All articles
AI & Emerging Tech · 3 Jul 2025 · 2 min read

Breaking down EchoLeak: a zero-click AI vulnerability in Microsoft 365 Copilot

Researchers at Aim Labs disclosed "EchoLeak", the first known zero-click vulnerability in Microsoft 365 Copilot that could silently exfiltrate sensitive organisational data. The flaw exploited what they termed an "LLM scope violation", letting an attacker extract data from the Copilot context, chat histories, OneDrive files, SharePoint content, simply by sending a crafted email to the target, with no user interaction at all.

How EchoLeak worked

The attack chain unfolded entirely server-side within Copilot's retrieval-augmented-generation (RAG) architecture. An adversary crafted an email containing a malicious prompt, which Copilot unknowingly executed when querying its context. Because the prompt exploited an internal scope violation, Copilot then transmitted the retrieved data, from private chat transcripts to Graph-fetched documents, back to the attacker, without a single click from the user.

The scope of exfiltration

  • The entire Copilot context, including full conversation histories and any preloaded organisational information.
  • Microsoft Graph resources, emails, calendar, OneDrive and SharePoint files.
  • Proprietary and personal data, from internal memos to customer PII.

That breadth opens the door to corporate espionage and targeted extortion, harvesting strategic roadmaps or sensitive personal data without detection.

Microsoft's response

On responsible disclosure in January 2025, Microsoft assigned EchoLeak the identifier CVE-2025-32711 and implemented a server-side fix in May 2025, closing the vector without requiring any customer-side update. Microsoft reported no evidence of real-world exploitation before the patch.

What to do now

  1. Confirm the May 2025 server-side update has been applied to your tenant.
  2. Restrict Copilot's ability to process emails from unverified or external senders via Conditional Access.
  3. Integrate Copilot API logs into your SIEM to detect anomalous exfiltration patterns.
  4. Harden AI governance, define and enforce data-handling policies for AI agents, including strict DLP around Copilot queries.

Lessons for a post-AI risk landscape

EchoLeak is a preview of the attack surface AI agents introduce. As Copilot embeds into daily work, treat AI queries as external endpoints with least-privilege access to data sources, run AI-specific threat modelling and red-teaming, and update incident-response playbooks for scenarios where an AI agent becomes the exfiltration vector. The productivity is real, but so is the new risk.

This is exactly the readiness work we do before turning Copilot on: data discovery and labelling, permission tightening and inline guardrails. See our Secure AI and Data Protection work, with Netskope and Cyera, and start with a cyber health check.

Rolling out Copilot? Secure it first.