2025-06
Prompt Injection
Microsoft

EchoLeak: zero-click prompt-injection exfiltration in Microsoft 365 Copilot

What happened

CVE-2025-32711 (CVSS 9.3), dubbed EchoLeak, was the first publicly documented zero-click attack on a production AI agent. An attacker emails a victim a message containing hidden prompt instructions; when Copilot's RAG engine later retrieves that email as context, the injected instructions cause Copilot to exfiltrate data from its scope — email, OneDrive, SharePoint, Teams — via crafted links and images, with no user interaction.

Impact

Any M365 Copilot tenant's organizational data was exfiltratable until Microsoft shipped a server-side fix in June 2025; no in-the-wild exploitation was reported.

How this could have been prevented

Strict trust boundaries between retrieved untrusted content and instructions, plus egress filtering of agent-generated links and images, mitigate LLM scope-violation attacks.

Sources

More prompt injection incidents

Would runtime governance have caught this?

Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.

Request a demo