‘EchoLeak’ AI Attack Enabled Theft of Sensitive Data via Microsoft 365 Copilot
securityweek
Microsoft 365 Copilot was until recently vulnerable to an attack method that could have been leveraged by threat actors to obtain sensitive information, AI security firm Aim Security reported on Wednesday.
The zero-click attack, dubbed EchoLeak and involving a vulnerability tracked as CVE-2025-32711, enabled attackers to get Copilot to automatically exfiltrate potentially valuable information from a targeted user or organization without requiring user interaction.
Microsoft on Wednesday published an advisory for the vulnerability, which it described as ‘AI command injection in M365 Copilot’ and classified as ‘critical’, but informed customers that a patch has been implemented on the server side and no customer action is required.
Microsoft 365 Copilot is a productivity assistant designed to enhance the way users interact with applications such as Word, PowerPoint and Outlook. Copilot can query emails, extracting and managing information from the user’s inbox.
The EchoLeak attack involves sending a specially crafted ...