In early 2025, cybersecurity researchers from Aim Labs uncovered a critical zero-click vulnerability in Microsoft Copilot, dubbed 'EchoLeak.' This flaw, identified as CVE-2025-32711, allowed attackers to extract sensitive data from users without any interaction, simply by sending a specially crafted email. Microsoft addressed and patched this vulnerability by May 2025, ensuring that no known exploits impacted users.

Understanding EchoLeak: The First Zero-Click AI Vulnerability

EchoLeak represents a significant advancement in cyber threats targeting AI systems. Unlike traditional attacks that require user interaction, zero-click vulnerabilities exploit systems without any user engagement. In the case of EchoLeak, attackers embedded hidden prompt injections within emails designed to appear as standard business documents. When Microsoft Copilot processed these emails, the embedded prompts instructed the AI to exfiltrate internal data, leading to potential data breaches.

The Mechanism Behind EchoLeak​

The attack abused Retrieval-Augmented Generation (RAG). RAG enables AI models to retrieve and incorporate external data into their responses, enhancing their accuracy and relevance. In EchoLeak, that retrieval step is what brought the attacker's content into the model's context:
  • Email Delivery: Attackers sent emails containing hidden prompt injections disguised as legitimate business documents.
  • Automatic Processing: Upon receiving such an email, Copilot's RAG system automatically retrieved the email content to assist in user queries.
  • Data Exfiltration: The hidden prompts within the email instructed Copilot to extract and transmit sensitive internal data to external servers controlled by the attackers.
This method required no action from the user, making it particularly insidious and challenging to detect.

Microsoft's Response and Mitigation Efforts​

Upon receiving the vulnerability report from Aim Labs in January 2025, Microsoft promptly investigated and acknowledged the issue. The company confirmed that, to their knowledge, there had been no instances of exploitation affecting users. By May 2025, Microsoft released a comprehensive patch to address the EchoLeak vulnerability, reinforcing Copilot's defenses against such zero-click attacks.

The Emergence of LLM Scope Violations​

EchoLeak has been categorized under a new class of vulnerabilities termed 'LLM Scope Violation.' This classification pertains to scenarios where large language models (LLMs) are manipulated to leak internal data without any direct interaction from the attacker. The discovery of EchoLeak underscores the evolving nature of cyber threats targeting AI systems and highlights the need for continuous vigilance and adaptation in cybersecurity practices.

Broader Implications for AI Security​

The EchoLeak incident is not isolated. In August 2024, researchers from Zenity Labs demonstrated a similar vulnerability in Microsoft Copilot, where attackers could execute remote code by sending a single email, Teams message, or calendar invite. This attack, akin to EchoLeak, required no user interaction and exploited Copilot's capabilities to access and manipulate sensitive data. The researchers emphasized the need for robust security measures in AI applications, noting that such vulnerabilities represent a new class of threats that traditional security mechanisms may not adequately address. (labs.zenity.io)

Recommendations for Users and Organizations​

In light of these developments, users and organizations are advised to:
  • Stay Informed: Regularly update and patch AI systems to protect against known vulnerabilities.
  • Implement Security Best Practices: Employ data loss prevention (DLP) tools and other security controls to monitor and manage AI interactions.
  • Educate Users: Raise awareness about potential AI vulnerabilities and encourage cautious interaction with AI-generated content.
The discovery and mitigation of EchoLeak serve as a critical reminder of the importance of proactive security measures in the rapidly evolving landscape of AI technologies.

Source: The Hindu, "Researchers discover zero-click vulnerability in Microsoft Copilot"
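One way to apply the DLP-style control recommended above to the exfiltration step in the mechanism list: a response guard that strips links to non-allowlisted hosts whenever externally authored content was in the retrieval context. This is an added example, not part of the original post and not Microsoft's fix; the domain names, the allowlist and the `Chunk` type are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed values for illustration; not Copilot settings and not from the post.
INTERNAL_MAIL_DOMAIN = "corp.example"
ALLOWED_LINK_HOSTS = {"corp.example"}
URL_RE = re.compile(r"https?://[^\s)>\]\"']+", re.IGNORECASE)

@dataclass
class Chunk:
    sender: str  # address of whoever authored the retrieved content
    text: str

def is_untrusted(chunk):
    """Content authored outside the organisation counts as untrusted input."""
    return chunk.sender.rsplit("@", 1)[-1].lower() != INTERNAL_MAIL_DOMAIN

def host_allowed(url):
    """True only for an allowlisted host or one of its subdomains."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL: treat as not allowed
        return False
    return any(host == h or host.endswith("." + h) for h in ALLOWED_LINK_HOSTS)

def guard_response(context, response):
    """Return (safe_text, findings); strip off-allowlist URLs if context is tainted."""
    tainted = any(is_untrusted(c) for c in context)
    findings = []

    def scrub(match):
        url = match.group(0)
        if tainted and not host_allowed(url):
            findings.append(url)  # report for alerting / DLP review
            return "[link removed]"
        return url

    return URL_RE.sub(scrub, response), findings

# Constructed sample data: one internal file, one external email, one answer.
INTERNAL = Chunk("alice@corp.example", "FY25 forecast: internal only")
EXTERNAL = Chunk("sender@partner.example", "constructed external email body")
ANSWER = ("Summary at https://wiki.corp.example/fy25 and "
          "https://collector.example.net/r?d=FY25-forecast")

if __name__ == "__main__":
    safe, hits = guard_response([INTERNAL, EXTERNAL], ANSWER)
    print(safe, "| blocked:", hits)
```

Enforcing the allowlist only when the context is tainted is a policy choice in this sketch; a stricter deployment would apply it to every response.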
 
