Prompt InjectionCritical

EchoLeak: Zero-Click Prompt Injection Exfiltrates Data From Microsoft 365 Copilot

Microsoft

What Happened

Researchers at Aim Labs disclosed a zero-click flaw in Microsoft 365 Copilot in which a single crafted email planted hidden instructions that Copilot later pulled into its context via retrieval. The payload evaded Microsoft's cross-prompt-injection classifier, defeated link redaction using reference-style Markdown, and abused an auto-fetched image plus an allowlisted Teams/SharePoint proxy to silently ship data out. No user click or interaction was required, making it the first documented case of prompt injection weaponized for concrete exfiltration in a production LLM system.

Impact

Any organizational data within Copilot's reach - emails, OneDrive and SharePoint files, Teams chats, and prior conversation content - could be leaked to an attacker. Microsoft assigned CVE-2025-32711 (CVSS 9.3) and shipped a server-side fix; no customer action was required.

How to Prevent This

  • Treat all retrieved/RAG content and inbound email as untrusted; never let it carry executable instructions into the model context
  • Strip or neutralize Markdown image and link auto-loading in AI output rather than relying on redaction heuristics
  • Enforce a strict content security policy and audit allowlisted proxy domains that could serve as exfiltration channels
  • Apply output-side data loss prevention that blocks the assistant from emitting internal data to external endpoints
  • Red-team AI assistants specifically for indirect prompt injection before granting them access to sensitive corpora

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment