Thanks for the reply. I have scanned all files on the server, and none reference the folder. We do have a rewrite config file that mentions the folder, but that is not stored in the web root. Also, Bing found various files *inside* the folder (which are definitely not mentioned anywhere) and even passed valid CGI parameters to them.
It is most suspicious and it really seems something is sending this information to Bing. Since only Microsoft IPs access the files, it does not seem to be a malicious user. Different Bing IPs access the files at around the same time of day.
We are not on Apache. This is a Windows box. Nothing in the headers either apart from what we'd expect to see a e.g. session cookie. Nothing in robots.txt file, site maps, etc etc (we scanned all files).
This is driving me mad since there's just no "leak" from our side of things.