Researchers at Aim Labs have uncovered a zero-click vulnerability in Microsoft 365 Copilot, dubbed “EchoLeak.” This flaw allows threat actors to extract sensitive data from a user’s environment without any user interaction: no clicks, no downloads, no warnings.
The finding is the first known instance of a zero-click exploit in a major generative AI assistant, and could be the start of a shift in how malicious actors target AI systems.
Aim Labs discovered the attack and reported it to Microsoft, which classified the issue as a critical information disclosure vulnerability and assigned it the identifier CVE-2025-32711. Microsoft resolved the flaw server-side in May, meaning users do not need to take any action.
A New Class of Exploitation: LLM Scope Violation
At the core of this discovery is a novel technique Aim Labs calls an “LLM Scope Violation.” Unlike traditional prompt injection, where the attacker’s commands are easily identifiable and often filtered, this approach tricks the AI into pulling sensitive, internal data into its output stream, all without the user’s intent or knowledge.
The attack exploits the way large language models (LLMs) like OpenAI’s GPT (used in Microsoft 365 Copilot) interpret and respond to unstructured prompts. Instructions delivered via a simple external email, crafted to look benign, are misinterpreted by Copilot as internal commands. Once parsed, those instructions prompt the AI to reach into the user’s Microsoft Graph context and leak data.
And there’s the twist: no clicks are needed.
How M365 Copilot Became the Target
Microsoft 365 Copilot is an AI assistant based on Retrieval-Augmented Generation (RAG). It uses RAG to source and present organizational data in a user-friendly, conversational interface. Its strength lies in its integration with the Microsoft Graph, which allows it to reach into user mailboxes, OneDrive, SharePoint sites, and Teams history to produce highly relevant responses.
This convenience introduces risk. Copilot inherits the same access rights as the user, and the AI’s design assumes that only trusted individuals are issuing commands.
Aim Labs’ research shows otherwise.
Breaking the Chain: From Email to Exfiltration
The attack begins with a simple email. Written to appear as a normal message, it avoids keywords typically associated with AI prompts, sidestepping Microsoft’s XPIA (cross-prompt injection attack) filters. From there, the attack unfolds in three key steps:
Prompt Injection Bypass: By phrasing instructions conversationally, the malicious message slips past existing filters. There’s no mention of Copilot or AI. No red flags. Just ordinary text.
Markdown Link Redaction Bypass: Copilot normally strips clickable links to external domains. But Aim Labs found a way around this. Reference-style markdown links (less commonly used) are not removed. These can carry encoded data to an attacker’s server, disguised as harmless URLs.
Image-Based Exfiltration via CSP Bypass: Markdown images offer another route. When Copilot outputs an image using a crafted URL, the browser attempts to fetch it automatically. The trick lies in getting around Microsoft’s Content Security Policy (CSP), which limits the domains from which content can be loaded. By digging into Microsoft’s allowed list, the researchers discovered that Teams and SharePoint Online could be manipulated to relay sensitive data to attacker-controlled endpoints.
Each step advances the chain without the victim ever clicking or replying.
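The two output-side bypasses above both depend on markdown in the model's response resolving to an external URL. The following is an added defensive example, not code from Aim Labs or Microsoft: an output filter that treats inline links, reference-style links with their definitions, and images uniformly before anything is rendered. The allowlisted host, the sample text and the strict no-query policy are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed tenant allowlist, constructed for this example.
ALLOWED_HOSTS = {"contoso.sharepoint.com"}

INLINE = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]*)>?[^)]*\)")
REF_USE = re.compile(r"(!?)\[([^\]]*)\]\[([^\]]*)\]")
REF_DEF = re.compile(r"^ {0,3}\[([^\]]+)\]:[ \t]*<?(\S*?)>?(?:[ \t].*)?$\n?", re.M)

# Constructed model output: a reference-style link plus an inline image.
SAMPLE = ("See [the report][r1] and ![chart](https://external.example/p.png?d=constructed).\n"
          "\n[r1]: https://external.example/c?d=constructed\n")

def url_ok(url):
    # Assumed strict policy: https, allowlisted host, no query or fragment.
    # A host allowlist alone is not enough, since allowed hosts can relay data.
    try:
        p = urlsplit(url)
    except ValueError:
        return False
    return (p.scheme == "https" and p.hostname in ALLOWED_HOSTS
            and not p.query and not p.fragment)

def sanitize(md):
    """Return (clean_markdown, blocked_urls) for one model response."""
    blocked = []
    # Map reference labels to URLs before any definition is removed.
    refs = {label.strip().lower(): url for label, url in REF_DEF.findall(md)}

    def drop_def(m):
        # Without its definition, a reference renders as plain text.
        if url_ok(m.group(2)):
            return m.group(0)
        blocked.append(m.group(2))
        return ""
    def fix_inline(m):
        if url_ok(m.group(3)):
            return m.group(0)
        blocked.append(m.group(3))
        return "[image removed]" if m.group(1) else m.group(2)
    def fix_ref(m):
        # Collapsed form [text][] uses the link text as its label.
        label = (m.group(3) or m.group(2)).strip().lower()
        if url_ok(refs.get(label, "")):
            return m.group(0)
        return "[image removed]" if m.group(1) else m.group(2)

    md = REF_DEF.sub(drop_def, md)
    md = INLINE.sub(fix_inline, md)
    return REF_USE.sub(fix_ref, md), blocked
```

The returned `blocked` list is worth logging: a response that tried to emit external URLs after processing an inbound email is a useful detection signal on its own.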
Zero Interaction, Total Exposure
Unlike phishing attacks that rely on social engineering, EchoLeak requires no action from the target. That’s what makes it dangerous. The bad actor does not need the victim to be careless, only present. If Copilot processes the malicious message within its context, the leak occurs.
While Microsoft 365 Copilot is restricted to internal organizational use, the vulnerability can be triggered by any external sender. The barrier to entry is low and the impact, high.
Why Existing Frameworks Fall Short
EchoLeak touches three known OWASP vulnerability classes for LLMs: LLM01 (prompt injection), LLM02 (data leakage), and LLM04 (overreliance on training data). But Aim Labs argues the industry lacks precision.
The term LLM Scope Violation aims to fill that gap. It describes the condition where untrusted external inputs cause the LLM to act on internal, privileged data, violating the principle of least privilege without detection.
The researchers draw a comparison to buffer overflows in traditional security. Just as “stack overflow” became a meaningful subcategory for targeted defense, “LLM Scope Violation” could help guide more refined mitigations for AI systems.
Mitigation and Responsible Disclosure
Aim Labs disclosed the attack chains to Microsoft’s Security Response Center (MSRC), and notes that no in-the-wild exploitation has been observed to date.
The firm continues its work in AI security, focusing on developing runtime guardrails and detection strategies that go beyond simple pattern-matching or filtering. As AI agents grow more autonomous and embedded in enterprise systems, new types of defensive frameworks are needed, ones that understand the nuances of language, intent, and contextual privilege.
EchoLeak is a warning. As enterprises lean heavily on AI assistants for productivity, the lines between human instruction and machine execution blur. The same systems that summarize your email, prepare your report, or analyze financials can be manipulated to leak them.
The exploit is elegant. The implications, far-reaching.
Microsoft has not commented publicly on the disclosure, but given the technical depth and accessibility of the attack, further industry scrutiny is likely. If zero-click vulnerabilities are now possible in AI assistants, the security model for enterprise AI will need urgent re-evaluation.
Aim Labs has published a detailed technical breakdown on its site. The research team continues to explore additional variants and encourages the industry to collaborate on building smarter, more granular defenses for AI-driven systems.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


