Critical Zero-Click Vulnerability in Microsoft Copilot Could Have Exposed Sensitive Data
Researchers at Aim Security disclosed a critical zero-click vulnerability in Microsoft’s Copilot AI tool, identified as CVE-2025-32711 and dubbed EchoLeak, which could have allowed attackers to steal sensitive organizational data without any user interaction. The flaw, the first known zero-click exploit targeting an AI agent, was patched by Microsoft following coordinated disclosure.
The vulnerability stemmed from an "LLM scope violation", where untrusted external input could manipulate Copilot into accessing and exfiltrating privileged data. At risk were files and communications within Microsoft 365, including chat histories, OneDrive documents, SharePoint content, Teams conversations, and preloaded organizational data. While most organizations were exposed under Copilot’s default configuration, there is no evidence the flaw was exploited in the wild.
Microsoft addressed the issue in a recent update, stating that no further customer action is required. The company also implemented additional defense-in-depth measures to bolster security. Aim Security’s CTO, Adir Gruss, emphasized the significance of the discovery, noting that it demonstrated how attackers could automatically extract sensitive information without user engagement.
Forrester analyst Jeff Pollard highlighted the broader security risks of AI agents, warning that their access to email, scheduling, and other functions makes them prime targets for exploitation. Microsoft acknowledged the research, confirming the vulnerability was resolved before any customer impact occurred.
Source: https://www.cybersecuritydive.com/news/flaw-microsoft-copilot-zero-click-attack/750456/
AIVENTU | Microsoft Partner cybersecurity rating report: https://www.rankiteo.com/company/aiventu
"id": "AIV1765250761",
"linkid": "aiventu",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Most organizations using '
'Microsoft 365 Copilot (default '
'configuration)',
'industry': 'Software & Cloud Services',
'location': 'Global',
'name': 'Microsoft',
'size': 'Enterprise',
'type': 'Technology Company'}],
'attack_vector': 'Zero-click email-based attack',
'data_breach': {'data_exfiltration': 'Possible (via zero-click attack)',
'personally_identifiable_information': 'Potential (if '
'included in '
'compromised data)',
'sensitivity_of_data': 'High (privileged and sensitive '
'business data)',
'type_of_data_compromised': 'Chat histories, documents, '
'conversations, organizational '
'data'},
'date_publicly_disclosed': '2025-06-11',
'date_resolved': '2025-06-11',
'description': 'A recently fixed critical vulnerability in Microsoft’s '
'Copilot AI tool could have let a remote attacker steal '
'sensitive data from an organization simply by sending an '
'email. The vulnerability, dubbed EchoLeak (CVE-2025-32711), '
'represents the first known zero-click attack on an AI agent, '
'allowing hackers to exfiltrate sensitive information without '
"user interaction by exploiting an 'LLM scope violation.'",
'impact': {'data_compromised': 'Chat histories, OneDrive documents, '
'SharePoint content, Teams conversations, '
'preloaded organizational data',
'identity_theft_risk': 'High (if PII was exposed)',
'systems_affected': 'Microsoft 365 Copilot'},
'investigation_status': 'Resolved',
'lessons_learned': 'AI agents like Microsoft Copilot can be exploited via '
'zero-click attacks, highlighting the need for robust '
'security measures in AI integrations. Default '
'configurations may leave organizations vulnerable.',
'post_incident_analysis': {'corrective_actions': 'Microsoft patched the '
'vulnerability and '
'implemented additional '
'security measures to '
'prevent similar issues.',
'root_causes': 'LLM scope violation allowing '
'untrusted input to access '
'privileged data'},
'recommendations': 'Organizations should review AI tool configurations, '
'implement defense-in-depth security measures, and monitor '
'for unusual AI agent behavior. Vendors should proactively '
'test for LLM scope violations and similar '
'vulnerabilities.',
'references': [{'date_accessed': '2025-06-11',
'source': 'Aim Security Blog Post'},
{'date_accessed': '2025-06-11', 'source': 'Microsoft Advisory'},
{'date_accessed': '2025-06-11',
'source': 'Cybersecurity Dive'}],
'response': {'communication_strategy': 'Microsoft issued an advisory stating '
'no further action was necessary by '
'customers',
'containment_measures': 'Microsoft released patches and '
'mitigations',
'remediation_measures': 'Microsoft updated products to mitigate '
'the issue and implemented '
'defense-in-depth measures',
'third_party_assistance': 'Aim Security (researchers)'},
'stakeholder_advisories': 'Microsoft advised customers that no further action '
'was necessary after the patch was applied.',
'title': 'EchoLeak: Zero-Click Vulnerability in Microsoft Copilot AI Tool',
'type': 'Data Breach Vulnerability',
'vulnerability_exploited': 'LLM scope violation (CVE-2025-32711)'}