Security researchers at Aim Labs have uncovered a sophisticated zero-click vulnerability dubbed "EchoLeak" that enables attackers to automatically extract sensitive data from Microsoft 365 Copilot without requiring any user interaction. Microsoft has assigned this critical vulnerability CVE-2025-32711 and has already implemented a complete fix.
The vulnerability exploits fundamental design weaknesses in Retrieval-Augmented Generation (RAG) systems like M365 Copilot, which integrates with Microsoft Graph to access organisational data, including emails, OneDrive files, SharePoint sites, and Teams conversations.
What makes EchoLeak particularly dangerous is its simplicity—attackers need only send a specially crafted email to their target to initiate the data extraction process.
The attack leverages what researchers term an "LLM Scope Violation," where malicious instructions embedded in an external email cause the AI system to access and exfiltrate privileged organisational data. This represents a new category of AI security threats that exploit the inherent difficulty of validating unstructured inputs to large language models.
[Figure: EchoLeak attack flow. Image: Aim Labs]
First, the researchers circumvented cross-prompt injection attack (XPIA) classifiers by crafting emails that appear to contain instructions for human recipients rather than for AI systems. Next, they exploited a weakness in Microsoft's link redaction system: reference-style markdown links, which the security filters failed to recognise.
Perhaps most ingeniously, the attack automatically exfiltrates data by embedding malicious image references that trigger browser requests to attacker-controlled servers.
The researchers bypassed Content Security Policy restrictions by routing requests through legitimate Microsoft Teams infrastructure, specifically through the URL "eu-prod.asyncgw.teams.microsoft.com/urlp/v1/url/content."
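As an added defensive illustration (this is not code from Aim Labs or Microsoft), the Python sketch below shows why reference-style markdown matters for an output filter: it resolves `![alt][ref]` images through their `[ref]: url` definitions before checking the destination host, so the indirection cannot hide where the image would be fetched from. It also treats an allowlisted host as unsafe when its query string carries another absolute URL; that heuristic is an assumption about proxy-style endpoints in general, not a description of the Teams endpoint named above, and the allowlist and sample markdown are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed allowlist for this example; a deployment would use its own tenant hosts.
ALLOWED_IMAGE_HOSTS = {"contoso.sharepoint.com"}

# Reference-style definitions ([ref]: url), inline images ![alt](url), and
# reference-style images ![alt][ref] (the form the page says the filter missed).
_REF_DEF = re.compile(r'^\s*\[([^\]]+)\]:\s*<?(\S+?)>?\s*$', re.MULTILINE)
_INLINE_IMG = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)[^)]*\)')
_REF_IMG = re.compile(r'!\[([^\]]*)\]\s*\[([^\]]*)\]')
_EMBEDDED_URL = re.compile(r'https?://', re.IGNORECASE)


def _is_unsafe(url: str) -> bool:
    """Unsafe if the host is not allowlisted, or if an allowlisted host is asked
    to fetch another absolute URL via its query string (assumed proxy behaviour)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or host not in ALLOWED_IMAGE_HOSTS:
        return True
    # parse_qs percent-decodes values, so an encoded https%3A%2F%2F is caught too.
    return any(_EMBEDDED_URL.search(v)
               for values in parse_qs(parsed.query).values() for v in values)


def redact_images(markdown: str) -> tuple[str, list[str]]:
    """Return (sanitised markdown, list of removed image URLs)."""
    removed: list[str] = []
    # Resolve reference definitions first so ![alt][ref] can be checked by destination.
    defs = {m.group(1).strip().lower(): m.group(2) for m in _REF_DEF.finditer(markdown)}

    def _inline(m):
        if _is_unsafe(m.group(2)):
            removed.append(m.group(2))
            return "[image removed]"
        return m.group(0)

    def _ref(m):
        ref = (m.group(2) or m.group(1)).strip().lower()  # ![alt][] uses alt as the ref
        url = defs.get(ref)
        if url is None or _is_unsafe(url):
            removed.append(url or f"<unresolved:{ref}>")
            return "[image removed]"
        return m.group(0)

    text = _INLINE_IMG.sub(_inline, markdown)
    text = _REF_IMG.sub(_ref, text)
    # Drop definitions whose URL was removed so no dangling reference remains.
    return _REF_DEF.sub(lambda m: "" if m.group(2) in removed else m.group(0), text), removed
```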
To maximise effectiveness, the researchers developed "RAG spraying" techniques that increase the likelihood of malicious emails being retrieved by Copilot's semantic search system. They achieved this by creating emails containing multiple topic-relevant sections, each designed to match various user queries.
Microsoft's security advisory confirms that the vulnerability received a CVSS score of 9.3, indicating critical severity. The company emphasises that the vulnerability has been "fully mitigated" and requires no customer action, as the fix was implemented on the service side.
Microsoft noted that there is no evidence of real-world exploitation and that no customers were impacted by the flaw.