Microsoft has silently patched a maximum-criticality vulnerability in its Microsoft 365 Copilot platform. The flaw, tracked as CVE-2025-32711 and codenamed EchoLeak, carried a CVSS severity score of 9.3 out of 10.
Discovered by security firm Aim Security, the attack required zero user clicks. A malicious actor could send a carefully crafted message that, when processed by the Copilot AI, triggered the automatic exfiltration of organizational data. This included emails, documents, and two-factor authentication codes. The exploit bypassed Microsoft's existing defenses, including prompt injection classifiers.
Aim Security responsibly disclosed the issue in January 2025. Microsoft deployed server-side fixes by May, confirming it found no evidence of active exploitation. The zero-click nature presented a severe enterprise risk, creating an attack surface that required only the receipt of an email.
The fundamental architecture of large language models makes separating trusted instructions from untrusted data extremely difficult. This vulnerability underscores the growing risks as AI agents are rapidly integrated into automated and financial systems, including crypto and Web3 infrastructure, where prompt injection could lead to direct, irreversible financial loss.