// Alert

Microsoft 365 threat report

Varonis disclosed SearchLeak (CVE-2026-42824), a three-stage vulnerability chain in Microsoft 365 Copilot Enterprise combining parameter-to-prompt injection, HTML rendering race conditions, and CSP bypass via Bing SSRF. The flaw enables one-click exfiltration of emails, MFA codes, calendar items, SharePoint and OneDrive files. Microsoft assigned critical severity and patched the issue.

// Get alerts for Microsoft 365