SearchLeak Is Not a Copilot Bug. It Is How Tool-Using Agents Work.

On June 16, researchers disclosed SearchLeak, a one-click attack chain against Microsoft Copilot that exfiltrated two-factor authentication codes and email content. Microsoft had patched it days earlier, in its June 13 update, as CVE-2026-42824. The coverage treated it as another assistant vulnerability, found and fixed. That framing misses what makes SearchLeak important.

The attack did not exploit a coding mistake that a careful engineer should have caught. It chained together three behaviors that tool-using assistants are designed to have. Strip away the Copilot specifics and you are left with a general property of any AI system that reads outside input, holds access to private data, and renders results. SearchLeak is what that combination does when someone points it at you.

A patch can close a specific exploit. It cannot patch the fact that an assistant which reads the web, touches your data, and renders output is a data-exfiltration engine waiting for the right input.

The kill chain, in plain terms

According to Dark Reading, SearchLeak worked in three moves, each ordinary on its own.

The first was a parameter-to-prompt injection. The attacker placed instructions where Copilot would read them as part of a request, so the assistant treated attacker text as if it were the user's own intent. Tool-using assistants are built to fold external content into their reasoning. That is the feature. It is also the door.

The second was a rendering race condition. The assistant rendered output, including HTML, before the relevant safety checks had fully resolved. For a moment, attacker-controlled markup ran in a context it should never have reached. Assistants render rich output because users want it. The rendering path is where the injected instructions found room to act.

The third was the exfiltration route. The chain abused a server-side request forgery in Bing to move the stolen data out, laundering it through Microsoft's own content security policy so the traffic looked legitimate. The assistant's privileged position, trusted by the very systems meant to contain it, became the getaway car.

One click from the user set the whole thing in motion. No malware, no credential phishing, no obvious tell. The user asked Copilot to do something reasonable, and Copilot, doing what it was built to do, handed an attacker their two-factor codes.

Why a patch does not fix this

Microsoft closed CVE-2026-42824, and that specific chain no longer works. The class behind it remains open, because the three ingredients are not bugs. They are requirements.

An assistant that cannot read external input is not useful. An assistant with no access to your data cannot help with your data. An assistant that cannot render results is a worse interface than the search box it replaced. Every tool-using agent on the market needs all three. The attack surface is not a defect in Copilot's implementation. It is the shape of the product category.

This is why we treat agent security as a structural question rather than a patch queue. The hard problem is not finding the next SearchLeak. The hard problem is that external input, private data access, and output rendering will keep colliding in new ways, and each collision is a fresh exfiltration path. Model alignment does not help here. The model behaved as instructed. The instructions came from an attacker the model had no way to distrust. You cannot align your way out of a trust-model flaw that lives above the model.

We have made a version of this argument about money rather than data, in the identity crisis at the heart of agentic payments. The pattern is the same. An agent that acts on inputs it cannot authenticate, with permissions it cannot scope, will eventually act against its owner. SearchLeak is the data-theft expression of a problem that also shows up as fraud the moment agents move money.

What actually defends against the class

If patches cannot close the category, what does? The answer is to stop trusting the conversation and start enforcing boundaries the assistant cannot talk its way past.

The first move is scoped permission. An assistant should not hold standing access to everything it can technically reach. It should act under a narrow, explicit grant: this data, this action, this duration. When the grant is enforced in code rather than implied by the system prompt, injected instructions have nothing to escalate, because the boundary does not read the chat. This is the same shift we keep describing as moving the rules out of the prompt, the point we made in permission, not payments.

The second is tool-surface inspection. Most assistants now reach external tools and servers, and the trust placed in those tools is the soft underbelly. A tool description, a connected server, a rendering component, each is a place where attacker text can enter the trusted path. Treating that surface as untrusted by default, and scanning what an assistant can reach before it reaches it, is the difference between containing the next SearchLeak and discovering it in a disclosure report.

Neither of these is exotic. Both are unglamorous, and both are missing from most assistants shipping today. The industry built the capability first and is bolting on the governance after the incidents, which is the order that produces SearchLeaks.

What to watch

Watch the cadence of disclosures. SearchLeak will not be the last chain of its kind, because the ingredients are permanent. The useful signal is not whether another one appears. It is whether vendors respond by patching the specific exploit or by changing how their assistants handle trust. The first keeps the category in a patch treadmill. The second is the only thing that bends the curve.

Watch where the assistants have the most access. Copilot reaching email and authentication codes is the high-stakes version. The same architecture sits inside coding assistants that touch source and secrets, and inside commerce agents that touch payment methods. The blast radius scales with the access, and the access is only growing.

SearchLeak got patched, and the headline moved on. The lesson did not. An assistant that reads the world, holds your data, and renders what it finds is doing three things that are individually reasonable and collectively dangerous. Until that is governed at runtime rather than apologized for in a CVE, the next one is already being written.

If the next SearchLeak is in a tool you do not control, what stops it before the patch?

Charlie Major is a Product Development Manager at Mastercard. The views and opinions expressed in Major Matters are his own and do not represent those of Mastercard.