In recent developments, cybersecurity researchers have uncovered a critical vulnerability in Microsoft Copilot, an AI-powered assistant integrated into Office applications such as Word, Excel, Outlook, and Teams. Dubbed "EchoLeak," this flaw enables attackers to exfiltrate sensitive data from a user's environment through a simple email, without requiring any user interaction.
Understanding the EchoLeak Vulnerability
The EchoLeak attack exploits the manner in which Microsoft 365 Copilot processes information from emails and documents when responding to user queries. An attacker sends a seemingly innocuous business email embedded with hidden instructions tailored for the AI assistant. When the user later poses a related question, Copilot retrieves the earlier email, interprets the concealed instructions as relevant to the query, and inadvertently executes commands that extract internal data.
This extracted data is then embedded into a link or image within the email. Upon displaying the email, the embedded link is automatically accessed by the browser, transmitting the internal data to the attacker's server without any user awareness. Although Microsoft employs Content Security Policies (CSP) to block requests to unrecognized websites, trusted services like Microsoft Teams and SharePoint can be exploited by attackers to circumvent certain defenses.
The Emergence of LLM Scope Violations
EchoLeak introduces a new category of threats termed Large Language Model (LLM) Scope Violations. These vulnerabilities arise from flaws in how large language models handle and disclose information without explicit user directives. Aim Labs, the team that identified this vulnerability, emphasized the heightened risk in enterprise environments where AI agents are deeply integrated into internal systems.
Microsoft's Response and Mitigation Efforts
Microsoft has acknowledged the severity of the EchoLeak vulnerability, assigning it the identifier CVE-2025-32711. A server-side fix was deployed in May, with the company assuring customers that no exploits had occurred and that the issue has been resolved. Aim Labs' report underscores the challenges posed by the increasing complexity and deeper integration of LLM applications into business workflows, which are overwhelming traditional defenses.
Broader Implications and Related Vulnerabilities
The EchoLeak incident is not isolated. Similar vulnerabilities have been identified in Microsoft Copilot and related AI tools:
- Server-Side Request Forgery (SSRF) in Copilot Studio: Researchers discovered an SSRF vulnerability in Microsoft Copilot Studio, allowing attackers to access internal infrastructure, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances. This flaw, tracked as CVE-2024-38206, has been mitigated by Microsoft. (tenable.com)
- ASCII Smuggling Attacks: A technique known as "ASCII Smuggling" was used to exploit Microsoft 365 Copilot by embedding malicious code within seemingly harmless text using special Unicode characters. This method allowed attackers to exfiltrate sensitive data, such as multi-factor authentication codes, to third-party servers. (scmagazine.com)
- Prompt Injection Vulnerabilities: Research has demonstrated how Copilot's susceptibility to prompt injections enables attackers to manipulate the tool to search for and exfiltrate data or socially engineer victims. Tools like LOLCopilot have been developed to alter chatbot behavior undetected, posing significant security risks. (techtarget.com)
To mitigate the risks associated with such vulnerabilities, users and organizations should:
- Regularly Update Software: Ensure that all Microsoft 365 applications are updated to incorporate the latest security patches.
- Exercise Caution with Emails and Links: Be vigilant when interacting with emails and documents, especially those from unknown or untrusted sources.
- Implement Advanced Threat Detection: Deploy security solutions that can analyze content across multiple communication channels to identify anomalies and hidden malicious patterns.
- Educate Employees: Provide training on emerging threats and best practices for interacting with AI tools like Copilot.
- Monitor AI Tool Behavior: Regularly review AI assistant interactions to detect any unusual behavior or potential security issues.
Source: NewsBytes Hackers could make Copilot leak your data—just by an email
