A recently disclosed vulnerability in Microsoft’s enterprise AI assistant, Copilot for Microsoft 365, revealed a serious zero-click exploit that could allow attackers to exfiltrate sensitive user data—without any user interaction.
Highlights
- Zero-Click Data Breach: EchoLeak allowed attackers to extract data via Copilot without the user opening or interacting with content.
- Prompt Injection via Metadata: Malicious instructions embedded in emails, Teams messages, and image tags triggered Copilot actions silently.
- Exploited Copilot’s Agentic Behavior: The AI assistant’s ability to perform tasks autonomously was hijacked to leak cloud data like OneDrive files.
- Assigned Critical CVE: Labeled CVE-2025-32711, the exploit received a CVSS score of 9.3—placing it among the most severe AI threats to date.
- Patched but Eye-Opening: Microsoft issued a server-side fix in May 2025, thanking Aim Security for responsible disclosure.
- Invisible & Scalable: Attacks leveraged trusted Microsoft domains to evade detection and scale the breach silently.
- Enterprise Exposure Risk: Default Copilot settings exposed sensitive enterprise data pipelines to manipulation without user awareness.
- Calls for Rethinking AI Guardrails: Microsoft now emphasizes DLP controls and verified input handling to prevent future prompt injection threats.
- AI Inputs = Security Risks: Emails, chats, and images must be treated as untrusted by design to prevent AI misuse.
The exploit, dubbed EchoLeak by cybersecurity firm Aim Security, highlights the growing risks tied to AI-powered productivity tools and their integration with sensitive enterprise data systems.
Prompt Injection Without Interaction
The EchoLeak exploit, which has now been patched by Microsoft, stemmed from Cross-Prompt Injection Attacks (XPIA)—a subclass of prompt injection that manipulates AI behavior by passing malicious instructions across various message formats and platforms.
In this case, attackers were able to embed malicious prompts into emails, image metadata, and Microsoft Teams messages, which Copilot interpreted automatically, even when the content wasn’t opened or interacted with by the user.
In a proof-of-concept, researchers demonstrated that sending a plain-text email could trigger Copilot to retrieve OneDrive files and forward them to a remote server—entirely in the background.
Copilot’s Agentic Behavior
The vulnerability capitalized on Copilot’s agentic capabilities—its ability to perform actions on behalf of the user, such as accessing cloud documents or generating summaries.
While this functionality is central to Copilot’s utility, it also creates a new surface for exploitation when combined with prompt ingestion from untrusted sources.
Aim Security reported that the exploit could operate in both single-turn (a single prompt) and multi-turn (ongoing dialogue) conversations, increasing the complexity of detection.
In some simulations, Copilot even prioritized leaking the most contextually relevant or sensitive information available, amplifying the impact of the breach.
Microsoft Response and Vulnerability Patch
Microsoft acknowledged the issue in a public statement, confirming that it had deployed a server-side patch in May 2025. The flaw was assigned CVE-2025-32711, with a critical CVSS score of 9.3, marking it as one of the highest-severity threats reported against a major AI assistant to date.
The company thanked Aim Security for its responsible disclosure and stated that no users were affected during the window of vulnerability. Nonetheless, the case has sparked renewed scrutiny on AI security in enterprise environments.
How EchoLeak Worked: Breakdown of Exploit Mechanics
According to Aim Security’s technical analysis, EchoLeak combined multiple vectors to bypass safeguards and extract information silently:
1. LLM Scope Violation
Copilot treated attacker-supplied prompts as trusted context and executed them as part of its workflow.
2. Cross-Prompt Injection
Instructions embedded in seemingly harmless metadata—such as image alt text or Markdown links—were parsed by Copilot when queried or displayed in natural conversation.
3. Silent Exfiltration
Data was passed through auto-fetched URLs from trusted Microsoft domains (e.g., SharePoint or Teams), making the activity invisible to both users and many security filters.
The combination of these elements made the attack both automated and scalable, representing a novel category of zero-click AI vulnerabilities.
Implications for AI Security in Enterprise Tools
The EchoLeak vulnerability underscores a broader risk: any AI system that combines retrieval-augmented generation (RAG) with access to sensitive documents could become a target for adversaries.
Enterprises using default Copilot configurations were potentially exposed prior to the patch rollout.
- AI guardrails need rethinking: Microsoft is now promoting data loss prevention (DLP) features and stricter sensitivity labels to help mitigate such risks.
- Prompt injection is no longer theoretical: The attack serves as proof that prompt-based exploits can operate silently and at scale.
- Secure AI requires secure inputs: Inputs like emails, images, and chat messages must be treated as untrusted unless explicitly verified.
AI Expansion and Security Growing Pains
The disclosure comes at a time when Microsoft is rapidly expanding Copilot’s footprint across its ecosystem, from Office applications to Teams and even gaming platforms like Xbox.
While these integrations offer improved productivity and user experience, they also increase the complexity of securing AI agents that operate autonomously.
As AI tools continue to gain autonomy and contextual intelligence, incidents like EchoLeak highlight the importance of embedding security at every layer—from model behavior to input sanitation and cloud access policies.
