Recommended reading

Microsoft Copilot targeted in first “zero-click” attack on an AI agent - what you need to know

News
By published

Security researchers discover a way to extract sensitive information from AI agent

generative ai business use
(Image credit: Shutterstock / thanmano)
  • Security researchers Aim Labs discovered an LLM Scope Violation flaw in Microsoft 365 Copilot
  • The critical-severity bug allows threat actors to exfiltrate sensitive corporate data by sending an email
  • Microsoft says it has fixed the issue server-side, but users should be on guard

Microsoft has fixed a dangerous zero-click attack in its Generative Artificial Intelligence (GenAI) model which could have allowed threat actors to silently exfiltrate sensitive corporate data without (almost) any user interaction.

Cybersecurity researchers Aim Labs, who found the flaw, known as an “LLM Scope Violation”, and dubbed it EchoLeak.

Here is how it works: A threat actor sends a seemingly innocuous email message to the target, which contains a hidden prompt that instructs Copilot to exfiltrate sensitive data to an attacker-controlled server. Since Copilot is integrated into Microsoft 365, that data can include anything from intellectual property files, to business contracts and legal documents, or from internal communications, to financial data.

Critical vulnerability

The researchers note the prompt needs to be phrased like speaking to a human, so that it bypasses Microsoft’s XPIA (cross-prompt injection attack) defenses.

Later, when the victim interacts with Copilot and asks a business-related question, the LLM will pull all of the relevant data (including the attackers’ email message) and will end up executing it. The files are stored in a crafted link or an image.

The bug was assigned the CVE-2025-32711 identifier, and was given a severity score of 9.3/10 (critical). It was fixed server-side in May, meaning users don’t need to do anything. Microsoft also said that there is no evidence that the flaw had been exploited in the past, and none of its customers were impacted.

Microsoft 365 is one of the most popular cloud-based communications and online collaboration tools, combining office apps (Word, Excel, and others), cloud storage (OneDrive and SharePoint), email and calendar (Outlook, Exchange), and communications tools (Teams).

Recently, Microsoft integrated its Generative AI model, Copilot, into Microsoft 365, allowing users to draft and summarize emails, generate and edit documents, create data visualizations and analyze trends, and more.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.