Breachwire.riscent

Breach report

EchoLeak: the first zero-click data theft from a production AI assistant

AI & LLM BreachesCritical (CVSS 9.3)CVE-2025-327112025-06
The bottom lineA single crafted email with hidden instructions made Microsoft 365 Copilot exfiltrate a user's data with zero clicks — the first real-world zero-click prompt-injection data theft in a production AI assistant.
Category
AI & LLM Breaches
Type
CVE · Named incident (Microsoft 365 Copilot)
Date
2025-06
Severity
Critical (CVSS 9.3)
OWASP
LLM01 Prompt Injection; LLM05 Improper Output Handling
CWE / CVE
CWE-77 CVE-2025-32711

What happened

Microsoft 365 Copilot is an AI assistant wired into a user's email, Teams chats, SharePoint, and OneDrive. Researchers at Aim Labs disclosed a vulnerability, tracked as CVE-2025-32711 and nicknamed EchoLeak, that turned that reach into an exfiltration channel — with no action required from the victim.

The attack began with an ordinary-looking email containing instructions hidden from the human reader (for example, text styled to be invisible or placed in markup the user never sees). The victim never clicked a link or opened an attachment. Later, when the user asked Copilot a normal work question, Copilot's retrieval step pulled the malicious email into the model's context. The model followed the hidden instructions and composed a response that referenced an image whose URL pointed at an attacker-controlled server. The browser automatically fetched that image — and in doing so, silently sent sensitive context out of the tenant. Microsoft remediated the issue server-side.

Root cause

Two failures stacked, one per OWASP LLM category:

  • LLM01 Prompt Injection (indirect). The model could not reliably separate trusted instructions from untrusted content that arrived through retrieval. Once the attacker's email was in context, its hidden text was treated as if it were a legitimate instruction — the same trust-boundary failure that SQL injection represents for databases.
  • LLM05 Improper Output Handling. The output layer permitted a model-authored URL (an auto-fetching image) to reach an arbitrary external host, providing the channel that carried the data out.

How it would have been caught

An AI red-team run — using a tool such as Garak, PyRIT, or Promptfoo — with an indirect-injection-through-retrieved-content probe would have surfaced the behavior before release. So would an output classifier that flags model-generated URLs or images pointing at non-allowlisted hosts. The reproduction is straightforward: place a hidden-instruction document into the retrieval corpus, ask a benign question, and watch for any outbound request to an attacker host.

How to prevent it

  • Deliver retrieved and untrusted content to the model only inside tool_result blocks, JSON-encoded and labelled by source, so the model treats it with skepticism.
  • Screen tool outputs with a lightweight classifier before the agent acts on them.
  • Close the exfiltration channel: strip or deny model-emitted images and links to non-allowlisted domains, and never auto-fetch a URL the model authored.

The Breachwire test (red → green)

Inject a hidden-instruction document into the RAG corpus and confirm the exploit fires (data leaves to an attacker host) — the RED control that proves the vector is real. Apply the containment above, then confirm the same payload no longer exfiltrates, while a benign query still returns a correct, cited answer (the positive control that stops a deny-everything "fix" from faking success).