Full Report
A novel attack technique named EchoLeak has been characterized as a "zero-click" artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 Copilot's context sans any user interaction. The critical-rated vulnerability has been assigned the CVE identifier CVE-2025-32711 (CVSS score: 9.3). It requires no customer action and has been already
Analysis Summary
# Vulnerability: EchoLeak - Zero-Click Data Exfiltration in M365 Copilot
## CVE Details
- CVE ID: CVE-2025-32711
- CVSS Score: 9.3 (Critical)
- CWE: Not explicitly stated, but relates to AI Command Injection / LLM Scope Violation.
## Affected Systems
- Products: Microsoft 365 Copilot
- Versions: Not specified, but applies to the deployed service at the time the patch was released.
- Configurations: Any configuration utilizing M365 Copilot where untrusted content (e.g., external emails) enters the context processing pipeline (via RAG).
## Vulnerability Description
This is a "zero-click" Artificial Intelligence (AI) vulnerability in Microsoft 365 Copilot identified as EchoLeak. It is an instance of Large Language Model (LLM) Scope Violation leading to indirect prompt injection. An attacker can embed exploit instructions within untrusted content (like an incoming email). When the user subsequently queries Copilot, the Retrieval-Augmented Generation (RAG) engine incorrectly mixes the attacker's input with privileged internal data from the user's M365 context. This manipulation forces Copilot to exfiltrate the most sensitive data from its current context directly to the attacker, often via Microsoft Teams or SharePoint URLs, without requiring any specific user action following the initial email delivery.
## Exploitation
- Status: Addressed; No evidence of malicious exploitation in the wild reported.
- Complexity: Low (Described as "zero-click" once the initial malicious email is delivered).
- Attack Vector: Network (Via initially delivered email leading to context manipulation).
## Impact
- Confidentiality: High (Allows unauthorized disclosure and exfiltration of sensitive and proprietary information).
- Integrity: Low (The primary goal is information leakage, not data modification).
- Availability: Low (No reported impact on service availability).
## Remediation
### Patches
- Microsoft has addressed this flaw as part of its June 2025 Patch Tuesday release. Customers using up-to-date M365 Copilot installations should be protected.
### Workarounds
- No specific workarounds are detailed, as Microsoft has already deployed a fix. User awareness regarding inspecting content sources before querying Copilot might serve as a temporary measure until patching is confirmed.
## Detection
- Indicators of compromise would involve monitoring outbound network traffic or unusual data retrieval patterns originating from the M365 Copilot service interacting with external endpoints (Teams/SharePoint destinations not related to the user's immediate business context).
- Detection hinges on effective filtering of malicious payloads embedded in inbound/untrusted email content that could trigger the LLM scope violation.
## References
- Vendor Advisory: Https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2025-32711
- Discovery Report: Https://www.aim.security/lp/aim-labs-echoleak-m365
- Related Topic (Indirect Prompt Injection): Https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html