Hackers could make Copilot leak your data—just by an email
What's the story
Researchers have discovered a critical security flaw in Microsoft Copilot, an artificial intelligence (AI) agent integrated into Office apps like Word, Excel, Outlook, and Teams.
The vulnerability was dubbed "EchoLeak" and allowed hackers to steal sensitive data from a user's environment through an email.
No clicks or user actions were required for this attack.
Attack details
How the EchoLeak attack worked
The EchoLeak attack exploited how Microsoft 365 Copilot processes information from emails and documents when answering user queries.
An attacker would send a seemingly normal business email containing hidden instructions for the AI assistant.
When the user later asked a related question, Copilot would retrieve the earlier email thinking it was relevant to the query, activating these hidden instructions that silently directed it to extract internal data.
Evasion tactics
Data could be exfiltrated without any user interaction
The hidden instructions would then be used to extract internal data and place it in a link or image.
When the email was displayed, the embedded link would automatically be accessed by the browser, sending internal data to the attacker's server without the user realizing anything was wrong.
Although Microsoft uses Content Security Policies (CSP) to block requests to unknown websites, services like Microsoft Teams and SharePoint are trusted by default, allowing attackers to bypass certain defenses.
New threat
Introduction to LLM scope violations
EchoLeak isn't just a software bug; it introduces a new class of threats known as Large Language Model (LLM) Scope Violations.
These refer to flaws in how large language models handle and leak information without direct user instruction.
Aim Labs, the team that discovered this vulnerability, warned that such flaws are particularly dangerous in enterprise environments where AI agents are deeply integrated into internal systems.
Company response
Microsoft has released a fix for the vulnerability
Microsoft has labeled the EchoLeak vulnerability as critical, assigned it CVE-2025-32711, and released a server-side fix in May.
The company assured customers that no exploit had taken place and that the issue is now resolved.
"The increasing complexity and deeper integration of LLM applications into business workflows are already overwhelming traditional defenses," Aim Labs's report warned.