0-Click Vulnerability in Microsoft 365 Copilot Exposes Sensitive Data via Teams

Security researchers have uncovered the first-ever zero-click vulnerability in an AI agent, targeting Microsoft 365 Copilot and potentially exposing sensitive organizational data through a sophisticated attack chain dubbed “EchoLeak.”

The critical flaw, assigned CVE-2025-32711 with a CVSS score of 9.3, represents a groundbreaking discovery in AI security that required no user interaction to execute.

Discovered by Aim Security in January 2025 and disclosed after Microsoft’s fix in May, EchoLeak demonstrates how attackers can automatically exfiltrate sensitive information from Microsoft 365 environments simply by sending a crafted email.

The vulnerability affects Microsoft 365 Copilot’s Retrieval-Augmented Generation (RAG) system, which processes organizational data, including emails, OneDrive documents, SharePoint content, and Teams conversations.

The EchoLeak attack chain exploits what researchers term an “LLM Scope Violation,” where untrusted external input manipulates the AI model to access privileged internal data.

The attack begins with bypassing ...