Skip to content
AID-2025-0002June 2025critical

Microsoft 365 Copilot Zero-Click Exfiltration via Prompt Injection (CVE-2025-32711)

A crafted email's hidden instructions tricked M365 Copilot into exfiltrating OneDrive, SharePoint, and Teams data to an attacker-controlled URL with no user click required.

Data exfiltrationDeny-by-defaultHigh-risk approval gate

What happened

Aim Security disclosed EchoLeak (CVSS 9.3), a zero-click vulnerability in Microsoft 365 Copilot. A crafted email carried hidden instructions that Copilot's RAG system pulled into context, causing the assistant to gather sensitive data from OneDrive, SharePoint, and Teams. The injected instructions then caused the assistant to exfiltrate the gathered data through auto-fetched images to an attacker-controlled host. The entire attack required no user interaction or click, and Microsoft later patched it server-side.

What the agent did

The AI assistant, upon receiving injected instructions hidden within an email, autonomously gathered data across multiple Microsoft 365 services (OneDrive, SharePoint, Teams) and exfiltrated the data by fetching an attacker-controlled image URL, transmitting sensitive corporate information to an external adversary.

The irreversible effect

Sensitive corporate data was exfiltrated from multiple Microsoft 365 services to an attacker-controlled server before the vulnerability was patched, resulting in potential breach of OneDrive files, SharePoint documents, and Teams data without any user awareness, approval, or audit trail.

Root cause

Without deny-by-default access controls enforcing segregation of duties, the Copilot assistant had both overly broad read access across data stores and an unrestricted outbound channel (net.fetch to external URLs). No approval gate was required for data-bearing egress operations, allowing the agent to unilaterally exfiltrate data once compromised by prompt injection, with no human review or authorization mechanism in place.

How a maker-checker control would have refused it

MakerChecker would emit 'skill_not_granted' when the assistant attempts net.fetch (outbound fetch not granted to assistant role) or data-egress-send (egress capability not granted to assistant role). For any role holding an egress grant, MakerChecker would emit 'high_risk_requires_gate' since data-bearing sends are categorized as high-risk skills that categorically require a preceding human approval gate and cannot execute through a raw proxy call.

Runnable reproduction

This incident ships as a runnable scenario in the open-source repository. Point the enforcement engine at the policy and watch the action get refused, with the refusal written to a signed audit record.

examples/echoleak-m365-copilot-zero-click-exfiltration

View the reproduction on GitHub →

Accuracy and corrections

This entry describes a publicly reported incident and is compiled from the primary sources listed above. Where an account is a legal allegation rather than an established finding, the entry labels it as such. Summaries can still contain errors. If you can document a correction, email hello@makerchecker.ai and we will review and correct it, with the change noted, within 14 days.

See it for yourself

Reading is one thing. Watch it block an agent.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Designed against the rules your auditors already enforce.