Rashmi Ramesh reports:
A well-phrased email was all an attacker would have needed to trick Microsoft Copilot into handing over sensitive data until the operating system giant patched the vulnerability.
The vulnerability in Microsoft 365 Copilot allowed attackers to extract sensitive data through a zero-click prompt injection attack, said researchers from Aim Security. Dubbed “EchoLeak” and tracked as CVE-2025-32711, the vulnerability received a CVSS severity score of 9.3. Microsoft patched the flaw prior to public disclosure, adding that there is currently no evidence it was exploited in the wild and that users need not take any action.
Copilot, Microsoft’s generative artificial intelligence suite embedded across Office, can summarize emails, draft documents and analyze spreadsheets. Access to Copilot is typically restricted only to users within a given organization, but Aim Security found that the attack could be triggered by sending an email.
Read more at BankInfoSecurity.