Executive Summary
The recently disclosed Copilot 'SearchLeak' Attack (also known as EchoLeak, CVE-2025-32711) represents a paradigm shift in the threat landscape for organizations leveraging AI-powered productivity tools, specifically Microsoft 365 Copilot. This zero-click vulnerability enables adversaries to exfiltrate sensitive corporate data with a single, specially crafted email—requiring no user interaction. The attack exploits prompt injection and context inheritance mechanisms inherent to Retrieval Augmented Generation (RAG) AI systems, allowing malicious instructions to be surreptitiously executed by Copilot. Although Microsoft released a server-side patch in May 2026, the underlying class of risk persists for any organization utilizing RAG-based AI assistants. As of this report, there are no confirmed cases of exploitation in the wild, but the attack’s stealth, practicality, and potential impact demand immediate attention and robust mitigation.
Technical Information
The EchoLeak (CVE-2025-32711) vulnerability is a zero-click, indirect prompt injection flaw affecting Microsoft 365 Copilot integrations across Word, Excel, PowerPoint, Outlook, and Teams. The attack chain begins when an adversary sends a benign-appearing email containing a hidden prompt payload—typically embedded as an HTML comment or rendered as white-on-white text. This payload is invisible to the end user but is parsed and retained by Copilot’s LLM engine.
When a user subsequently interacts with Copilot (for example, requesting a summary of recent strategy updates), the RAG engine retrieves the earlier email as part of its context window. The hidden prompt is then executed as part of the LLM’s instructions, causing Copilot to leak sensitive data—such as summaries of internal documents, emails, or files—without any user awareness or interaction. This attack is further amplified by “RAG spraying,” where attackers inject malicious prompts into multiple emails or documents, increasing the likelihood that one will be included in Copilot’s context during a legitimate query.
The EchoLeak attack leverages several advanced security bypasses. The XPIA bypass involves crafting prompts that evade Microsoft’s cross-prompt injection attack classifiers. The link/image redaction bypass exfiltrates sensitive data via markdown links or images, circumventing standard redaction mechanisms by using reference-style markdown. The CSP bypass exploits allowed domains, such as SharePoint or Teams, to evade Content Security Policy restrictions.
The impact of this vulnerability is profound. Any data accessible to Copilot’s context—including emails, Teams messages, OneDrive, SharePoint, and Office files—can be silently exfiltrated. The attack is entirely zero-click, requiring no user interaction, and is nearly invisible due to its exploitation of AI context inheritance and prompt execution.
Indicators of compromise include unusual Copilot responses (such as providing summaries or data not explicitly requested), the presence of hidden prompts in emails or documents, and unexpected outbound data in Copilot responses (such as sensitive summaries or links/images with appended query strings).
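The outbound indicator above (links or images with appended query strings, including the reference-style form mentioned earlier) can be checked on an assistant response before it is rendered. This is an added example, not code from the report, Microsoft or the researchers; the function names and the sample response are constructed. It flags by query string rather than by host because the CSP bypass described above relied on allowed domains.

```python
import re
from urllib.parse import urlsplit

INLINE = re.compile(r"(!?)\[[^\]]*\]\(\s*<?([^)\s>]+)")            # [text](url), ![alt](url)
REF_DEF = re.compile(r"^ {0,3}\[([^\]]+)\]:\s*<?([^\s>]+)", re.M)  # [label]: url
IMG_REF = re.compile(r"!\[([^\]]*)\]\[([^\]]*)\]")                 # ![alt][label], ![label][]

def urls_in_markdown(markdown):
    """Yield (kind, url) for inline and reference-style links and images."""
    for bang, url in INLINE.findall(markdown):
        yield ("image" if bang else "link", url)
    # Labels used by an image reference; a collapsed reference reuses the alt text.
    image_labels = {(label or alt).lower() for alt, label in IMG_REF.findall(markdown)}
    for label, url in REF_DEF.findall(markdown):
        yield ("ref-image" if label.lower() in image_labels else "ref-link", url)

def flag_urls(markdown):
    """Return links/images whose URL carries a query string, images first."""
    flagged = []
    for kind, url in urls_in_markdown(markdown):
        parts = urlsplit(url)
        if parts.query:
            flagged.append({"kind": kind, "host": parts.hostname,
                            "query_len": len(parts.query),
                            # images are fetched on render, with no click needed
                            "auto_fetch": kind.endswith("image")})
    return sorted(flagged, key=lambda f: not f["auto_fetch"])

# Constructed sample response; hosts and values are placeholders.
SAMPLE = """Here is the summary you asked for.
See the [planning doc](https://intranet.example.com/docs/plan).
![status][img1]
More detail in [the appendix][ref2].

[img1]: https://assets.example.org/pixel.png?d=CONSTRUCTED_VALUE
[ref2]: https://intranet.example.com/appendix
"""

if __name__ == "__main__":
    for finding in flag_urls(SAMPLE):
        print(finding)
```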
From a threat modeling perspective, EchoLeak aligns with several MITRE ATT&CK TTPs: T1566.001 (Phishing: Spearphishing Attachment), T1204 (User Execution, though the attack is zero-click), T1056 (Input Capture via context manipulation), and T1567 (Exfiltration Over Web Service).
Exploitation in the Wild
As of June 2026, there are no confirmed reports of EchoLeak being exploited in the wild. However, the attack is highly practical and weaponizable. Security researchers have demonstrated proof-of-concept exploits, and the underlying technique is broadly applicable to other RAG-based AI assistants. The absence of confirmed exploitation should not be interpreted as a lack of risk; rather, it underscores the importance of proactive mitigation and monitoring.
APT Groups using this vulnerability
There is currently no public attribution of EchoLeak exploitation to any specific Advanced Persistent Threat (APT) group. Nevertheless, the sophistication and stealth of the attack place it well within the capabilities of advanced threat actors, particularly those specializing in supply chain compromise or business email compromise (BEC) campaigns. The technique’s reliance on prompt injection and context manipulation is consistent with the evolving tactics of APT groups targeting AI-powered enterprise environments. Organizations in sectors handling sensitive data—such as finance, legal, healthcare, government, and technology—should consider themselves at elevated risk.
Affected Product Versions
All versions of Microsoft 365 Copilot prior to the May 2026 server-side patch are affected. This includes all Copilot integrations with Word, Excel, PowerPoint, Outlook, and Teams. The vulnerability is tracked as CVE-2025-32711. According to the National Vulnerability Database (NVD) and vendor advisories, the CPE configuration is cpe:2.3:a:microsoft:365_copilot:-:*:*:*:*:*:*:*, indicating that all versions are affected unless patched.
Organizations should reference the following for detailed version information and patch status: NVD Entry for CVE-2025-32711, Microsoft Security Response Center Advisory, and the Aim Security Disclosure.
Workaround and Mitigation
The primary mitigation is to ensure that your Microsoft 365 Copilot environment is fully updated with the server-side patch released by Microsoft in May 2026. Organizations should also consider the following defense-in-depth strategies: restrict Copilot’s access to external email context via administrative settings, limit markdown rendering in Copilot outputs to reduce prompt injection risk, and implement AI-specific guardrails at the firewall or network layer to monitor and block suspicious AI activity.
Continuous monitoring for hidden prompts—such as HTML comments or white-on-white text in emails and documents—is essential. Leveraging AI-powered email security solutions, such as those offered by Trend Micro, can help detect and block invisible prompt injection attempts. Security teams should also monitor for unusual Copilot responses and unexpected outbound data, which may indicate compromise.
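One way to run the hidden-prompt check described above over an email's HTML body, as an added example (not from this report or any vendor product). The style heuristics, the names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Inline-style fragments that hide text from a human reader (heuristic, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)"
    r"|(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white\b)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "area", "base", "col", "wbr"}

class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # list of (kind, text)
        self._stack = []     # one bool per open element: inside hidden styling?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden = self._stack[-1] if self._stack else False
        self._stack.append(parent_hidden or bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_comment(self, data):
        if data.strip():
            self.findings.append(("html-comment", data.strip()))

    def handle_data(self, data):
        if self._stack and self._stack[-1] and data.strip():
            self.findings.append(("hidden-style", data.strip()))

def scan_email_html(html):
    """Return (kind, text) for comment text and text under hiding styles."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample message; the hidden strings are placeholders.
SAMPLE = """<html><body>
<p>Hi team, notes from Tuesday are attached.</p>
<!-- PLACEHOLDER: text addressed to an AI assistant -->
<div style="color:#ffffff; background:#ffffff"><span>PLACEHOLDER hidden text</span></div>
</body></html>"""

if __name__ == "__main__":
    print(*scan_email_html(SAMPLE), sep="\n")
```

Outlook conditional comments and legitimate preheader text also match, so the findings are triage input rather than a verdict.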
References
Aim Security Disclosure (Original Researchers): https://www.aimsecurity.ai/blog/echoleak-zero-click-copilot-vulnerability
Infosecurity Magazine Coverage: https://www.infosecurity-magazine.com/news/microsoft-365-copilot-zeroclick-ai/
Trend Micro Analysis: https://www.trendmicro.com/en_us/research/25/g/preventing-zero-click-ai-threats-insights-from-echoleak.html
Checkmarx Deep Dive: https://checkmarx.com/zero-post/echoleak-cve-2025-32711-show-us-that-ai-security-is-challenging/
CovertSwarm Technical Writeup: https://www.covertswarm.com/post/echoleak-copilot-exploit
OWASP Top 10 for LLM Applications: https://owasp.org/www-project-top-10-for-large-language-model-applications/
The Hacker News: https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html
NVD Entry for CVE-2025-32711: https://nvd.nist.gov/vuln/detail/CVE-2025-32711
Microsoft Security Response Center Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711
Rescana is here for you
Rescana is committed to helping organizations navigate the rapidly evolving landscape of AI-driven cyber threats. Our Third-Party Risk Management (TPRM) platform empowers security teams to continuously assess, monitor, and mitigate risks across their digital supply chain and vendor ecosystem. We provide actionable intelligence, automated risk scoring, and deep visibility into emerging threats—enabling you to stay ahead of adversaries and regulatory requirements. For any questions, further guidance, or to discuss how Rescana can support your organization’s cybersecurity posture, please contact us at ops@rescana.com. We are always happy to assist.



