Critical vulnerability in Microsoft 365 Copilot AI called EchoLeak enabled data exfiltration
Take action: Read how this flaw is exploited in detail. Be aware that similar attacks WILL happen across ALL AI integrated tools worldwide. So be very careful about content that looks like instructions to do something which makes little sense to you. If not needed, fully delete such content and report it to your admins so it's possibly not loaded into the AI.
Learn More
Microsoft is reporting a critical security vulnerability in its Microsoft 365 Copilot AI assistant that represents the first documented zero-click attack against an artificial intelligence agent.
This vulnerability, is called "EchoLeak" and tracked as CVE-2025-32711 (CVSS score 9.3). It allowed attackers to silently exfiltrate sensitive organizational data.
EchoLeak exploits what researchers term an "LLM Scope Violation," a new class of vulnerability where a large language model can be manipulated into accessing and leaking privileged data beyond its intended authorization scope.
An attacker sends a specially crafted email to a target user containing hidden prompt injection instructions formatted to appear as normal business correspondence. The malicious payload is designed to bypass Microsoft's Cross-Prompt Injection Attack (XPIA) classifier protections by addressing instructions to the email recipient rather than the AI model directly. When the target user later queries Microsoft 365 Copilot about topics related to the email content, the Retrieval-Augmented Generation (RAG) engine automatically retrieves and processes the malicious email as relevant context.
Once the hidden instructions reach the AI model's processing context, they trick Copilot into extracting sensitive internal data and embedding it into crafted URLs or markdown image links. The vulnerability uses Microsoft Teams' link preview functionality through the "/urlp/v1/url/content" endpoint to bypass content security policies that normally block external domains. When the AI generates responses containing these malicious links, the browser automatically requests the embedded images, transmitting the stolen data as URL parameters to the attacker's external server.
Attackers can automate the data exfiltration process without relying on user interaction such as clicking malicious links or downloading files. All attackers need to do is send multiple emails covering various relevant topics such as employee onboarding materials, human resources FAQs, or management procedures.
The vulnerability was discovered by security researchers at Aim Security (also known as Aim Labs) in January 2025 and reported responsibly to Microsoft through their Security Response Center. Microsoft implemented server-side fixes in May 2025. No customer action is required to resolve the issue. Microsoft claims that there is no evidence of real-world exploitation of this vulnerability.
