What Happened
Researchers at Aim Labs disclosed a zero-click flaw in Microsoft 365 Copilot in which a single crafted email planted hidden instructions that Copilot later pulled into its context via retrieval. The payload evaded Microsoft's cross-prompt-injection classifier, defeated link redaction using reference-style Markdown, and abused an auto-fetched image plus an allowlisted Teams/SharePoint proxy to silently ship data out. No user click or interaction was required, making it the first documented case of prompt injection weaponized for concrete exfiltration in a production LLM system.
Impact
Any organizational data within Copilot's reach - emails, OneDrive and SharePoint files, Teams chats, and prior conversation content - could be leaked to an attacker. Microsoft assigned CVE-2025-32711 (CVSS 9.3) and shipped a server-side fix; no customer action was required.
How to Prevent This
- Treat all retrieved/RAG content and inbound email as untrusted; never let it carry executable instructions into the model context
- Strip or neutralize Markdown image and link auto-loading in AI output rather than relying on redaction heuristics
- Enforce a strict content security policy and audit allowlisted proxy domains that could serve as exfiltration channels
- Apply output-side data loss prevention that blocks the assistant from emitting internal data to external endpoints
- Red-team AI assistants specifically for indirect prompt injection before granting them access to sensitive corpora