
EchoLeak exposes data via Microsoft 365 Copilot

Relevance Score: 7.2

CVE-2025-32711, dubbed 'EchoLeak' or 'Copilot SearchLeak,' is a zero-click indirect prompt injection vulnerability in Microsoft 365 Copilot disclosed by Aim Security researchers Pavan Reddy and Aditya Sanjay Gujral in June 2025. Rated critical (CVSS 9.3) by Microsoft, the flaw affects Copilot integrations across Word, Excel, PowerPoint, Outlook, and Teams. The attack embeds hidden prompts in a crafted email; when Copilot retrieves that email via its RAG context, it executes attacker-controlled instructions and exfiltrates sensitive data - chat logs, OneDrive files, SharePoint content, or Teams messages - to an attacker server, with no user interaction required. The exploit bypasses Microsoft's XPIA (Cross-Prompt Injection Attempt) classifier, link redaction, and Content Security Policy via an allowlisted Teams image proxy. Microsoft issued a server-side patch in June 2025 and confirmed that no customer action is required and that there is no known in-the-wild exploitation. Aim Security published a full academic case study at the AAAI Fall Symposium 2025.

What happened

Aim Security researchers Pavan Reddy and Aditya Sanjay Gujral disclosed CVE-2025-32711, labelled "EchoLeak" or "Copilot SearchLeak," in June 2025 - a zero-click indirect prompt injection vulnerability in Microsoft 365 Copilot across Word, Excel, PowerPoint, Outlook, and Teams. Microsoft's Security Response Center classified it as critical (CVSS 9.3), describing it as "AI command injection in M365 Copilot." A server-side patch was deployed in June 2025 as part of that month's Patch Tuesday update; no customer action is required. No confirmed in-the-wild exploitation has been reported.

Attack chain

An attacker sends a crafted email containing a hidden prompt payload - rendered invisible to users via techniques such as white-on-white text or HTML comments. When the target asks Copilot a question that causes it to retrieve that email through its RAG (retrieval-augmented generation) context, Copilot executes the attacker's embedded instructions, directing it to collect and exfiltrate sensitive material - including prior chat logs, OneDrive and SharePoint files, and Teams messages - to an attacker-controlled server. No user interaction beyond ordinary Copilot usage is required.
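The hiding techniques named above (white-on-white text, HTML comments) can be checked for at ingestion, before an email body reaches the retrieval index. The following Python is an added example, not code from Microsoft or Aim Security; it is a heuristic over inline styles only, and `split_email`, the reason labels and the sample email body are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}
NON_RENDERED = {"script", "style", "head", "title", "template"}
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}

def hidden_reason(tag, style):
    """Heuristic: why a reader would not see text inside this element, or None."""
    if tag in NON_RENDERED:
        return "non-rendered-element"
    s = ";" + re.sub(r"\s+|!important", "", style.lower()) + ";"
    if re.search(r";(display:none|visibility:hidden|font-size:0(px|pt|em|%)?);", s):
        return "css-hidden"
    fg, bg = re.search(r";color:([^;]+);", s), re.search(r";background(-color)?:([^;]+);", s)
    bg_value = bg.group(2) if bg else "white"  # assumption: undeclared background is white
    if fg and (fg.group(1) == bg_value or {fg.group(1), bg_value} <= WHITE):
        return "text-matches-background"
    return None

class EmailSplitter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open, self.spans = [], []  # open (tag, reason) stack; (reason, text) spans
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:  # void elements never get an end tag
            self.open.append((tag, hidden_reason(tag, dict(attrs).get("style") or "")))
    def handle_endtag(self, tag):
        for i in range(len(self.open) - 1, -1, -1):  # tolerate unclosed children
            if self.open[i][0] == tag:
                del self.open[i:]
                break
    def handle_data(self, data):
        if data.strip():  # text inherits the nearest hidden ancestor's reason
            reason = next((r for _, r in reversed(self.open) if r), None)
            self.spans.append((reason, data.strip()))
    def handle_comment(self, data):
        self.spans.append(("html-comment", data.strip()))

def split_email(html):
    parser = EmailSplitter()
    parser.feed(html)
    parser.close()
    return " ".join(t for r, t in parser.spans if r is None), [s for s in parser.spans if s[0]]

SAMPLE = ('<p>Q3 figures attached.</p><!-- placeholder comment text -->'  # constructed email body
          '<div style="color: #FFF; font-size:1px"><b>placeholder hidden text</b></div><p>Regards</p>')
```

`split_email(SAMPLE)` returns the reader-visible text for indexing and a list of `(reason, text)` spans that can be logged or used to quarantine the message.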

Bypass techniques

The researchers chained four distinct bypasses to make the attack work:

  • evading the XPIA (Cross-Prompt Injection Attempt) classifier by phrasing injected instructions as user-facing content without explicit AI references
  • circumventing link redaction using reference-style Markdown
  • exploiting auto-fetched images to establish an outbound data channel
  • abusing an allowlisted Microsoft Teams image proxy to escape Content Security Policy restrictions

The combination achieved full privilege escalation across LLM trust boundaries without user interaction.

Practitioner implications

EchoLeak is significant as the first known prompt injection achieving concrete data exfiltration in a production AI system - not just a proof-of-concept. RAG pipelines that ingest user-owned content from shared environments (email, documents, collaboration platforms) inherit trust-boundary risk from every source retrieved. Aim Security's recommended mitigations include prompt partitioning, provenance-based access control, enhanced input/output filtering, and strict CSP rules that do not allow proxy-forwarded image requests. Tenants using M365 Copilot on the patched server-side infrastructure are protected; analogous bypass classes remain a concern for other RAG-enabled enterprise AI assistants.
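One way to apply the output-filtering and no-proxy-forwarding mitigations to model output before a client renders it, covering both inline and reference-style Markdown. This is an added example, not code from Microsoft or Aim Security; the allowlisted hosts, the function names and the sample output are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts the chat client may load from (placeholders, not Microsoft's list).
ALLOWED_HOSTS = {"assets.example-tenant.test", "imgproxy.example-tenant.test"}
INLINE = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")
REF_USE = re.compile(r"(!?)\[([^\]]*)\]\[([^\]]*)\]")
REF_DEF = re.compile(r"^[ ]{0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t]+.*)?$", re.M)
EMBEDDED_URL = re.compile(r"^(?:https?:)?//", re.I)

def url_verdict(url):
    """Return None if the URL may be rendered, else the reason it is blocked."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https") or (parts.hostname or "") not in ALLOWED_HOSTS:
        return "host-not-allowlisted"
    # An allowlisted host handed another URL as a parameter is acting as a forwarder.
    if any(EMBEDDED_URL.match(value) for _, value in parse_qsl(parts.query)):
        return "proxy-forwarded"
    return None

def sanitize(markdown):
    """Replace links/images that point at blocked URLs with their plain text."""
    findings = []
    defs = {m.group(1).strip().lower(): m.group(2) for m in REF_DEF.finditer(markdown)}

    def check(m, url, prefix=""):
        reason = url_verdict(url)
        if reason is None:
            return m.group(0)
        findings.append((prefix + ("image" if m.group(1) else "link"), reason, url))
        return m.group(2) or "[removed]"

    def ref(m):  # full [text][label] and collapsed [label][] forms
        label = (m.group(3) or m.group(2)).strip().lower()
        return check(m, defs[label], "ref-") if label in defs else m.group(0)

    out = INLINE.sub(lambda m: check(m, m.group(3)), markdown)
    out = REF_USE.sub(ref, out)
    # Drop blocked definitions too, so a shortcut reference cannot resolve them later.
    out = REF_DEF.sub(lambda m: m.group(0) if url_verdict(m.group(2)) is None else "", out)
    return out, findings

SAMPLE = (  # constructed model output; all hosts are placeholders
    "Done. ![chart][r1] See [the guide][r2] and ![logo](https://assets.example-tenant.test/l.png)\n\n"
    "[r1]: https://imgproxy.example-tenant.test/fetch?url=https%3A%2F%2Fcollector.invalid%2Fp.png\n"
    "[r2]: https://docs.outside.invalid/guide\n")
```

The forwarding check inspects query parameters only; a proxy that takes its target in the path needs its own rule.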

What to watch

Adoption of provenance-based access control as a defense-in-depth standard; XPIA classifier improvements across vendors; and similar indirect prompt injection CVEs in other enterprise AI copilots that ingest shared organizational content.

Key Points

  • CVE-2025-32711 (EchoLeak, CVSS 9.3) let attackers exfiltrate Copilot data via hidden email prompts with no user interaction.
  • Aim Security chained four bypasses - XPIA classifier, link redaction, auto-fetched images, Teams CSP proxy - to execute the attack.
  • RAG pipelines that ingest user-owned email and file content inherit trust-boundary risks applicable to any enterprise AI copilot.

Scoring Rationale

CVE-2025-32711 (EchoLeak) represents the first known zero-click prompt injection achieving concrete data exfiltration in a production LLM system (CVSS 9.3, critical), with high practitioner relevance for enterprise AI security and RAG deployment risk. Microsoft's server-side June 2025 patch and absence of confirmed in-the-wild exploitation moderate immediate urgency, and this is now a year-old patched vulnerability surfacing via a forum discussion rather than fresh advisory coverage - landing at 7.2 rather than the upper notable range.
