Researchers discover zero-click vulnerability in Microsoft Copilot
Researchers have said that Microsoft Copilot had a critical zero-click AI vulnerability that was fixed before hackers could steal sensitive data. Called ‘EchoLeak,’ the attack was mounted by Aim Labs researchers in January this year and subsequently reported to Microsoft.
In a blog post, the research team said that EchoLeak was the first zero-click attack on an AI agent and could be triggered remotely via an email.
The vulnerability was given the identifier CVE-2025-32711, rated critical, and eventually fixed in May.
The researchers have categorised EchoLeak under a new class of vulnerabilities called ‘LLM Scope Violation,’ which can lead a large language model to leak internal data without any interaction with the hacker.
Although Microsoft acknowledged the security flaw, it confirmed that there had been no instance of exploitation that had impacted users.
Users receive an email designed to look like a business document, embedded with a hidden prompt injection that instructs the LLM to extract and exfiltrate sensitive data. When the user asks Copilot a query, the email is retrieved into the LLM prompt by Retrieval-Augmented Generation (RAG).
Published - June 12, 2025 04:13 pm IST