Microsoft Copilot targeted in first “zero-click” attack on an AI agent – what you need to know
- Security researchers Aim Labs discovered an LLM Scope Violation flaw in Microsoft 365 Copilot
- The critical-severity bug allows threat actors to exfiltrate sensitive corporate data by sending an email
- Microsoft says it has fixed the issue server-side, but users should be on guard
Microsoft has fixed a dangerous zero-click attack in its Generative Artificial Intelligence (GenAI) model which could have allowed threat actors to silently exfiltrate sensitive corporate data without (almost) any user interaction.
Cybersecurity researchers Aim Labs, who found the flaw, known as an “LLM Scope Violation”, and dubbed it EchoLeak.
Here is how it works: A threat actor sends a seemingly innocuous email message to the target, which contains a hidden prompt that instructs Copilot to exfiltrate sensitive data to an attacker-controlled server. Since Copilot is integrated into Microsoft 365, that data can include anything from intellectual property files, to business contracts and legal documents, or from internal communications, to financial data.
Critical vulnerability
The researchers note the prompt needs to be phrased like speaking to a human, so that it bypasses Microsoft’s XPIA (cross-prompt injection attack) defenses.
Later, when the victim interacts with Copilot and asks a business-related question, the LLM will pull all of the relevant data (including the attackers’ email message) and will end up executing it. The files are stored in a crafted link or an image.
The bug was assigned the CVE-2025-32711 identifier, and was given a severity score of 9.3/10 (critical). It was fixed server-side in May, meaning users don’t need to do anything. Microsoft also said that there is no evidence that the flaw had been exploited in the past, and none of its customers were impacted.
Microsoft 365 is one of the most popular cloud-based communications and online collaboration tools, combining office apps (Word, Excel, and others), cloud storage (OneDrive and SharePoint), email and calendar (Outlook, Exchange), and communications tools (Teams).
Recently, Microsoft integrated its Generative AI model, Copilot, into Microsoft 365, allowing users to draft and summarize emails, generate and edit documents, create data visualizations and analyze trends, and more.
Via BleepingComputer
You might also like
Security researchers Aim Labs discovered an LLM Scope Violation flaw in Microsoft 365 Copilot The critical-severity bug allows threat actors to exfiltrate sensitive corporate data by sending an email Microsoft says it has fixed the issue server-side, but users should be on guard Microsoft has fixed a dangerous zero-click attack…
