Microsoft 365 Copilot Vulnerable to Zero y6s4u Click EchoLeak Exploit, Cybersecurity Researchers Say

Microsoft eportedly said that it has fixed the Copilot vulnerability and no s were affected by it. w12b

Written by Siddharth Suvarna | Updated: 12 June 2025 19:33 IST

Photo Credit: Reuters 4yb11

The exploit could have been used by bad actors to steal sensitive data from s’ devices

Highlights

The exploit uses agentic capabilities of Copilot
This is said to be the first zero-click exploit on a major AI chatbot
First stage of this exploit uses a plain language email

ment

Microsoft 365 Copilot, the enterprise-focused artificial intelligence (AI) chatbot that works across Office apps, was reportedly vulnerable to a zero-click vulnerability. As per a cybersecurity firm, a flaw existed in the chatbot that could be triggered via a simple text email to hack into it. Once the chatbot was hacked, it could then be made to retrieve sensitive information from the 's device and share it with the attacker. Notably, the Redmond-based tech giant said that it has fixed the vulnerability, and that no s were affected by it.

Researchers Find Zero-Click Vulnerability in Copilot 4n4u3m

In a blog post, AI security startup Aim Security detailed the zero-click exploit and how the researchers were able to execute it. Notably, a zero-click attack refers to hacking attempts where the victim does not have to a file or click on a URL for the attack to be triggered. A simple act such as opening an email can initiate the hacking attempt.

The findings by the cybersecurity firm highlights the risks that AI chatbots pose, especially if they have agentic capability, which refers to the ability of an AI chatbot to access tools to execute actions. For example, Copilot being able to connect to OneDrive and retrieving data from a file stored there to answer a query would be considered an agentic action.

You Can Now Find and Purchase Products Directly in Microsoft's Copilot App

As per the researchers, the attack was initiated using cross-prompt injection attack (XPIA) classifiers. These is a form of prompt injection, where an attacker manipulates the input across multiple prompts, sessions, or messages to influence or control the behaviour of an AI system. The malicious message is often added via attached files, hidden or invisible text, or embedded instructions.

The researchers shared the XPIA by via email. However, they also showed the same could be done via an image (embedding the malicious instruction in the alt text), and even via Microsoft Team by excuting a GET request for a malicious URL. While the first two methods still require the to ask a query about the email or the image, the latter does not require s to take any particular action for the hacking attempt to begin.

“The attack results in allowing the attacker to exfiltrate the most sensitive data from the current LLM context - and the LLM is being used against itself in making sure that the MOST sensitive data from the LLM context is being leaked, does not rely on specific behavior, and can be executed both in single-turn conversations and multi-turn conversations,” the post added.

Notably, a Microsoft spokesperson acknowledged the vulnerability and thanked Aim for identifying and reporting the issue, according to a Fortune report. The issue has now been fixed, and no s were affected by it, the spokesperson told the publication.

Comments

For the latest reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Cybersecurity

Akash Dutta Email Akash Dutta

Akash Dutta is a Senior Sub Editor at Gadgets 360. He is particularly interested in the social impact of technological developments and loves reading about emerging fields such as AI, metaverse, and fediverse. In his free time, he can be seen ing his favourite football club - Chelsea, watching movies and anime, and sharing ionate opinions on food. More