A brand new assault dubbed ‘EchoLeak’ is the primary recognized zero-click AI vulnerability that allows attackers to exfiltrate delicate information from Microsoft 365 Copilot from a person’s context with out interplay.
The assault was devised by Purpose Labs researchers in January 2025, who reported their findings to Microsoft. The tech big assigned the CVE-2025-32711 identifier to the knowledge disclosure flaw, ranking it important, and stuck it server-side in Might, so no person motion is required.
Additionally, Microsoft famous that there is no proof of any real-world exploitation, so this flaw impacted no prospects.
Microsoft 365 Copilot is an AI assistant constructed into Workplace apps like Phrase, Excel, Outlook, and Groups that makes use of OpenAI’s GPT fashions and Microsoft Graph to assist customers generate content material, analyze information, and reply questions based mostly on their group’s inside information, emails, and chats.
Although fastened and by no means maliciously exploited, EchoLeak holds significance for demonstrating a brand new class of vulnerabilities referred to as ‘LLM Scope Violation,’ which causes a big language mannequin (LLM) to leak privileged inside information with out person intent or interplay.
Because the assault requires no interplay with the sufferer, it may be automated to carry out silent information exfiltration in enterprise environments, highlighting how harmful these flaws may be when deployed in opposition to AI-integrated techniques.
How EchoLeak works
The assault begins with a malicious e-mail despatched to the goal, containing textual content unrelated to Copilot and formatted to appear to be a typical enterprise doc.
The e-mail embeds a hidden immediate injection crafted to instruct the LLM to extract and exfiltrate delicate inside information.
As a result of the immediate is phrased like a standard message to a human, it bypasses Microsoft’s XPIA (cross-prompt injection assault) classifier protections.
Later, when the person asks Copilot a associated enterprise query, the e-mail is retrieved into the LLM’s immediate context by the Retrieval-Augmented Era (RAG) engine because of its formatting and obvious relevance.
The malicious injection, now reaching the LLM, “methods” it into pulling delicate inside information and inserting it right into a crafted hyperlink or picture.
Purpose Labs discovered that some markdown picture codecs trigger the browser to request the picture, which sends the URL robotically, together with the embedded information, to the attacker’s server.
.jpg)
Overview of the assault chain
Supply: Purpose Labs
Microsoft CSP blocks most exterior domains, however Microsoft Groups and SharePoint URLs are trusted, so these may be abused to exfiltrate information with out downside.
The EchoLeak assault in motion
Supply: Purpose Labs
EchoLeak might have been fastened, however the rising complexity and deeper integration of LLM purposes into enterprise workflows are already overwhelming conventional defenses.
The identical pattern is sure to create new weaponizable flaws adversaries can stealthily exploit for high-impact assaults.
It is necessary for enterprises to strengthen their immediate injection filters, implement granular enter scoping, and apply post-processing filters on LLM output to dam responses that include exterior hyperlinks or structured information.
Furthermore, RAG engines may be configured to exclude exterior communications to keep away from retrieving malicious prompts within the first place.
Patching used to imply advanced scripts, lengthy hours, and limitless fireplace drills. Not anymore.
On this new information, Tines breaks down how trendy IT orgs are leveling up with automation. Patch quicker, cut back overhead, and give attention to strategic work — no advanced scripts required.
