Here are the key details about the “EchoLeak” zero-click exploit targeting Microsoft 365 Copilot as documented by Aim Security, according to the SiliconANGLE article (June 11, 2025):
Full source and more details:
SiliconANGLE: Aim Security details first known AI zero-click exploit targeting Microsoft 365 Copilot
If you’d like further technical breakdowns (like actual markdown payload examples or deep-dive impact details), let me know!
Source: SiliconANGLE Aim Security details first known AI zero-click exploit targeting Microsoft 365 Copilot - SiliconANGLE
What is EchoLeak?
- EchoLeak is the first publicly known zero-click AI vulnerability.
- It specifically affected the generative AI component (Copilot) in Microsoft 365.
- Discovered by Aim Security in January 2025; Microsoft was notified and has since patched the issue.
How did the exploit work?
- LLM Scope Violation: EchoLeak exploited a type of prompt injection called “LLM Scope Violation,” where a large language model is manipulated to leak information outside its intended access.
- Markdown Injection: Attackers could craft an email with malicious markdown using reference-style image and link syntax. This bypassed Microsoft’s Cross-Prompt Injection Attack defenses and Copilot’s usual sanitization.
- For example, the markdown could embed a link or image referencing a trusted Microsoft domain (like SharePoint or Teams) but, when processed, could leak sensitive internal data.
- Automatic, Zero-Click Exfiltration:
- The malicious email did not require anyone to open or click anything. Once Copilot processed the email (as part of its automated workflow), the exploit was triggered automatically.
- As Copilot rendered the content, it issued outbound network requests, including sensitive data, to attacker-controlled infrastructure.
- This happened invisibly—no visual cues, logs, or alerts for system administrators or users.
Impact and Proof-of-Concept
- Attackers could exfiltrate internal memos, strategic documents, or personal identifiers without any user interaction.
- Aim Security published a working proof-of-concept (now safe to disclose since patched).
- No evidence suggests the exploit was used maliciously in the wild.
Security Community Reactions
- Experts warn this has broad implications: attackers don’t need credentials or traditional phishing—they can now manipulate trusted AI interfaces directly.
- Any Retrieval-Augmented Generation (RAG)-based AI that processes untrusted inputs alongside internal data could be vulnerable.
- This indicates a potential architectural flaw in many current AI assistant designs.
Mitigations and Recommendations
- Runtime guardrails, strict input scoping, and strong isolation between trusted/untrusted content are needed at the architectural level.
- Ongoing vigilance is required as AI attack surfaces keep expanding.
Quote Highlights
- “If you didn’t expect something like this to happen, you haven't been paying attention…” – Tim Erlin, Wallarm Inc.
- “They can manipulate a trusted AI interface directly… not limited to Copilot.” – Ensar Seker, SOCRadar
Full source and more details:
SiliconANGLE: Aim Security details first known AI zero-click exploit targeting Microsoft 365 Copilot
If you’d like further technical breakdowns (like actual markdown payload examples or deep-dive impact details), let me know!
Source: SiliconANGLE Aim Security details first known AI zero-click exploit targeting Microsoft 365 Copilot - SiliconANGLE
