Microsoft disclosed CVE-2025-32711, a critical information disclosure flaw in Microsoft 365 Copilot that researchers later detailed as EchoLeak, describing it as the first reported real-world zero-click prompt injection exploit in a production LLM system. The vulnerability carried a CVSS 9.3 rating and allowed a remote, unauthenticated attacker to exfiltrate sensitive data over the network without user interaction, reportedly by sending a single crafted email that Copilot would process.
Research describing the exploit said the attack chained multiple bypasses across LLM trust boundaries, including evasion of Microsoft’s XPIA classifier, use of reference-style Markdown to bypass link redaction, auto-fetched images, and abuse of a Microsoft Teams proxy allowed by content security policy to extract data. Microsoft said the issue had already been fully mitigated in the cloud service and required no customer action, while the broader research and follow-on reporting framed the incident as evidence that prompt injection and "AIjacking" can enable full data exfiltration in enterprise copilots unless controls such as prompt partitioning, stronger filtering, provenance-based access control, stricter CSPs, least privilege, and continuous adversarial testing are in place.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft last updated the CVE-2025-32711 advisory to revise the CWE classification, describing the change as informational rather than a new security development.
Public reporting and research descriptions outlined how EchoLeak chained multiple bypasses, including evasion of Microsoft's XPIA classifier, Markdown-based link redaction bypass, auto-fetched images, and abuse of a Microsoft Teams proxy allowed by content security policy.
Microsoft published advisory CVE-2025-32711 for a critical M365 Copilot information disclosure vulnerability caused by AI command injection. The company said the issue had already been fully mitigated, required no customer action, and that it had seen no evidence of in-the-wild exploitation at disclosure.
Security researchers discovered EchoLeak, later assigned CVE-2025-32711, a zero-click prompt injection vulnerability in Microsoft 365 Copilot that could enable remote, unauthenticated data exfiltration via a crafted email.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
labs.zenity.io
Open sourcearxiv.org
Open sourcesimonwillison.net
Open sourcemsrc.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.