Skip to content
AID-2025-0002June 2025critical

Microsoft 365 Copilot Zero-Click Exfiltration via Prompt Injection (CVE-2025-32711)

Researchers demonstrated a zero-click proof-of-concept in which a crafted email's hidden instructions could make M365 Copilot exfiltrate OneDrive, SharePoint, and Teams data to an attacker-controlled URL with no user click required. Microsoft fixed it server-side before disclosure.

Data exfiltrationDeny-by-defaultHigh-risk approval gate

What happened

Aim Security researchers demonstrated EchoLeak (CVE-2025-32711, CVSS 9.3), a zero-click proof-of-concept vulnerability in Microsoft 365 Copilot. In their demonstration, a crafted email carried hidden instructions that Copilot's RAG system pulled into context, causing the assistant to gather data from OneDrive, SharePoint, and Teams within Copilot's access scope. The injected instructions then caused the assistant to exfiltrate the gathered data through auto-fetched images to an attacker-controlled host, bypassing Microsoft's cross-prompt-injection classifier, link redaction, and Content Security Policy via an allowlisted Teams image proxy. The technique required no user interaction or click. Aim Security reported it to Microsoft, which patched it server-side before public disclosure on June 11, 2025 and stated no customer action was required. Microsoft reported no known in-the-wild exploitation.

What the agent did

In the researchers' proof-of-concept, the AI assistant, upon receiving injected instructions hidden within an email, gathered data across multiple Microsoft 365 services (OneDrive, SharePoint, Teams) within its access scope and exfiltrated that data by fetching an attacker-controlled image URL. This was demonstrated in a controlled test, not observed against real victims.

The irreversible effect

In the demonstration, data within Copilot's access scope could be exfiltrated to an attacker-controlled server through the auto-fetched image channel, with no user awareness, approval, or audit trail. Because Microsoft fixed the flaw server-side before disclosure and reported no in-the-wild exploitation, no confirmed real-world data loss resulted.

Root cause

Without deny-by-default access controls enforcing segregation of duties, the Copilot assistant had both overly broad read access across data stores and an unrestricted outbound channel (net.fetch to external URLs). No approval gate was required for data-bearing egress operations, allowing the agent to unilaterally exfiltrate data once compromised by prompt injection, with no human review or authorization mechanism in place.

How a maker-checker control would have refused it

MakerChecker would emit 'skill_not_granted' when the assistant attempts net.fetch (outbound fetch not granted to assistant role) or data-egress-send (egress capability not granted to assistant role). For any role holding an egress grant, MakerChecker would emit 'high_risk_requires_gate' since data-bearing sends are categorized as high-risk skills that categorically require a preceding human approval gate and cannot execute through a raw proxy call.

Runnable reproduction

This incident ships as a runnable scenario in the open-source repository. Point the enforcement engine at the policy and watch the action get refused, with the refusal written to a signed audit record.

examples/echoleak-m365-copilot-zero-click-exfiltration

View the reproduction on GitHub →

Accuracy and corrections

This entry describes a publicly reported incident and is compiled from the primary sources listed above. Where an account is a legal allegation rather than an established finding, the entry labels it as such. Summaries can still contain errors. If you can document a correction, email hello@makerchecker.ai and we will review and correct it, with the change noted, within 14 days.

See it for yourself

Reading is one thing. Watch it block an agent.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Designed against the rules your auditors already enforce.