First Known Zero-Click AI Exploit: Microsoft 365 Copilot’s ‘EchoLeak’ Flaw


Security researchers uncovered “EchoLeak,” a zero-click flaw in Microsoft 365 Copilot, exposing sensitive data without user action. Microsoft has mitigated the vulnerability.

Security researchers at AIM Security have disclosed a serious zero-click vulnerability dubbed “EchoLeak.” The flaw targets the AI-powered Microsoft 365 Copilot and allows attackers to exfiltrate private data from a user’s organizational environment simply by sending a carefully crafted email.

In a report published this week, AIM Security stated that this is the first known “zero-click” AI exploit affecting a major application such as Microsoft 365 Copilot, meaning the victim does not need to take any action for the attack to succeed.

“The chains allow attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot context, without the user’s awareness, or relying on any specific victim behavior,” AIM Security explained.

This is made possible by what the researchers call an “LLM Scope Violation.” In simpler terms, the flaw tricks ...


Copyright of this story solely belongs to techrepublic.com.