Microsoft 365 Copilot Faces ‘EchoLeak’, a Critical AI Security Breach

Security Alert: Cybersecurity researchers have disclosed a critical vulnerability in Microsoft 365 Copilot. The flaw could have allowed attackers to steal sensitive data through a “zero-click” attack, and it is the first known vulnerability of this type targeting an AI agent system.

The flaw, designated CVE-2025-32711 and dubbed “EchoLeak” by researchers at Aim Security, carried a CVSS severity score of 9.3. It enabled attackers to exfiltrate confidential information without any user interaction, including:

  • Chat logs
  • OneDrive files
  • SharePoint content
  • Teams messages

The attack exploited what the researchers called an “LLM Scope Violation”: a condition in which external, untrusted input manipulates the AI model into accessing and leaking confidential data.
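The defensive control implied by the term “scope violation” is that data retrieved for a model must never be more privileged than the input that drove the request. The following is an added illustration of that rule, not Microsoft's code and not a reconstruction of the EchoLeak attack; the trust domains, chunk objects, sources and sample messages are all constructed for the example.

```python
"""Illustrative scope-enforcement check for an LLM assistant pipeline.

Hypothetical example: it models the "LLM Scope Violation" idea from the
article as a policy check. Content from an untrusted source (e.g. inbound
external mail) must not be able to pull privileged tenant data into the
same model context. Nothing here is Microsoft's implementation.
"""
from dataclasses import dataclass

# Constructed trust domains, least privileged first.
EXTERNAL = "external"   # e.g. mail arriving from outside the tenant
INTERNAL = "internal"   # tenant data: chat logs, OneDrive, SharePoint, Teams
TRUST_RANK = {EXTERNAL: 0, INTERNAL: 1}


@dataclass(frozen=True)
class Chunk:
    """A piece of text the assistant may place into the model context."""
    text: str
    source: str   # provenance label used for audit records
    domain: str   # EXTERNAL or INTERNAL


def floor_domain(chunks):
    """Lowest-trust domain among the chunks that drive a request.

    If untrusted external content is part of what triggers the request,
    the whole request is treated as external-scoped.
    """
    return min((c.domain for c in chunks), key=TRUST_RANK.__getitem__)


def enforce_scope(trigger, retrieved):
    """Keep only retrieved chunks no more privileged than the trigger.

    Returns (allowed, audit). `audit` holds one record per dropped chunk,
    shaped so it can be forwarded to a SIEM as a detection signal.
    """
    trigger_domain = floor_domain(trigger)
    limit = TRUST_RANK[trigger_domain]
    allowed, audit = [], []
    for chunk in retrieved:
        if TRUST_RANK[chunk.domain] <= limit:
            allowed.append(chunk)
        else:
            audit.append({
                "event": "scope_violation_blocked",
                "source": chunk.source,
                "domain": chunk.domain,
                "trigger_domain": trigger_domain,
            })
    return allowed, audit


# Constructed sample data; not real tenant content.
INBOUND_MAIL = Chunk("Please summarise the attached proposal.", "mail:ext-123", EXTERNAL)
VENDOR_PDF = Chunk("Vendor proposal text", "mail:ext-123/attachment", EXTERNAL)
USER_PROMPT = Chunk("What did Alice say in Teams about Q3?", "user:alice", INTERNAL)
TEAMS_MSG = Chunk("Q3 numbers are confidential until Friday.", "teams:chan-7", INTERNAL)
SHAREPOINT_DOC = Chunk("Internal roadmap v2", "sharepoint:doc-9", INTERNAL)


def demo():
    """Two requests: one driven by external mail, one typed by a tenant user."""
    external_case = enforce_scope([INBOUND_MAIL], [TEAMS_MSG, SHAREPOINT_DOC, VENDOR_PDF])
    internal_case = enforce_scope([USER_PROMPT], [TEAMS_MSG, SHAREPOINT_DOC])
    return external_case, internal_case


if __name__ == "__main__":
    (ext_allowed, ext_audit), (int_allowed, int_audit) = demo()
    print("external-triggered request kept:", [c.source for c in ext_allowed])
    print("blocked:", ext_audit)
    print("user-triggered request kept:", [c.source for c in int_allowed])
```

The important behaviour is the floor rule in `floor_domain`: when a user prompt and an external message together make up the request, the request is scoped as external and internal chunks are withheld, which is the condition the article describes. The audit records give a detection team a concrete event to alert on rather than relying on the model to refuse.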

Microsoft has confirmed that the issue has been fully resolved and requires no customer action. “We appreciate Aim Labs for identifying and responsibly reporting this issue so it could be addressed before our customers were impacted,” a Microsoft spokesperson stated.

Source: Fortune
