A recently uncovered vulnerability, dubbed ‘EchoLeak’, highlights the risks associated with AI technology in enterprise environments. This zero-click attack allowed attackers to extract sensitive data from Microsoft 365 Copilot without any user interaction, a significant evolution in the cybersecurity threat landscape.
Aim Labs researchers disclosed the flaw, which was identified earlier this year and assigned the identifier CVE-2025-32711 by Microsoft. Although the flaw was rated critical, Microsoft confirmed that no customers were affected by real-world exploitation: it was addressed with a server-side fix in May that required no action from users.
Microsoft 365 Copilot is an AI assistant integrated into widely used applications such as Word, Excel, Outlook, and Teams. Built on OpenAI’s GPT models, it aims to enhance productivity through content generation and data analysis. The EchoLeak vulnerability shows, however, that even advanced technologies can have unintended flaws that may lead to data breaches.
While the EchoLeak vulnerability has been patched, the emergence of such threats underscores the need for businesses to strengthen their security controls. Security experts advocate stricter prompt injection filters and the exclusion of external communications to reduce the risk of such breaches. As AI becomes increasingly embedded in daily workflows, companies must remain vigilant against the evolving threat landscape.