This is SearchLeak, June 16 -- one that pointed to a real Microsoft domain, the kind of address every corporate security filter learns to trust. Within seconds, Microsoft 365 Copilot had quietly scanned their mailbox, extracted email subjects and one-time authentication codes, and routed that data out through Bing's own servers. From the victim's screen, Copilot appeared to simply be thinking.

and the pattern is becoming hard to dismiss as coincidence.

Microsoft assigned the flaw CVE-2026-42824 and rated it critical. The National Vulnerability Database assigned a CVSS severity score of 7.5; Microsoft's own scoring came in at 6.5. That gap - two authoritative bodies looking at the same vulnerability and reaching different conclusions - c...