Overview
- Aim Security researchers discovered EchoLeak in January 2025, marking the first known zero-click attack on an AI agent.
- Microsoft rated the flaw critical, assigned it CVE-2025-32711, and applied a server-side fix in May without requiring any user action.
- EchoLeak exploits Copilot’s background email scanning and retrieval engine to inject hidden prompts that silently exfiltrate sensitive internal data.
- The vulnerability exemplifies a new class of threats called “LLM Scope Violations,” which could affect other AI agents beyond Microsoft 365 Copilot.
- Security experts recommend enterprises strengthen prompt injection defenses, enforce granular input scoping and post-processing filters, and pursue a fundamental redesign of AI agent architectures.