Microsoft Patches Critical Zero-Click Flaw in Microsoft 365 Copilot Microsoft has addressed a severe "zero-click" vulnerability in its Microsoft 365 Copilot AI tool, tracked as CVE-2025-32711 (CVSS 9.3), which could have enabled attackers to exfiltrate sensitive data without user interaction. Discovered by Aim Security and dubbed "EchoLeak," the flaw allowed unauthorized access to a victim’s Outlook emails, OneDrive files, SharePoint sites, and Microsoft Teams chat history via a specially crafted email. The exploit bypassed multiple security layers, including Copilot’s cross-prompt injection attack (XPIA) classifiers and link redaction protections, by leveraging markdown references and a Microsoft Teams URL proxy endpoint to transmit stolen data to an attacker-controlled server. Unlike traditional phishing attacks, this method did not require the victim to click a malicious link—simply referencing the attacker’s email in a Copilot query could trigger the data leak. Aim Security demonstrated that attackers could increase the likelihood of exploitation by sending multiple emails on varied topics or a single long, segmented email covering subjects likely to be queried by the victim. While Microsoft confirmed the flaw had not been exploited in the wild, security experts warn that similar vulnerabilities may exist in other retrieval-augmented generation (RAG)-based AI tools, highlighting a broader risk in AI assistant architectures. The patch resolves the issue, requiring no further user action. However, the incident underscores the need for runtime guardrails, stricter input scoping, and clear separation between trusted and untrusted data in AI systems.