Here are the key details about the “EchoLeak” zero-click exploit targeting Microsoft 365 Copilot as documented by Aim Security, according to the SiliconANGLE article (June 11, 2025):
What is EchoLeak?
EchoLeak is the first publicly known zero-click AI vulnerability.
It specifically affected the generative AI component (Copilot) in Microsoft 365.
Discovered by Aim Security in January 2025; Microsoft was notified and has since patched the issue.
How did the exploit work?
LLM Scope Violation: EchoLeak exploited a type of prompt injection called “LLM Scope Violation,” where a large language model is manipulated to leak information outside its intended access.
Markdown Injection: Attackers could craft an email with malicious markdown using reference-style image and link syntax. This bypassed Microsoft’s Cross-Prompt Injection Attack defenses and Copilot’s usual sanitization.
For example, the markdown could embed a link or image referencing a trusted Microsoft domain (like SharePoint or Teams) but, when processed, could leak sensitive internal data.
Automatic, Zero-Click Exfiltration:
The malicious email did not require anyone to open or click anything. Once Copilot processed the email (as part of its automated workflow), the exploit was triggered automatically.
As Copilot rendered the content, it issued outbound network requests, including sensitive data, to attacker-controlled infrastructure.
This happened invisibly—no visual cues, logs, or alerts for system administrators or users.
Impact and Proof-of-Concept
Attackers could exfiltrate internal memos, strategic documents, or personal identifiers without any user interaction.
Aim Security published a working proof-of-concept (now safe to disclose since patched).
No evidence suggests the exploit was used maliciously in the wild.
Security Community Reactions
Experts warn this has broad implications: attackers don’t need credentials or traditional phishing—they can now manipulate trusted AI interfaces directly.
Any Retrieval-Augmented Generation (RAG)-based AI that processes untrusted inputs alongside internal data could be vulnerable.
This indicates a potential architectural flaw in many current AI assistant designs.
Mitigations and Recommendations
Runtime guardrails, strict input scoping, and strong isolation between trusted/untrusted content are needed at the architectural level.
Ongoing vigilance is required as AI attack surfaces keep expanding.
Quote Highlights
“If you didn’t expect something like this to happen, you haven't been paying attention…” – Tim Erlin, Wallarm Inc.
“They can manipulate a trusted AI interface directly… not limited to Copilot.” – Ensar Seker, SOCRadar