Skip to main content

Terrifying AI Vulnerability 'EchoLeak' Discovered: Microsoft 365 Copilot Hacked

[HPP] Simon WillisonJune 12, 202525 min
33 connections·40 entities in this video

Understanding EchoLeak: A Critical AI Vulnerability

  • 💡 EchoLeak is the first weaponizable, zero-click AI vulnerability discovered by Aim Labs, requiring no user interaction.
  • 🎯 It allows attackers to automatically exfiltrate sensitive data from Microsoft 365 Copilot, including chat history, OneDrive, SharePoint, and Teams conversations.
  • 🔑 Microsoft assigned a critical CVE rating (CVE-2025-32711) to this flaw, confirming its severe impact.

How the Attack Works

  • 🧠 A single malicious email containing hidden prompt injection instructions triggers the attack without the user opening it.
  • ⚡ The vulnerability exploits a fundamental design flaw in LLMs, which cannot distinguish between trusted internal data and malicious external instructions once processed.
  • 🔬 This is termed "LLM Scope Violation," where untrusted inputs gain access to privileged organizational data, bypassing existing safeguards.
  • ⚠️ Attackers used techniques like RAG spraying and disguised instructions to bypass Microsoft's XPIA classifiers and automated detection systems.

Broader Implications for AI Security

  • 📈 EchoLeak highlights that current AI security frameworks are fundamentally inadequate for novel attack patterns.
  • 🌐 This architectural vulnerability affects all RAG-based AI systems, not just Microsoft, posing risks to other AI agents like Anthropic and ChatGPT.
  • 🚨 The incident reveals that AI systems, designed to break down information silos, also break down traditional security boundaries, making every email and document a potential attack vector.

Recommendations for Organizations

  • ✅ Organizations using AI agents that process external inputs should assume they are vulnerable and implement AI-specific security measures.
  • 🛠️ This includes granular input scoping, post-processing output filters, and independent security assessments of AI implementations.
  • ⚠️ Relying solely on AI vendor security assurances is insufficient, necessitating internal audits to identify and mitigate prompt injection risks.
Knowledge graph40 entities · 33 connections

How they connect

An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.

Hover · drag to explore
40 entities
Chapters13 moments

Key Moments

Transcript96 segments

Full Transcript

Topics15 themes

What’s Discussed

EchoLeakAI vulnerabilityZero-click attackMicrosoft 365 CopilotPrompt injectionData exfiltrationLLM Scope ViolationRAG systemsCVE-2025-32711AI agentsEnterprise securitySQL injectionXPIASecurity frameworksPrinciple of Least Privilege
Smart Objects40 · 33 links
Concepts· 18
Companies· 10
Products· 6
People· 3
Medias· 3