Microsoft 365 Copilot contained a critical zero-click vulnerability that allowed attackers to exfiltrate sensitive company data simply by sending a malicious email. The flaw, discovered by researchers at Aim Security and dubbed “EchoLeak,” required no user interaction whatsoever. The AI assistant would leak confidential information automatically when it processed certain email content.
Microsoft patched CVE-2025-32711 server-side in May 2025. The company did not issue a traditional advisory or require customer action, addressing the vulnerability through backend cloud service updates instead. No evidence of real-world exploitation has surfaced, but the attack technique is sophisticated: Aim Labs chained multiple bypasses to achieve what they term “LLM Scope Violation,” tricking the AI into violating its trust boundaries and accessing data it should not reach.
CVSS Scoring Confusion Clouds the Real Risk
The vulnerability carries conflicting severity ratings depending on who you ask. Research firm reports cite a CVSS score of 9.3, while the NIST National Vulnerability Database lists it at 7.5. Both sources reference the same CVE number, CVE-2025-32711, but the disparity reflects ongoing problems with CVSS accuracy across different assessors.
The 9.3 rating appears to come from vendor-associated sources while NIST’s 7.5 assessment likely reflects more conservative scoring criteria around user interaction requirements. Given that EchoLeak requires the victim organization to actively use Copilot features and process external email content through the AI system, the lower NIST score may be more accurate.
The Attack Used Natural Language, Not Code
EchoLeak exploited how Copilot processes contextual data when assisting users with tasks. Researchers embedded malicious prompt instructions in common business documents using invisible text, HTML comment tags or white-on-white formatting that users could not see but Copilot’s engine parsed fully.
The payload was pure text, not executable code. When a user later asked Copilot a legitimate question about recent emails or documents, the AI’s retrieval system would pull the earlier malicious content into context and treat the hidden instructions as part of the current request. The result: Copilot would summarize sensitive data and send it to attacker-controlled servers via auto-loading images, all without the user knowing anything had happened.
According to the research published by Aim Labs, attackers could chain this technique with “RAG spraying,” injecting malicious prompts across multiple documents to increase the likelihood that one would be retrieved during a future Copilot interaction.
Traditional Defences Were Useless Against This Attack
The attack bypassed multiple layers of Microsoft’s existing security controls. It evaded the company’s XPIA (Cross Prompt Injection Attempt) classifier through specific phrasing techniques. It circumvented Copilot’s link redaction mechanisms using reference-style Markdown formatting. Most importantly, it abused Microsoft’s own content security policy by using Teams proxy domains that were automatically trusted by the system.
Conventional security tools offered no protection because the malicious payload contained no signatures, file attachments or executable code that antivirus or network monitoring could detect. The attack executed entirely within the natural language processing space, making it invisible to traditional threat detection systems.
Microsoft’s server-side fix limits Copilot’s ability to follow hidden adversarial prompts embedded in files, though the company has not published technical details about exactly what was changed.
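An output-side check for the reference-style Markdown bypass described above, as an added example that is not Microsoft's fix or code from the Aim Labs research: it resolves reference definitions before judging each link or image, so `[text][label]` is held to the same host allowlist as `[text](url)`. The allowlist host, function names and sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist. List only hosts that cannot relay a request to a
# third party: the page notes that trusted proxy domains defeated the CSP.
ALLOWED_HOSTS = {"docs.corp.example"}

INLINE = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")  # [t](url)
REF_USE = re.compile(r"(!?)\[([^\]]*)\]\[([^\]]*)\]")               # [t][label]
REF_DEF = re.compile(r"^ {0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t]+.*)?$", re.M)

def host_allowed(url):
    try:
        parsed = urlparse(url)
        return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS
    except ValueError:          # malformed URL: treat as untrusted
        return False

def redact_untrusted_links(markdown):
    """Return (markdown without untrusted links and images, blocked URLs)."""
    # Resolve definitions first so [text][label] is judged by its real target.
    refs = {m.group(1).strip().lower(): m.group(2)
            for m in REF_DEF.finditer(markdown)}
    blocked = []

    def inline(m):
        if host_allowed(m.group(3)):
            return m.group(0)
        blocked.append(m.group(3))
        return m.group(2)       # keep the visible text, drop the URL

    def ref_use(m):
        url = refs.get((m.group(3) or m.group(2)).strip().lower())
        return m.group(0) if url is None or host_allowed(url) else m.group(2)

    def ref_def(m):
        if host_allowed(m.group(2)):
            return m.group(0)
        blocked.append(m.group(2))
        return ""               # a bare [label] now renders as plain text

    out = REF_USE.sub(ref_use, INLINE.sub(inline, markdown))
    return REF_DEF.sub(ref_def, out), blocked

# Constructed assistant output, not taken from the EchoLeak research.
SAMPLE = (
    "![status][ref1] see [report](https://docs.corp.example/q3) and "
    "[details](https://untrusted.example/c?q=abc)\n\n"
    "[ref1]: https://untrusted.example/p.png?q=abc\n"
)
```

Running the filter on the rendered response, after generation and before display, means it does not depend on the model or an input classifier having recognised the injected instruction.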
What Copilot Users Should Do Now
Microsoft’s server-side patch is already applied across Microsoft 365 environments, so no customer action is required to address the specific EchoLeak vulnerability. However, organizations should consider additional steps to reduce exposure to similar AI-targeted attacks.
Review which users have Copilot access and consider restricting it in high-sensitivity workflows like executive communications or legal document reviews. Disable external email context in Copilot settings if your organization does not need the AI to reference emails from outside contacts. Use document sanitization tools to strip hidden text, speaker notes and metadata from files before sharing them broadly.
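One way to apply the hidden-text advice to HTML email bodies before they reach a retrieval index, as an added example (not a Microsoft tool or setting): it separates reader-visible text from HTML comments and from elements hidden by inline styles. The style heuristics, names and sample message are assumptions; CSS classes and external stylesheets are not evaluated.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "source", "track", "wbr"}
# Inline styles that hide text from a reader but not from a parser.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                    r"|(?:font-size|opacity)\s*:\s*0(?![.\d])", re.I)
# Heuristic for white-on-white: a white foreground (background is not checked).
WHITE = re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?|white)\b", re.I)

class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = [False]   # per open element: is its subtree hidden?
        self.visible, self.hidden = [], []

    def _hides(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        return (tag in ("script", "style") or "hidden" in attrs
                or bool(HIDDEN.search(style) or WHITE.search(style)))

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:    # void elements never get an end tag
            self.stack.append(self.stack[-1] or self._hides(tag, attrs))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        if data.strip():
            (self.hidden if self.stack[-1] else self.visible).append(data.strip())

    def handle_comment(self, data):
        self.hidden.append(data.strip())

def split_email_html(html):
    """Return (text safe to index, hidden fragments to log or quarantine)."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.hidden

# Constructed message body; the hidden strings are placeholders.
SAMPLE = ('<p>Agenda attached.</p><!-- hidden note A -->'
          '<div style="color:#FFFFFF">hidden note B</div>'
          '<span style="display:none"><b>hidden note C</b></span><p>Regards,<br>Alex</p>')
```

A non-empty second return value is itself a useful signal: legitimate external mail rarely carries text that no reader can see, so those fragments are worth logging alongside the sender.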
The broader lesson from EchoLeak is that AI assistants create new attack surfaces that existing security controls were not designed to handle. As these systems become more deeply integrated into business workflows, organizations need to rethink their approach to data loss prevention and insider threat monitoring to account for AI-mediated data access patterns.
References
- Microsoft Security Response Center – CVE-2025-32711
- NIST National Vulnerability Database – CVE-2025-32711
- Preventing Zero-Click AI Threats: Insights from EchoLeak
- EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit
- Inside CVE-2025-32711: Prompt injection meets AI exfiltration