Microsoft patched a “zero-click” flaw in its Microsoft 365 Copilot retrieval-augmented generation (RAG) tool that would have allowed for exfiltration of sensitive data, according to Aim Security.

The vulnerability is tracked as CVE-2025-32711, which has a critical CVSS score of 9.3, Aim Security told SC Media in an email. Microsoft stated in its disclosure that the AI command injection vulnerability has not been exploited in the wild and requires no further user action to resolve.

The flaw, dubbed “EchoLeak,” would have allowed an attacker to extract potentially sensitive information from a user’s connected Microsoft 365 services, such as their Outlook email, OneDrive storage, Office files, SharePoint sites and Microsoft Teams chat history, by sending a specially crafted email that bypasses several security measures, Aim Security explained.

“The EchoLeak discovery by Aim Labs exposes a critical shift in cybersecurity risk, highlighting how even well-guarded AI agents like Microsoft 365 Copilot can be weaponized through what Aim Labs correctly terms an ‘LLM Scope Violation,’” SOCRadar’s Ensar Seker said in an email to SC Media.

The proof-of-concept exploit chain developed by Aim Security begins by bypassing Copilot’s cross-prompt injection attack (XPIA) classifiers by addressing the instructions in the email to the recipient rather than the targeted large language model (LLM).

The attackers would then need to get past Copilot’s link redaction feature, which prevents external markdown links from appearing in the Copilot chat. The researchers discovered that links marked as references (i.e. [ref] in markdown) are not redacted, allowing them to be output by the chatbot.

Rather than tricking a user into clicking the link, the attacker could leverage an external markdown image to trigger an automated GET request for the image. However, the content security policy (CSP) for image embeds on the Microsoft 365 Copilot webpage only allows images from a set list of domains related to Microsoft services.

The researchers discovered this could be bypassed by leveraging a specific Microsoft Teams URL format that allows the attacker’s external URL to be accessed via the “/urlp/v1/url/content” endpoint.

As mentioned in a recent comment by a Microsoft employee on the Teams Developer Tech Community page, “Microsoft Teams’ link unfurling uses a proxy service (/urlp/v1/url/content) to retrieve and cache external images.”

An attacker could abuse this link preview feature to cause Copilot to contact the attacker’s website while bypassing the CSP guardrail via the trusted Teams domain. By sending the victim an email that covertly instructs Copilot to append sensitive M365 data to the end of the image URL as query string parameters, this data is transmitted to the attacker’s external server via the GET request for the image.

While the attack does not depend on the victim to click on a malicious link, a video on EchoLeak published by Aim Security demonstrates the victim sending Copilot a message referencing a topic mentioned in the attacker’s email, which triggers the markdown image output.

Aim Security noted the attacker can increase the likelihood that the malicious email will be referenced by Copilot by either sending many emails referencing different topics relevant to the victim, or by sending a single long email separated into chunks that cover a range of relevant topics (ex. employee onboarding, human resources FAQ, leave of absence management etc.).

“What stands out especially is that this isn’t limited to Copilot. As Aim Labs warns, any RAG-based agent that processes untrusted inputs alongside internal data is vulnerable to scope violations,” Seker noted. “This signals a broader architectural flaw across the AI assistant space – one that demands runtime guardrails, stricter input scoping, and rigid separation between trusted and untrusted content.”

Seker recommends organizations defend against similar attacks by disabling external email ingestion by RAG tools like Copilot, enforcing data loss prevention (DLP) tags to flag requests involving sensitive information, and applying prompt-level filters that can block suspicious links and structured outputs.
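
The two gaps described above (reference-style markdown that was not redacted, and a trusted domain that fetches an external URL on the caller's behalf) are what an output-side link filter of the kind Seker recommends has to cover. The following Python sketch is an added example, not code from the article, Microsoft or the researchers; the allowlisted host, the `/preview?src=` proxy path, the function names and the sample text are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: the only host the chat UI may load links/images from (placeholder).
ALLOWED_HOSTS = {"assets.example-corp.test"}

INLINE = re.compile(r"!?\[[^\]]*\]\(\s*<?([^)\s>]+)[^)]*\)")  # [t](url), ![t](url)
REF_DEF = re.compile(r"^ {0,3}\[[^\]]+\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$", re.M)  # [ref]: url
EMBEDDED_URL = re.compile(r"https?:/", re.I)

def url_verdict(url):
    """Return None if the URL may be rendered, otherwise the reason it is blocked."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https") or host not in ALLOWED_HOSTS:
        return "host not allowlisted"
    # An allowlisted host whose path or query carries a second URL can act as a
    # fetch proxy, so the allowlist alone does not prove the final destination.
    tail = parts.path + "?" + parts.query
    for _ in range(3):  # raw form, then up to two rounds of percent-decoding
        if EMBEDDED_URL.search(tail):
            return "allowlisted host wraps another URL"
        tail = unquote(tail)
    return None

def sanitize(markdown):
    """Redact inline and reference-style targets; return (clean_text, findings)."""
    findings = []
    def check(match):
        reason = url_verdict(match.group(1))
        if reason is None:
            return match.group(0)
        findings.append((match.group(1), reason))
        return "[link removed]"
    cleaned = REF_DEF.sub(check, INLINE.sub(check, markdown))
    return cleaned, findings

# Constructed model output: one legitimate image and two reference definitions.
SAMPLE = (
    "See the onboarding guide ![status][r1] and [details][r2].\n"
    "![logo](https://assets.example-corp.test/logo.png)\n\n"
    "[r1]: https://assets.example-corp.test/preview?src=https%3A%2F%2Fcollector.invalid%2Fp.png%3Fd%3DDATA\n"
    "[r2]: https://collector.invalid/page?d=DATA\n"
)

if __name__ == "__main__":
    text, found = sanitize(SAMPLE)
    print(text, *found, sep="\n")
```

Bare URLs and `<autolink>` syntax are outside what this sketch parses; a production filter would work on the rendered link tree rather than on regular expressions.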
