Microsoft Copilot Flaw Could Have Let Hackers Steal Data with a Single Email

A critical zero-click vulnerability in Microsoft’s Copilot AI assistant could have allowed attackers to exfiltrate sensitive organisational data—without users clicking a thing.

Dubbed EchoLeak and tracked as CVE-2025-32711, the flaw is believed to be the first-ever zero-click exploit targeting an AI agent. Researchers at Aim Security, who discovered the issue, say it posed a serious threat to Microsoft 365 users by enabling attackers to hijack Copilot using only a well-crafted email.

“This vulnerability demonstrates how attackers can automatically extract the most sensitive information from Microsoft 365 Copilot without any user interaction,” said Adir Gruss, CTO of Aim Security.

The flaw exploited a so-called “LLM scope violation,” where malicious input from outside an organisation could trick the AI into accessing privileged content. At risk were OneDrive files, SharePoint documents, Teams chats, and historical Copilot interactions—essentially anything within the AI’s scope.

According to Aim Security, the vulnerability existed in Copilot’s default settings, potentially placing most customers at risk until a recent fix was deployed. However, there’s currently no evidence the flaw was exploited in the wild.

Microsoft thanked Aim for its responsible disclosure and confirmed the vulnerability has been fully mitigated, with no user action required. It also announced the rollout of broader “defence-in-depth” protections to strengthen AI security.

Jeff Pollard, VP at Forrester, said the discovery highlights long-standing concerns about the emerging risks of AI agents in enterprise environments.

As Copilot and other AI tools become embedded in business systems, security researchers warn that “silent” attacks like EchoLeak could become more common—and more dangerous.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543