EchoLeak: The Critical AI Security Flaw Reshaping Enterprise Data Protection

Microsoft 365 Copilot, Microsoft’s generative AI assistant that has garnered headlines for revolutionizing enterprise productivity, recently faced its most sobering security reckoning yet with the disclosure of “EchoLeak”—a vulnerability so novel, insidious, and systemic that it redefines what it means to secure AI in the workplace. This critical flaw, cataloged as CVE-2025-32711 and patched by Microsoft in May 2025, was not just a technical glitch: it was an AI-enabled data breach “on demand,” executed without the victim’s awareness or interaction, and facilitated entirely by the intelligence and autonomy that made Copilot so compelling in the first place.

The Anatomy of EchoLeak: When AI Turns the Keys on Its Own Data​

At the heart of the EchoLeak vulnerability is a technique security researchers from Aim Security call an “LLM Scope Violation.” The attack exploits the core value proposition of tools like Microsoft 365 Copilot: broad and dynamic access to enterprise data. Copilot is designed to answer user queries by fetching information from emails, OneDrive files, SharePoint, Teams messages, and more. But with EchoLeak, this power was repurposed by attackers.

How the Exploit Worked​

• Entry Vector: The attacker sends a benign-looking email to any address within the target organization. This email is crafted to resemble standard business communication and contains hidden instructions, phrased in business-like natural language rather than anything overtly technical or suspicious.
• Classifier Evasion: Microsoft deploys XPIA classifiers, AI-based filters designed to recognize and block prompt injection attempts. However, EchoLeak sidestepped these by embedding instructions as “helpful” or “informative” statements to the user, not the AI, thereby evading detection.
• Markdown Magic: The exploit weaponized obscure details of Markdown formatting—specifically, reference-style links and images. By encoding data in these elements and leveraging the way Copilot processes and summarizes information, attackers could create links that survived Microsoft’s link-redaction and sanitization routines.
• Zero-Click Exfiltration: Critically, the exploit did not require the user to click anything. Merely having Copilot process a related query caused the AI to combine the attacker’s email (now part of the user’s data context) with relevant internal information. Copilot would then, following malicious hidden instructions, extract sensitive internal data and embed it inside an image or link targeted at an external server.
• CSP Bypass: To further elude browser-based security, attackers leveraged Microsoft services trusted by corporate firewalls, such as SharePoint and Teams, to proxy exfiltration attempts—effectively laundering sensitive information through legitimate Microsoft infrastructure.

This was a “zero-click” attack in that victims did not need to open the email or interact with Copilot in any specific way. If their AI assistant, in its routine scanning and response generation, referenced the maliciously seeded email as context for a user query, the exploit triggered and data flowed out quietly.

The Innovation: RAG Spraying and Scope Violation​

A key weaponization approach described by Aim Security is “RAG spraying.” This involves seeding the malicious email with a variety of business topics and formats, increasing the likelihood that any future query (regardless of how innocuous) would cause Copilot’s Retrieval-Augmented Generation (RAG) engine to call on the malicious email for context. This increases the attack’s odds “by volume or by chunk,” as attackers can bombard the target’s mailbox with many short, varied emails or one excessively long one that the AI auto-chunks during context ingestion.
The core innovation—and danger—of EchoLeak is that prompt manipulation happens indirectly and at scale. The attacker does not need to steal credentials, exploit classic software bugs, or hope for user error. Instead, they rely on the AI’s broad, automated ingestion of untrusted external and internal data—a silent, credential-less exfiltration risk hiding in plain sight.

Real-World Blast Radius: When “Least Privilege” Is Only a Myth​

Because Copilot operates with the user’s permissions, EchoLeak did not need to breach organizational boundaries in the classic sense. Instead, it used the user’s own access rights to pull privileged information into the context—a summary, file content, API key, or sensitive internal link—and then exfiltrate it. This capability challenges the very premise of “least privilege” and “role-based access controls,” as human actors are typically trusted to distinguish between internal and external sources, but generative AI unwittingly merges the two.
Organizations affected by EchoLeak included any using Microsoft 365 Copilot with its default settings—essentially, most enterprise customers who had moved rapidly to adopt AI across their digital workspaces for productivity gains.

Discovery, Disclosure, and Microsoft’s Response​

Aim Security uncovered the vulnerability in January 2025 and responsibly disclosed it to Microsoft. The company at first deemed the issue low-severity, but after Aim Security demonstrated how the flaw could compromise even the most privileged data stores silently, Microsoft reprioritized the issue and assigned it critical (CVSS 9.3/10) status.

• Patch Deployment: Microsoft issued a silent, server-side fix in May 2025, later publicly acknowledging the issue under the identifier CVE-2025-32711.
• Scope of Impact: Microsoft stated that no customers were impacted and the vulnerability was not exploited in the wild prior to remediation. Users did not need to take any direct action, as mitigation was carried out centrally.
• Transparency: Microsoft published guidance and thanked researchers for their responsible disclosure process. It also highlighted new controls and monitoring enhancements as part of its ongoing AI security push.

A New Era of Threats: LLM Scope Violations and Beyond​

Why EchoLeak Is a Watershed Moment​

EchoLeak is not “just another” bug in an expanding threat landscape—it highlights a dangerous new paradigm in enterprise security: the LLM Scope Violation. This differs from classic prompt injection, which requires user input or active manipulation. Instead, it exploits the very design principles that fuel powerful AI assistants in the modern workplace:

• Dynamic External/Internal Context Blending: RAG-based AIs like Copilot ingest data from trusted and untrusted sources into one context window.
• Semantic Ambiguity: Clever attacks exploit the ambiguity of human language, camouflaging malicious intent inside what looks like onboarding documents, HR guides, or generic business processes.
• Invisible Automation: The AI itself performs the “clicking”; the user remains out of the loop, so attack detection becomes exponentially harder.

The Broader Security Context​

The EchoLeak incident is the first reported case of a truly “zero-click” LLM exploit chain, but it likely won’t be the last. Similar vulnerabilities are being actively researched by adversaries, with areas like “tool poisoning” (where adversaries manipulate every aspect of multi-tool AI schemas), ASCII smuggling, and classic command injection now forming a complex web of new threat vectors.
Other recent research has demonstrated how RAG-based enterprise AIs can be induced to reveal sensitive data via hidden Unicode or ASCII characters, or by abusing the natural language of internal workflows. Companies including Microsoft, Google, and OpenAI are now recognized as prime targets as the attack surface expands well beyond operating systems or classic SaaS boundaries.

The Business and Security Trade-Offs of Autonomous AI​

Microsoft’s rapid Copilot expansion—announcing its “Wave 2 Spring” suite, introducing Copilot Vision, and moving Copilot from enterprise to consumer tiers—was already a calculated strategic gamble. The race to infuse every productivity touchpoint with AI creates both competitive advantage and a wider, less-understood attack surface.
Strengths Noted in Microsoft’s Response:

• Rapid, Coordinated Response: Microsoft’s security team moved quickly to patch, assign a CVE, and communicate details, winning praise in the industry.
• Layered Defenses (Albeit Imperfect): Efforts to enhance XPIA classifiers, refine markdown/link-handling routines, and upgrade CSP procedures demonstrate a willingness to learn and adapt.
• Collaboration and Transparency: The open dialogue with security researchers signals Microsoft’s understanding that future zero-days could surface at any time and must be met quickly.

Systemic Risks and Weaknesses Exposed:

• AI Data Boundaries Are Fragile: Copilot’s wide context windows, while useful, are inherently dangerous. Traditional security controls—permissions, filtering, even rigorous role definitions—become porous when an AI agent acts on behalf of a user across multiple data lakes.
• Prompt Injection Evasion at Scale: Unlike classic IT exploits, LLM-based prompt attacks are as easy to couch in innocuous business speak as in code, making rule-based detection nearly impossible.
• Toolchain and Markdown Insecurity: The exploitability of standard formats like Markdown points to a need for both new AI-aware filtering tools and a reset in how organizations treat data ingestion and rendering by AI systems.

Mitigation: What Enterprises Must Do Now​

The lessons from EchoLeak are immediately actionable:

• Minimum Necessary Permissions: Review AI tool privileges and data access pipelines. The principle of least privilege—while never perfect—must be rigorously applied.
• Regular Security Audits: Ensure ongoing penetration testing, including prompt-injection and context-leakage attack scenarios, not just classic exploits.
• AI and User Awareness Training: Employees should understand the risks of interacting with AI, including the potential for benign content to be subtly weaponized by adversaries.
• Collaborative Research Engagement: Partner with threat intelligence communities and stay abreast of the latest AI security developments, as adversaries are moving rapidly and collaboratively themselves.

Industry-wide Implications and the Way Forward​

While Microsoft patched EchoLeak and no exploitation has been verified in the wild, the problem is more fundamental and stretches beyond Microsoft 365 Copilot. The same architecture that empowers AI assistants in Google Workspace, Slack, Salesforce, or custom enterprise bots could be leveraged similarly if not scrutinized deeply and continuously.
AI security is rapidly becoming its own specialty, distinct from general cloud or SaaS risk management. The era of “zero-click” LLM exploits is upon us, and the models themselves—their context-memory, logic for blending untrusted and internal data, and even their output summarization—must be treated as critical risk surfaces.
Microsoft’s swift patching and responsible disclosure response set a positive precedent. Still, the EchoLeak episode stands as a stark warning: as organizations accelerate their irreversible shift towards autonomous and agentic AI, vigilance, architectural skepticism, and a new wave of “LLM-aware” mitigations must become core to every enterprise security practice.
Organizations aiming for productivity breakthroughs via AI must invest equally in security innovation—or risk awakening to find their greatest new asset has also become their most efficient adversary. EchoLeak may be closed, but the age of AI exploitation has only just begun.

---

Source: WinBuzzer Microsoft 365 Copilot: Critical 'EchoLeak' Flaw Turned Microsoft's Own AI Into Data Thief - WinBuzzer