EchoLeak: The Zero-Click AI Exploit That Threatens Microsoft 365 Copilot Security

A seismic shift has rippled through the cybersecurity community with the disclosure of EchoLeak, the first publicly reported "zero-click" exploit targeting a major AI tool: Microsoft 365 Copilot. Developed by AIM Security, EchoLeak exposes an unsettling truth: simply by sending a cleverly engineered email, a threat actor can silently siphon confidential business data—no interaction, no clicks, not even a hint of suspicious behavior required from the intended victim. For organizations racing to embrace generative AI productivity, this revelation underscores a new epoch of risks and responsibilities.

Understanding Zero-Click AI Exploits: The EchoLeak Paradigm​

Traditional phishing and malware attacks typically depend on social engineering—luring the user to click malicious links, download files, or divulge secrets. Zero-click exploits, in contrast, require no action from the victim. In the AI era, as tools like Copilot weave themselves into the fabric of everyday business operations, zero-click AI exploits mark a calamitous new frontier.
EchoLeak works by manipulating the way Copilot’s underlying large language models (LLMs), such as OpenAI’s GPT family, interpret and process user data. Instead of exploiting typical vulnerabilities such as buffer overflows or scripting flaws, EchoLeak exploits what AIM Security describes as an "LLM scope violation." Attackers embed covert instructions in benign-looking emails—an approach that bypasses traditional defenses designed for human interaction, not machines that read and respond contextually to all incoming data.

Anatomy of the EchoLeak Attack​

AIM Security’s report outlines a sophisticated, multi-pronged attack chain that exposes systemic blind spots in both AI model design and enterprise deployment:

1. Circumventing XPIA Classifiers​

Microsoft deploys protective classifiers—collectively called XPIA—to screen for suspicious prompts and block prompt injections. EchoLeak sidesteps these with "natural language" exploits; the attacker writes instructions in plausible, business-like English, evading XPIA by avoiding explicit technical content or obvious suspicious cues.

2. Breaking Link Redaction with Markdown Tricks​

Microsoft 365 Copilot is designed to strip or sanitize external links, a classic data exfiltration vector. However, AIM Security discovered that by exploiting nuances in Markdown syntax, attackers can create links that withstand these sanitization layers. When processed by Copilot, they trigger HTTP requests—often embedding confidential data in the URL path—unbeknownst to the user.

3. Image Tag Exploitation​

A particularly devious technique in the EchoLeak chain leverages Markdown image tags. While images from external domains are usually blocked by Microsoft’s Content Security Policy (CSP), Copilot can be prompted to auto-generate image links. When Copilot parses such an email, the preview function may cause the browser to "fetch" the image source, thus sending private contextual data to the attacker—again, with zero user interaction.

4. CSP Bypass through Microsoft Services​

To further evade detection, attackers have found methods to route exfiltration traffic through allowed, authenticated Microsoft domains, such as Teams or SharePoint. By embedding data in requests to these trusted services, the exploit circumvents many standard network and endpoint protection tools.

5. RAG Spraying: Persistence via Volume or Chunking​

RAG, or Retrieval-Augmented Generation, is a method Copilot uses to ingest and summarize large sets of contextual business data. Attackers can boost their chances of successful exfiltration via "RAG spraying," either by:

• Sending many short, slightly varied emails (increasing the attack's touchpoints within the AI’s memory), or
• Crafting a very long email that the system auto-chunks during processing, thus raising the frequency by which malicious payloads are ingested and executed.

What’s at Stake: The Breadth and Depth of the Blast Radius​

Microsoft 365 Copilot is not just an email tool. By design, it spans the organizational tech stack:

• Outlook email bodies, subjects, and attachments
• Teams chat transcripts
• SharePoint sites and internal documentation
• OneDrive files
• Calendar and scheduling data

The scope is governed by user privileges and role-based access control, but EchoLeak circumvents these boundaries. Attacks succeed not by breaching identity or permissions directly, but by tricking the AI into overreaching—exposing confidential summaries, file contents, or even sensitive internal links to the attacker’s infrastructure.
As the AIM Security report noted, a user with what should be "underprivileged" access can, through EchoLeak, harvest highly privileged or sensitive data, simply by sending a well-crafted message. The risk is not just theoretical: any organization relying on Copilot for knowledge work and data synthesis faces the possibility of silent, automated, credential-less exfiltration.

Microsoft’s Response and Risk Mitigation​

Microsoft, responsible for one of the largest SaaS and AI deployments in the world, moved quickly to investigate and neutralize the flaw. The vulnerability has been formally cataloged as CVE-2025-32711 and rated "Critical" with a near-maximum CVSS severity score of 9.3. Microsoft’s Security Response Center described it as “AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.” Their statement assures users that "no customer action is required," as mitigations have already been deployed server-side.
For its part, Microsoft thanked the AIM Security research group for responsible disclosure—a standard but essential practice given the sensitivity of new, AI-driven attack surfaces. Organizations are advised to apply all patch rollouts promptly and monitor MSRC advisories for further developments.

Critical Analysis: Strengths, Weaknesses, and the AI Supply Chain’s New Risks​

Notable Strengths in Microsoft’s Ecosystem​

• Rapid Patching and Coordinated Disclosure: Microsoft’s swift mitigation demonstrates robust internal incident response. They've also reinforced the principle that AI-centric vulnerabilities should be treated on par with classic software flaws.
• Layered AI Defenses: XPIA classifiers and CSP controls remain integral, even if imperfect, showing ongoing efforts to adapt traditional cyber protections for LLM-based systems.
• Transparency and Public CVE Assignment: Official assignment of CVE-2025-32711, and open collaboration with security researchers, reinforces ecosystem trust—even as it exposes significant frailties.

Systemic Vulnerabilities and Unfolding Risks​

• Generative AI’s Expanding Attack Surface: EchoLeak proves that classic security boundaries—email filtering, permissions, role-based access—can be bypassed when a large language model acts as a privileged data broker. Copilot, by necessity, has broad read access for context synthesis, but attackers can hijack this access invisibly.
• Prompt Injection Saturation: Unlike conventional injections, which might rely on scripting languages or malformed packets, prompt injection can take on the bland vernacular of daily business email, making detection by both humans and AI much harder. Heading off the next attack will require not just better classifiers but a more systemic overhaul of how AI agents interpret and compartmentalize data.
• Unintended Data Flow via Markdown and Images: Markdown, a format favored for its simplicity and ease of use, becomes the vehicle for data exfiltration—a scenario few legacy security tools are equipped to police. CSP rules, while robust, are not foolproof when canonical domains (like Microsoft SharePoint) are themselves weaponized.
• Multi-Vector, Automated Attack Chains: The “RAG spraying” tactic highlights how attackers will increasingly think like AI operators: using automation and scale to maximize odds of compromise, not just traditional spear-phishing tactics.

The Larger Implications: Trust, Governance, and the Future of Enterprise AI​

Enterprise trust in generative AI depends not just on productivity gains but on resilient security. EchoLeak serves as a high-profile warning: AI assistants, by design, lower the barriers between user input and privileged backend data stores. The very features that make Copilot powerful—the ability to synthesize, summarize, and act broadly on an organization’s digital assets—make it a sublime target.
As more organizations ingest proprietary contracts, HR records, medical files, and customer correspondence into their AI contexts, adversaries are evolving to exploit these new “sharing intermediaries.” In effect, the generative AI agent becomes the attack pivot: able to read everything, sometimes gullible enough to repeat anything.

Action Points: How Organizations Can Respond​

Although Microsoft has addressed the root of EchoLeak in Copilot, the wider lesson is that AI-enabled “zero-click” vulnerabilities will proliferate unless organizations:

• Strengthen Data Governance: Limit AI access to only what is strictly necessary. Employ managed application boundaries and tight data labeling.
• Audit and Monitor AI Actions: Log and review AI assistant outputs, especially those that interface with external communications. Look for anomalous requests or summaries containing sensitive content.
• Educate All Users on AI Risks: Ensure staff—from end users to administrators—understand not just standard phishing but the subtler play of prompt injection, context hijacking, and data leakage via AI.
• Push for Continuous Red-Teaming: Regular penetration testing must now include prompt injection, markdown exploits, and supply chain/LLM context attacks.
• Demand Independent Security Reviews of AI Vendors: Insist that providers, whether Microsoft or otherwise, adhere to established security standards for LLM operations, redaction, and sandboxing.

Looking Ahead: The New Normal for AI Security​

EchoLeak may be the first in a coming wave of zero-click AI exploits. As office workers, students, and executives become ever more reliant on generative AI tools, the security debate must shift decisively. It’s not merely about patching code but about engineering resilient, least-privilege AI agents that cannot be easily weaponized through clever language or formatting.
Defensive AI—tools built to police and audit LLMs in real time—may soon be required as a checkpoint before action is taken or data is summarized and sent. Hybrid architectures, where an “AI auditor” stands between the LLM and core business systems, are likely to be piloted by forward-thinking organizations.
Finally, enterprises must realize that AI operations—like classic SaaS or cloud—require their own patch cycles, incident responses, and expertise. The capacity to respond to, and recover from, LLM-based exploits will be a new competitive differentiator in a world where data, insight, and vulnerability are more entwined than ever before.

Conclusion: EchoLeak as a Cautionary Milestone​

The disclosure of EchoLeak and Microsoft’s rapid mitigation reset the narrative for AI-assisted office productivity. The convenience and capability of Copilot—and similar offerings—must be balanced against the reality of novel, automation-friendly attack chains. Zero-click exploits in AI will not be easily banished. Rather, they mandate a new discipline of LLM-aware cybersecurity hygiene, cross-functional vigilance, and the humility to recognize that, in the generative AI era, nothing is truly “set and forget.”
In this new reality, enterprise resilience will depend just as much on how an organization thinks about—and configures—their AI as on the speed with which a software patch is deployed. EchoLeak is more than a vulnerability; it is a preview of attacks yet to come. Let it be a warning, and a catalyst, for everyone building, buying, or trusting enterprise AI.

---

Source: TechRepublic First Known 'Zero-Click' AI Exploit: Microsoft 365 Copilot's EchoLeak Flaw