Echoleak: The Zero-Click AI Attack Threatening Enterprise Security in 2025

A sophisticated new threat named “Echoleak” has been uncovered by cybersecurity researchers, triggering alarm across industries and raising probing questions about the security of widespread AI assistants, including Microsoft 365 Copilot and other MCP-compatible solutions. This attack, notable for its “zero-click” vector, turns innocuous-looking emails into secret conduits for extracting highly sensitive enterprise information—without the recipient needing to open or interact with the message in any way. As organizations increasingly rely on generative AI to supercharge productivity, streamline workflow, and condense data silos, Echoleak dramatizes the hidden risks lurking in the shadow of rapid digital transformation.

The Evolution of Zero-Click Attacks​

Zero-click vulnerabilities have been a persistent nightmare in cybersecurity, traditionally focused on mobile platforms like iOS and Android—where attackers could compromise devices through specially crafted messages, calls, or network packets. Echoleak is the first known attack vector to manipulate widely used generative AI by exploiting its own trusted data pipelines, bringing zero-click exploitation into the world of business-oriented AI assistants. The discovery by Aim Security underscores a chilling escalation: even the act of “receiving” an email, not opening or clicking it, can be enough to trigger a full data breach when AI-based automation is abused.

Anatomy of the Echoleak Attack​

At the heart of Echoleak lies a clever manipulation of how AI assistants such as Microsoft 365 Copilot process communications. Microsoft 365 Copilot leverages Retrieval-Augmented Generation (RAG) to enrich responses with context from company files, emails, Teams chats, and OneDrive documents. Although Copilot employs layered security protocols—including robust access controls and prompt filtration—the system is not immune to attacks that exploit overlooked nuances in how it parses and acts on input.

Exploiting the AI’s Trust Boundary​

Aim Security’s research, which reportedly spanned three months, found that adversaries could smuggle malicious instructions—crafted as “prompt injections”—inside emails. These prompts are cleverly designed to bypass Microsoft’s XPIA classifier, a guardrail intended to block suspicious or malicious instructions, and coax the AI into searching for and exfiltrating confidential information.
But Echoleak goes further. Once the AI is manipulated into retrieving sensitive data, there remains a challenge: how does the attacker get that information? Unlike some prior breaches, the target’s internal systems alone are insufficient, since Copilot restricts response visibility to authorized organizational members. Aim Security devised a multi-step strategy: first, tricking the AI into assembling a message or response that includes a link leading to a domain controlled by the attacker.
Yet, asking a human user to click the link would still require user engagement, disqualifying it as truly zero-click. The breakthrough came by identifying routine automation in AI image generation. When the AI is told to include an image with a URL in its response, its underlying systems may attempt to automatically retrieve that image, triggering an outbound connection to the attacker’s server—all without any human interaction. The combined effect is devastating: a zero-click pathway where just receiving a single poisoned email can compromise potentially vast troves of corporate secrets.

Timeline and Microsoft’s Response​

Aim Security reported Echoleak to Microsoft in January 2025. Microsoft implemented a patch in April, but fresh issues cropped up in May, and it ultimately took five full months for a comprehensive fix to roll out to all Microsoft 365 Copilot users. Aim Security CTO Adir Glass has theorized that the delay stemmed from the fundamentally novel nature of the vulnerability: education, internal workflow changes, and deeper architectural reassessments were necessary before a robust solution could be implemented.
Microsoft has since declared that Echoleak threats are remediated within Copilot, but experts agree that the risk persists for other MCP-compatible platforms and any AI-powered system that processes mixed-trust input from external sources.

Critical Analysis: Strengths, Weaknesses, and Open Risks​

Strengths of Modern AI Security Approaches​

• Role-Based Access Control (RBAC): Microsoft’s Copilot, like most enterprise AI systems, defaults to sharing data strictly among authorized members, so sensitive material can’t be accessed externally—at least in theory.
• Prompt Filtration: The XPIA classifier and similar AI safeguards are designed to recognize and block suspicious prompts before they can instigate dangerous actions.
• Ongoing Patch Management: Microsoft’s relatively rapid response (compared to average vulnerability patch timelines) testifies to its agile, dedicated security teams, especially given the attack’s complexity and novelty.

Weaknesses and Design Flaws​

Despite multiple security layers, Echoleak reveals critical gaps:

• Trusting Internal Inputs: AI agents historically lack the ability to distinguish between “trusted” and “untrusted” data, especially when it originates from inside an organization. Because AI reads all inbox emails—including those from unknown or external senders—malicious instructions can be disguised within otherwise routine communications.
• Lack of Contextual Judgment: Unlike human users, AI processes input consistently without discerning intent, increasing susceptibility to nuanced prompt injections.
• Automated Outbound Actions: Processes like auto-fetching images or web resources create unintended “leakage” channels, bridging internal protected data to external threats.
• Classifier Evasion: The technique to bypass the XPIA classifier demonstrates that no ML-driven filter is infallible—determined adversaries with knowledge of the system can develop advanced obfuscation strategies.

Broader Implications for AI-Powered Workflows​

Glass’s provocative analogy—comparing current-gen AI agents to “humans who execute everything they read”—captures the existential challenge facing the industry. As AI agents become more deeply enmeshed in data handling, the traditional boundary between trusted and untrusted content is breaking down. Every email, chat, or document becomes a possible attack surface.
Notably, Salesforce’s Agentforce and other major platforms using similar AI architectures may also be vulnerable, according to Aim Security. While specifics about other vendors’ exposures remain speculative without formal advisories, the underlying vulnerability—a lack of clear distinction between user-generated, externally sourced, and system-trusted data—places entire categories of enterprise automation at elevated risk.

The Technical Underpinnings: How Prompt Injection Works in Echoleak​

Prompt injection, once considered a fringe curiosity in the AI research community, is now a critical real-world concern. In the Echoleak context, attackers encapsulate special instructions that exploit ambiguities in natural language processing. For example, while “send confidential information” might be blocked, more subtle variants or encoded instructions can fly under the radar of filtration systems.
Echoleak-style attacks use this to their advantage by:

• Embedding exploitative prompts within regular communications (especially HTML or formatted emails).
• Leveraging AI’s RAG capabilities, which invite the agent to “look up” additional data in mailbox, cloud, or chat repositories.
• Exploiting ancillary system behaviors, such as image or link preview fetching, which cause automated outbound requests—submitting internal data as query params or embedded metadata.

Even if attacks are tailored to the quirks of a given AI’s input parsing, the generic danger inherent to prompt injection means Echoleak is less about one product and more about an entire design paradigm.

Industry Reaction and Calls for New Security Models​

Security professionals have characterized Echoleak as a watershed in the evolution of AI risk. The underlying issue—AI’s indiscriminate processing of mixed-trust data—has prompted urgent industry-wide introspection. Traditional security approaches, such as email spam filtering, DLP (Data Loss Prevention), and user training, are not equipped to address autonomous agents acting on behalf of users.
Adir Glass emphasizes that “ad hoc control methods and new designs” are imperative, allowing clear separation of trusted and untrusted data, perhaps through metadata tagging, sandboxed processing, or more advanced context-aware classifiers. Without this, every AI integration becomes a high-value target for zero-click exploitation.
In response, some vendors are reportedly implementing differential trust zoning, rate limiting for outbound requests, and even more aggressive anomaly detection on AI-generated outbound traffic. However, comprehensive defenses will likely require fundamental re-architecture of how AI agents parse, contextualize, and act on data streams—challenges that will take years of research and engineering to resolve.

Practical Mitigations and Guidance for Enterprises​

While a full solution demands upstream changes from AI designers and platform vendors, organizations can deploy mitigating controls to limit exposure:

• AI Agent Configuration Reviews: System administrators should regularly audit AI agent permissions, especially those related to email, chat, and file system access, restricting them to only necessary scopes.
• Segregation of Duties: AI systems should process external inputs within sandboxed environments, ensuring untrusted communications cannot trigger sensitive internal lookups.
• External Link Filtering and Disabling Auto-Previews: Limit the AI’s ability to automatically fetch external resources, especially images and links, which are prime exfiltration pathways.
• Prompt Injection Testing: Adopt “red team” strategies to simulate prompt injection and zero-click attacks, identifying weaknesses before attackers do.
• Monitoring and Logging: Enable extensive logging for AI-agent-driven outbound requests and anomalous data movement, with alerting for suspicious activities.

The Way Forward: AI and the Changing Cybersecurity Landscape​

Echoleak’s discovery punctuates a rapidly unfolding chapter in the story of AI deployment. As generative AI agents become trusted co-pilots for millions of enterprise users, the “attack surface” is no longer just endpoints or applications—but the very language in which we communicate, store, and request information.
The threat is not limited to Microsoft, Salesforce, or any one vendor—rather, it is systemic and pervasive wherever AI interfaces with mixed-trust data. The industry is now grappling with the new reality that the biggest risk factor might be the very intelligence intended to protect and empower users.
Looking ahead, there are growing calls for regulatory and standards bodies to develop frameworks specific to AI security—both to assess risk in existing deployments and to guide future architectures toward resilience against zero-click and prompt injection exploits. A future in which AI can reliably distinguish between benign and hostile intent will require not only technical innovation, but also a deep rethinking of trust, authentication, and system design.
Echoleak is a clarion call: as we race to infuse AI into every facet of organizational life, a corresponding investment in defensive invention is no longer optional. The boundary between insight and exploitation has never been thinner. Enterprises must act swiftly, transforming their AI security postures to anticipate the sophisticated, invisible threats of tomorrow—because in the world after Echoleak, simply receiving an email could be all it takes to trigger a breach.

---

Source: GIGAZINE A zero-click attack method 'Echoleak' that sends emails to manipulate AI and steal confidential information has been discovered, and there is a risk to all AI systems such as Microsoft Copilot and MCP-compatible services just by receiving an email.