EchoLeak showed that an embedded AI agent can leak your data from a single email — with no click required.
CVE-2025-32711 (“EchoLeak”) was a CVSS 9.3 zero-click prompt-injection flaw in Microsoft 365 Copilot. A crafted email, retrieved later via the agent’s own context, could exfiltrate internal data without any user interaction.
EchoLeak (CVE-2025-32711, CVSS 9.3) is the first widely documented zero-click attack on a production enterprise AI agent. Disclosed by Aim Security and patched by Microsoft, it needed no user action: an attacker sent a single crafted email, and when a user later asked Microsoft 365 Copilot an unrelated question, the poisoned email was pulled into the agent’s context, executed hidden instructions, and exfiltrated internal content.
Researchers described the root cause as an “LLM scope violation”: the agent’s retrieval system could not reliably separate trusted internal data from untrusted instructions embedded in inbound content. The agent did exactly what it was built to do — retrieve context and act on it — which is precisely why existing email, antivirus, and firewall controls did not catch it. A Checkmarx deep-dive walks the chain in detail.
Why this matters even if you don’t run Copilot
The pattern generalizes to any agent with tool access and retrieval over untrusted data: support assistants reading customer tickets, agents summarizing inboxes, anything that ingests external text and can then act. OWASP now cites this class as Agent Goal Hijack in its agentic risk taxonomy. The defensive question is not “is our vendor secure” but “what is the worst action our agent is permitted to take, and who can stop it.”