Researchers have found a flaw in Microsoft 365 Copilot that allows the exfiltration of sensitive corporate data with a simple email.
Analysis Summary
# Vulnerability: EchoLeak - Zero-Click Data Exfiltration in Microsoft 365 Copilot via RAG Flaws
## CVE Details
The provided article does not specify a CVE identifier or a CVSS score.
- CVE ID: Not provided in the source
- CVSS Score: Not provided in the source
- CWE: Related to Prompt Injection/LLM Misuse, potentially CWE-1021 (Improper Restriction of Input during Search Query Generation) or similar LLM-specific weaknesses.
## Affected Systems
- Products: Microsoft 365 Copilot
- Versions: All versions prior to the patch implemented in May 2025.
- Configurations: Any configuration where Copilot utilizes Retrieval Augmented Generation (RAG) over the Microsoft Graph in desktop/web clients supporting Markdown rendering.
## Vulnerability Description
The vulnerability, dubbed 'EchoLeak,' is a novel zero-click issue that exploits design flaws common to Retrieval Augmented Generation (RAG) Copilots such as Microsoft 365 Copilot. It allows an attacker to exfiltrate sensitive corporate data from Copilot's context without any specific user action. The core technique bypasses security measures (XPIA classifiers, link redaction, image redaction, and CSP) to force Copilot to construct an output, specifically a maliciously crafted image URL, that contains the sensitive data and is then sent to an attacker-controlled endpoint.
## Exploitation
- Status: Not exploited in the wild (as of the report date), but a concrete attack vector was demonstrated by researchers.
- Complexity: Medium to High (Requires understanding of multi-stage RAG exploitation, markdown syntax manipulation, and CSP analysis).
- Attack Vector: Network (via specially crafted email).
### Attack Chain Summary (Steps to achieve Zero-Click Exfiltration):
1. **XPIA Bypass:** Craft an email using specific markdown syntax phrased as instructions for the email recipient, tricking Copilot's LLM into processing them.
2. **Link/Image Redaction Bypass:** Instruct Copilot to retrieve sensitive context data and embed it into a reference-style markdown link or image tag URL structure.
3. **Automation:** Use the image markdown technique to automate exfiltration without requiring the user to click a link.
4. **CSP Bypass:** Identify allowed domains specified in the Content-Security-Policy (CSP) (e.g., SharePoint/Teams endpoints) to host the malicious image request, bypassing restrictions on external domain fetching.
## Impact
The attack targets the RAG mechanism to extract data Copilot has access to in its current context based on user permissions.
- Confidentiality: High (Sensitive corporate data can be exfiltrated).
- Integrity: Low (The primary goal is data theft, not system modification).
- Availability: Low (Service availability is generally unaffected).
## Remediation
### Patches
- Microsoft finalized the patch for the vulnerability in **May 2025**. Users should ensure M365 Copilot clients and underlying services are fully updated to incorporate these fixes.
### Workarounds
As this is a zero-click issue executed via email content, direct workarounds for the flaw are difficult until patching is complete. Potential temporary measures include:
1. **Strict Email Scanning:** Enhancing email security gateways to detect known malicious markdown structures intended for LLM manipulation, though this may be difficult due to evolving techniques.
2. **Limiting Copilot Contextual Access:** Reviewing and minimizing the data sources (SharePoint/Teams data sensitivity) available to Copilot for users in high-risk environments until patched.
## Detection
- Indicators of Compromise (IoCs) would center around unusual outbound network traffic originating from user sessions interacting with Copilot, specifically POST requests or image loads referencing internal data structures being sent to external or unexpected domains allowed under the CSP.
- **Detection Methods:** Monitoring network logs for connections matching image loading attempts originating during Copilot interactions where sensitive data patterns are observed in the request URI query strings.
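The monitoring idea above can be sketched as a log scan. This is an added example, not code from the article or from Microsoft; the proxy-log layout, the `copilot.example` referer host, the length threshold and the sensitive-data patterns are all assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions for this example (not from the article): the log layout,
# the Copilot UI referer host, the length threshold and the patterns.
COPILOT_REFERER_HOSTS = {"copilot.example"}
MAX_BENIGN_VALUE_LEN = 64
SENSITIVE = re.compile(
    r"(?i)api[_-]?key|password|secret|confidential|[\w.+-]+@[\w-]+\.[\w.]+")

# Constructed sample lines: time user method url referer
SAMPLE_LOG = "\n".join([
    "2025-05-02T09:14:03Z alice GET https://tenant.sharepoint.example/img/logo.png?v=3 https://copilot.example/chat",
    "2025-05-02T09:14:09Z alice GET https://tenant.sharepoint.example/img/p.png?d=Q3%20forecast%20password%3DHunter2 https://copilot.example/chat",
    "2025-05-02T09:15:40Z bob GET https://tenant.sharepoint.example/img/p.png?d=" + "QUJD" * 20 + " https://copilot.example/chat",
    "2025-05-02T09:16:02Z bob GET https://cdn.example/p.png?d=password%3Dx https://intranet.example/home",
    "truncated line",
])


def suspicious_params(url):
    """Return (name, reason) pairs for query values that look like leaked context."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SENSITIVE.search(value):  # value is already percent-decoded
            hits.append((name, "sensitive-pattern"))
        elif len(value) > MAX_BENIGN_VALUE_LEN:
            hits.append((name, "long-value"))
    return hits


def scan(log_text):
    """Flag requests made from a Copilot session whose query string carries data."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated lines
        ts, user, method, url, referer = parts
        if urlsplit(referer).hostname not in COPILOT_REFERER_HOSTS:
            continue  # only requests issued while the Copilot UI was the page
        hits = suspicious_params(url)
        if hits:
            findings.append({"time": ts, "user": user, "method": method,
                             "host": urlsplit(url).hostname, "params": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The Referer header can be missing or trimmed under strict referrer policies, so in practice the same check is better keyed on user and time window correlated with Copilot session logs.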
## References
- Vendor Advisory/Source: Aim Labs (Reported January 2025, Patch finalized May 2025)
- Relevant Links:
  - Aim Labs detailed findings: `hxxps://www.aim.security/lp/aim-labs-echoleak-blogpost`