Threat Intelligence Report: EchoLeak, the First Zero-Click AI Exploit (CVE-2025-32711)

CISO Executive Summary

Overview

EchoLeak, tracked as CVE-2025-32711, is the first publicly documented zero-click prompt injection against a production large language model. Disclosed by researchers at Aim Security in June 2025, it allowed a remote, unauthenticated attacker to exfiltrate sensitive organizational data from Microsoft 365 Copilot by sending the victim a single crafted email. No click, no attachment, and no user action were required. Microsoft assigned it a CVSS score of 9.3 and resolved it server-side, confirming no exploitation in the wild.

Impact

EchoLeak matters less for its blast radius, which Microsoft contained through a server-side fix, and more for what it proved: prompt injection can be weaponized into concrete data theft inside a trusted enterprise AI assistant. Anything within Copilot’s access scope was reachable, including chat history, OneDrive files, SharePoint content, and Teams messages. Because the assistant acts with the user’s own permissions, the AI itself becomes the confused deputy that performs the exfiltration.

Mitigation

  1. Treat AI assistants as an attack surface: Inventory every place an LLM ingests untrusted external content (email, documents, web) and processes it with privileged access to internal data.
  2. Constrain agent scope and egress: Limit the data an assistant can reach and the destinations it can send to; block or proxy automatic outbound fetches.
  3. Apply data-loss controls to AI output paths: Monitor for sensitive data leaving through assistant-rendered content, links, and images.
  4. Demand vendor transparency: Require AI vendors to disclose their prompt-injection defenses, trust boundaries, and incident processes.

Engineering Breakdown

CVE Details

  • CVE ID: CVE-2025-32711
  • Severity: Critical
  • CVSS Score: 9.3
  • Vector: Network (zero-click, no authentication)
  • Class: Indirect prompt injection leading to data exfiltration

Description

Retrieval-augmented assistants such as Microsoft 365 Copilot blend trusted instructions with untrusted content pulled from a user’s mailbox and documents. EchoLeak exploited the absence of a hard trust boundary between those two streams. An attacker emailed the victim text that, once retrieved into Copilot’s context, was interpreted as instructions rather than data. This is a classic indirect prompt injection, here chained into a working exfiltration primitive.

Technical Analysis

According to Aim Security and the academic write-up, the exploit chained several bypasses:

  1. Classifier evasion: The malicious email was phrased to evade Microsoft’s XPIA (Cross Prompt Injection Attempt) classifier.
  2. Link redaction bypass: Reference-style Markdown was used to slip past link-stripping defenses.
  3. Automatic image fetch: Markdown image syntax caused the client to auto-fetch a URL, carrying stolen data in the request.
  4. CSP bypass: A Microsoft Teams proxy URL, allowed by the content security policy, was abused as the exfiltration channel.

The result was full privilege escalation across LLM trust boundaries with no user interaction, the property that makes it “zero-click.”
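
An output-side check for steps 2 and 3 above, as an added example (not code from Aim Security, Microsoft, or this report's sources): it removes reference definitions and inline links or images whose target is not an allowlisted HTTPS host, so reference-style syntax cannot carry a URL past a filter that only inspects inline links. `ALLOWED_HOSTS`, the function names, and the sample hostnames are assumptions; refusing query strings on allowed hosts is a policy choice made here because step 4 shows an allowlisted host can still relay data.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the rendering client may fetch from (placeholder value).
ALLOWED_HOSTS = {"assets.example.com"}

# Inline forms: [text](url) and ![alt](url)
INLINE = re.compile(r'(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')
# Reference definitions: [label]: url "optional title"
REF_DEF = re.compile(r'^[ ]{0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$', re.M)

def _allowed(url):
    """HTTPS, allowlisted host, and no query string (policy choice, see lead-in)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return (parts.scheme == "https"
            and parts.hostname in ALLOWED_HOSTS
            and not parts.query)

def sanitize(markdown):
    """Return (clean_text, findings) for one assistant response.

    Deleting a disallowed definition neutralizes every reference form that
    points at it ([t][label], [label][], [label]): the renderer can no longer
    resolve the label, so it shows literal text and fetches nothing.
    """
    findings = []

    def drop_def(m):
        if _allowed(m.group(2)):
            return m.group(0)
        findings.append(("reference", m.group(2)))
        return ""

    def drop_inline(m):
        if _allowed(m.group(3)):
            return m.group(0)
        findings.append(("image" if m.group(1) else "link", m.group(3)))
        return m.group(2)  # keep the visible text, drop the target

    out = REF_DEF.sub(drop_def, markdown)
    out = INLINE.sub(drop_inline, out)
    return out, findings
```

The regular expressions cover the common link forms only; a production filter should walk the output of the same Markdown parser the client renders with, and feed `findings` to DLP alerting.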

Why It Is a Watershed

EchoLeak demonstrates that the OWASP Top 10 for LLM Applications risk of prompt injection is not theoretical. It also maps cleanly to MITRE ATLAS techniques for AI-enabled exfiltration. The lesson for defenders is structural: any system that mixes untrusted input with privileged action needs a trust boundary the model cannot talk its way across.

Stay Vigilant