{"slug": "microsoft-patches-critical-vulnerability-in-m365-copilot-that-allowed-silent", "title": "Microsoft patches critical vulnerability in M365 Copilot that allowed silent data theft", "summary": "Microsoft patched a critical vulnerability in M365 Copilot, tracked as CVE-2025-32711 and dubbed EchoLeak, that allowed attackers to steal sensitive data including 2FA codes via a single malicious email without user interaction. Discovered by Aim Security and disclosed in January 2025, the server-side fix was deployed by May 2025 with no known exploitation before the patch. The flaw highlights ongoing prompt injection risks in AI systems, with implications for crypto and Web3 integrations.", "body_md": "# Microsoft patches critical vulnerability in M365 Copilot that allowed silent data theft\n\nA single malicious email could exfiltrate 2FA codes, documents, and chat histories from Microsoft 365 Copilot without any user interaction.\n\nMicrosoft quietly fixed a vulnerability rated maximum critical in its M365 Copilot AI platform last Tuesday. The flaw, discovered by security firm Aim Security, allowed attackers to steal sensitive data, including two-factor authentication codes, from emails accessible to Copilot using nothing more than a single carefully crafted message.\n\nThe vulnerability, tracked as CVE-2025-32711 and dubbed “EchoLeak,” carried a CVSS severity score of 9.3 out of 10.\n\n## How EchoLeak worked\n\nThe attack required zero clicks from the victim. An attacker could send a malicious email that, when processed by Copilot, would trick the AI into exfiltrating organizational data: emails, documents, chat histories, the works. 
The proof-of-concept exploit demonstrated by Aim Security showed automatic data theft triggered simply by Copilot summarizing or interacting with the poisoned message.\n\nThe attack bypassed Microsoft’s existing defenses, including cross-prompt injection classifiers and external link redactions.\n\nAim Security discovered and responsibly disclosed the vulnerability to Microsoft in January 2025. Microsoft deployed server-side fixes by May 2025, meaning no customer action was required. The company confirmed it had no awareness of any affected customers or malicious exploitation before the patch was applied.\n\nPublic disclosure of the vulnerability began emerging around June 11-12, with the researchers revealing their proof-of-concept exploit on Monday.\n\n## A recurring pattern in AI security\n\nThe fundamental architecture of LLMs, which process all text in a unified context window, makes it extraordinarily difficult to enforce a security boundary between trusted instructions and untrusted data. Microsoft 365 Copilot integrates large language models with enterprise data sources through Retrieval-Augmented Generation (RAG), and the EchoLeak vulnerability demonstrated how attacker-controlled content in a user’s mailbox could manipulate Copilot into unauthorized disclosures without any user action.\n\nThe zero-click nature of the attack makes it particularly concerning for enterprise environments. Organizations deploying M365 Copilot across thousands of employees were potentially exposed without any single user needing to make a mistake. The attack surface was simply “receiving an email.”\n\n## What this means for crypto and Web3\n\nThe crypto industry has been rapidly integrating AI agents into its infrastructure. On-chain AI agents, automated trading bots, AI-powered wallet interfaces, and large language model integrations for DeFi protocols are proliferating. 
Every one of these implementations faces the same fundamental prompt injection problem that EchoLeak exploited.\n\nIf an AI agent managing on-chain transactions can be tricked into following malicious instructions embedded in data it processes, the consequences extend beyond data exfiltration to direct financial loss, including the ability to move funds, sign transactions, or interact with smart contracts.\n\nIn crypto, where code is often open source and transactions are irreversible, the window between discovery and exploitation tends to be much narrower than in enterprise environments where responsible disclosure and rapid patching contained EchoLeak’s impact.\n\n**Disclosure:** This article was edited by Editorial Team. For more information on how we create and review content, see our [Editorial Policy](https://cryptobriefing.com/editorial-policy/).", "url": "https://wpnews.pro/news/microsoft-patches-critical-vulnerability-in-m365-copilot-that-allowed-silent", "canonical_source": "https://cryptobriefing.com/microsoft-patches-critical-m365-copilot-vulnerability/", "published_at": "2026-06-16 11:22:38+00:00", "updated_at": "2026-06-16 11:50:28.265645+00:00", "lang": "en", "topics": ["ai-safety", "large-language-models", "ai-products", "ai-infrastructure", "ai-ethics"], "entities": ["Microsoft", "M365 Copilot", "Aim Security", "CVE-2025-32711", "EchoLeak"], "alternates": {"html": "https://wpnews.pro/news/microsoft-patches-critical-vulnerability-in-m365-copilot-that-allowed-silent", "markdown": "https://wpnews.pro/news/microsoft-patches-critical-vulnerability-in-m365-copilot-that-allowed-silent.md", "text": "https://wpnews.pro/news/microsoft-patches-critical-vulnerability-in-m365-copilot-that-allowed-silent.txt", "jsonld": "https://wpnews.pro/news/microsoft-patches-critical-vulnerability-in-m365-copilot-that-allowed-silent.jsonld"}}