Terrifying AI Vulnerability 'EchoLeak' Discovered: Microsoft 365 Copilot Hacked
[HPP] Simon WillisonJune 12, 202525 min
33 connections·40 entities in this video→Understanding EchoLeak: A Critical AI Vulnerability
- 💡 EchoLeak is the first weaponizable, zero-click AI vulnerability discovered by Aim Labs, requiring no user interaction.
- 🎯 It allows attackers to automatically exfiltrate sensitive data from Microsoft 365 Copilot, including chat history, OneDrive, SharePoint, and Teams conversations.
- 🔑 Microsoft assigned a critical CVE rating (CVE-2025-32711) to this flaw, confirming its severe impact.
How the Attack Works
- 🧠 A single malicious email containing hidden prompt injection instructions triggers the attack without the user opening it.
- ⚡ The vulnerability exploits a fundamental design flaw in LLMs, which cannot distinguish between trusted internal data and malicious external instructions once processed.
- 🔬 This is termed "LLM Scope Violation," where untrusted inputs gain access to privileged organizational data, bypassing existing safeguards.
- ⚠️ Attackers used techniques like RAG spraying and disguised instructions to bypass Microsoft's XPIA classifiers and automated detection systems.
Broader Implications for AI Security
- 📈 EchoLeak highlights that current AI security frameworks are fundamentally inadequate for novel attack patterns.
- 🌐 This architectural vulnerability affects all RAG-based AI systems, not just Microsoft, posing risks to other AI agents like Anthropic and ChatGPT.
- 🚨 The incident reveals that AI systems, designed to break down information silos, also break down traditional security boundaries, making every email and document a potential attack vector.
Recommendations for Organizations
- ✅ Organizations using AI agents that process external inputs should assume they are vulnerable and implement AI-specific security measures.
- 🛠️ This includes granular input scoping, post-processing output filters, and independent security assessments of AI implementations.
- ⚠️ Relying solely on AI vendor security assurances is insufficient, necessitating internal audits to identify and mitigate prompt injection risks.
Knowledge graph40 entities · 33 connections
How they connect
An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.
Hover · drag to explore
40 entities
Chapters13 moments
Key Moments
Transcript96 segments
Full Transcript
Topics15 themes
What’s Discussed
EchoLeakAI vulnerabilityZero-click attackMicrosoft 365 CopilotPrompt injectionData exfiltrationLLM Scope ViolationRAG systemsCVE-2025-32711AI agentsEnterprise securitySQL injectionXPIASecurity frameworksPrinciple of Least Privilege
Smart Objects40 · 33 links
Concepts· 18
Companies· 10
Products· 6
People· 3
Medias· 3