
Critical SearchLeak Flaw in Microsoft 365 Copilot Exposed Sensitive Enterprise Data
The newly disclosed SearchLeak vulnerability in Microsoft 365 Copilot Enterprise gave attackers a pathway to steal sensitive organizational data through a specially crafted URL. The flaw chain, now tracked as CVE-2026-42824, was patched by Microsoft earlier this month and assigned a critical severity rating due to its potential impact.
Security researchers at Varonis discovered the issue by combining three separate weaknesses that, on their own, posed limited risk. Together, however, they enabled attackers to silently extract emails, calendar information, SharePoint documents, OneDrive files, and other indexed enterprise content accessible through Microsoft 365 Copilot Enterpr...