What is the Microsoft Copilot SearchLeak flaw? SearchLeak, tracked as CVE-2026-42824, is a now-patched one-click vulnerability in Microsoft 365 Copilot Enterprise Search that let an attacker quietly pull emails, calendar entries, and SharePoint and OneDrive files out of a victim's tenant after a single click on a trusted microsoft.com link. Disclosed by Varonis Threat Labs in June 2026 and mitigated by Microsoft on the back end, it is a wake-up call for any commercial real estate firm that runs confidential deal data through Microsoft 365. Understanding the Copilot SearchLeak vulnerability is now part of basic AI real estate due diligence on the tools your own firm uses.
Key Takeaways
- SearchLeak (CVE-2026-42824) was a critical, now-patched one-click flaw in Microsoft 365 Copilot Enterprise Search disclosed by Varonis in June 2026.
- A single click on a legitimate microsoft.com link could exfiltrate emails, calendar entries, files, and even live multifactor codes, with no malware and no second click.
- Microsoft fixed it server-side, so no customer action was required, and Varonis reported only a proof-of-concept with no evidence of real-world exploitation.
- CRE firms are squarely exposed because rent rolls, offering memoranda, LP information, and NDAs live inside Outlook, SharePoint, and OneDrive.
- The lasting lesson is that AI assistants are now part of your attack surface and belong in your AI governance and vendor due diligence.
What SearchLeak Was and How It Worked
SearchLeak was a chained exploit that turned Microsoft 365 Copilot Enterprise Search into a silent data exfiltration channel. No single bug did the damage; Varonis combined three weaknesses into one click. The result earned Microsoft's critical severity rating, with CVSS scores of 6.5 from Microsoft and 7.5 from the National Vulnerability Database.
The chain started with a parameter-to-prompt injection: Copilot Enterprise Search accepts a search query through a URL parameter, and an attacker crafted that parameter to instruct Copilot to search the victim's mailbox and data. An HTML rendering race condition then let an attacker-controlled image tag fire before output was sanitized. Finally, a content security policy bypass used Bing's image-fetching service, which the policy allowlists, as an unwitting proxy to send the stolen data to the attacker's server. From the victim's side, Copilot simply appeared to think for a moment. Because the link pointed to a real microsoft.com domain, standard anti-phishing and URL filtering tools were unlikely to flag it. The technical write-ups from The Hacker News and BleepingComputer detail the full chain.
Why CRE Firms Are Squarely in the Blast Radius
CRE firms are directly exposed to a flaw like SearchLeak because their most sensitive information lives inside exactly the systems Copilot Enterprise Search can reach. The modern commercial real estate firm runs on Microsoft 365: deal teams negotiate in Outlook, store offering memoranda and due diligence in SharePoint, and keep models and rent rolls in OneDrive. Copilot Enterprise can access whatever the signed-in user can, so an exfiltration flaw inherits that reach.
Consider what an attacker could have pulled: a confidential rent roll with tenant details, a draft offering memorandum, limited partner contact and commitment information, NDA-bound deal documents, or wiring instructions sitting in an email thread. For a firm mid-transaction, that is material nonpublic information and a breach of investor confidentiality in one click. Picture a sponsor closing a 40 million dollar industrial portfolio: the rent roll, the lender term sheet, and the limited partner subscription details might all sit in the same mailbox that a single crafted link could have reached, and a leak of any one of them could derail the deal or trigger a disclosure obligation. This is the same data you work hard to protect inside AI virtual data rooms for CRE deals, which is precisely why a vulnerability in the assistant that sits on top of that data is a CRE problem, not just an IT problem.
What CRE Investors Should Do Now
The immediate fix is already done, since Microsoft mitigated SearchLeak server-side, but the right response for a CRE firm is to harden how it governs AI assistants generally. The specific flaw is closed; the category is not. Treat this as the prompt to put real controls around Copilot and any AI tool touching deal data.
- Confirm tenant hygiene: Verify your Microsoft 365 tenant is current and that admins monitor Copilot Search activity for unusual encoded queries or outbound requests.
- Apply least privilege: Reduce the data each user, and therefore Copilot, can reach, so a single compromise exposes less.
- Scope data loss prevention to AI: Most firms have not configured DLP to watch AI assistant activity, which is the gap SearchLeak exploited.
- Add AI tools to vendor due diligence: Ask vendors how they handle prompt injection, data access, and incident disclosure before adopting a tool.
- Write it into policy: Make AI assistant security part of your written AI governance, not an afterthought.
This belongs inside your broader risk framework, which we cover in our guide on AI risk assessment for commercial real estate investments. Firms that want help building an AI governance and security policy that covers tools like Copilot can reach out to The AI Consulting Network.
The Bigger Pattern: AI Assistants Are Part of Your Attack Surface
The real lesson of SearchLeak is that AI assistants are now part of your attack surface and need to be governed as such. Varonis noted that SearchLeak follows the same pattern as its earlier Reprompt attack on Copilot Personal and the 2025 EchoLeak zero-click flaw (CVE-2025-32711). The new ingredient in all of them is prompt injection, which revives old web attack classes like server-side request forgery and sanitizer races by making them reachable through an AI.
For CRE leaders, the takeaway is not to abandon AI; the productivity case is too strong, and adoption across the industry keeps climbing. The takeaway is that the same diligence you apply to a tenant, a lender, or a counterparty now applies to the AI tools embedded in your operations. Ask how they fail, who discloses problems, and what data they can touch. CRE investors who want hands-on help evaluating and governing their AI stack can connect with Avi Hacker, J.D. at The AI Consulting Network, which specializes in exactly this.
Frequently Asked Questions
Q: Do I need to do anything to fix the Microsoft Copilot SearchLeak flaw?
A: No direct action is required. Microsoft mitigated SearchLeak (CVE-2026-42824) server-side, so all Copilot-enabled tenants were protected without a client-side patch. The right follow-up is to review how your firm governs and monitors AI assistant access to sensitive data.
Q: Was any commercial real estate data actually stolen through SearchLeak?
A: There is no evidence of real-world exploitation. Varonis disclosed a proof-of-concept after Microsoft had patched the flaw, and reported no observed attacks in the wild. The risk was the potential exposure of email, calendar, SharePoint, and OneDrive data had it been exploited.
Q: Should CRE firms stop using Microsoft 365 Copilot?
A: No. The flaw is patched, and the productivity benefits remain significant. The prudent response is to apply least-privilege access, scope data loss prevention to AI activity, and add AI tools to your vendor due diligence, rather than abandoning the tool.
Q: What does SearchLeak teach about AI governance for real estate?
A: It shows that AI assistants are part of your attack surface. Any tool that can read your emails, files, and deal documents needs the same diligence you apply to other counterparties, including questions about prompt injection defenses, data access scope, and incident disclosure.