editorial·2026.06.17·6 min read
Prompt injection HTML race condition SSRF internal request Internal data exfiltrated Triggered by a single click on a link the attacker planted
01
How the Attack Chain Works

Three stages,
completed by a single click

SearchLeak is not a simple vulnerability — it's a three-stage chain. Stage one: malicious content prepared by the attacker triggers a prompt injection in Copilot. Stage two: a race condition in the resulting HTML allows the request to be disguised as coming from a trusted domain. Stage three: SSRF (Server-Side Request Forgery) lets the attacker access internal organizational resources and exfiltrate data.

The only user action required is clicking a link. A single link in a phishing email or a malicious document is enough to complete the entire attack.

02
Fix Status and Remaining Risk

Server-side patch applied —
but the structural problem remains

This CVE is patched. But the underlying architecture — an LLM acting on behalf of users while processing untrusted external content with access to internal resources — hasn't changed.

Fixed CVE-2026-42824 Microsoft server-side patch applied Ongoing challenge LLM processing external content with internal resource access
FIG. This CVE is patched. The architecture that makes it possible — LLM agents processing external input while holding internal access — remains.

M365 Copilot's "SearchLeak" (CVE-2026-42824) disclosed: prompt injection → HTML race condition → SSRF chain exfiltrates internal data via a single link click. Microsoft patched it server-side. Expect similar chained attack patterns to appear again as Copilot adoption grows.

03
What to Check Now

Verify your tenant
has the patch

Microsoft applied the patch server-side, and most tenants are protected automatically. However, self-hosted Copilot deployments or tenants with custom configurations may differ. Check the M365 admin center to confirm patch status for your environment.

The longer-term action is architectural: minimize the scope of external content that Copilot can process, and apply least-privilege principles to the internal resources Copilot can access. Chained attack patterns like this one will continue to emerge as LLM agent capabilities expand — treat this as a signal to review your Copilot security model now rather than after the next CVE.

AI Navigate — Daily Update · 2026.06.17