{"slug": "echoleak-exposes-data-via-microsoft-365-copilot", "title": "EchoLeak exposes data via Microsoft 365 Copilot", "summary": "Aim Security researchers disclosed CVE-2025-32711, a critical zero-click indirect prompt injection vulnerability in Microsoft 365 Copilot that allows attackers to exfiltrate sensitive data via crafted emails. Microsoft patched the flaw server-side in June 2025 with no customer action required.", "body_md": "CVE-2025-32711, dubbed 'EchoLeak' or 'Copilot SearchLeak,' is a zero-click indirect prompt injection vulnerability in Microsoft 365 Copilot disclosed by Aim Security researchers Pavan Reddy and Aditya Sanjay Gujral in June 2025. Rated critical (CVSS 9.3) by Microsoft, the flaw affects Copilot integrations across Word, Excel, PowerPoint, Outlook, and Teams. The attack embeds hidden prompts in a crafted email; when Copilot retrieves that email via its RAG context, it executes attacker-controlled instructions and exfiltrates sensitive data - chat logs, OneDrive files, SharePoint content, or Teams messages - to an attacker server, with no user interaction required. The exploit bypasses Microsoft's XPIA (Cross-Prompt Injection Attempt) classifier, link redaction, and Content Security Policy via an allowlisted Teams image proxy. Microsoft issued a server-side patch in June 2025 and confirmed no customer action is required and no known in-the-wild exploitation. Aim Security published a full academic case study at the AAAI Fall Symposium 2025.", "url": "https://wpnews.pro/news/echoleak-exposes-data-via-microsoft-365-copilot", "canonical_source": "https://letsdatascience.com/news/echoleak-exposes-data-via-microsoft-365-copilot-1fd222bf", "published_at": "2026-06-26 23:15:43+00:00", "updated_at": "2026-06-27 00:08:50.335663+00:00", "lang": "en", "topics": ["ai-safety", "large-language-models", "ai-products", "ai-infrastructure"], "entities": ["Microsoft", "Aim Security", "Pavan Reddy", "Aditya Sanjay Gujral", "Microsoft 365 Copilot", "Word", "Excel", "Outlook"], "alternates": {"html": "https://wpnews.pro/news/echoleak-exposes-data-via-microsoft-365-copilot", "markdown": "https://wpnews.pro/news/echoleak-exposes-data-via-microsoft-365-copilot.md", "text": "https://wpnews.pro/news/echoleak-exposes-data-via-microsoft-365-copilot.txt", "jsonld": "https://wpnews.pro/news/echoleak-exposes-data-via-microsoft-365-copilot.jsonld"}}