Hacking artificial intelligence: Microsoft patches first known zero-click vulnerability in AI assistant

Published by Andrii Rusanov

A critical Copilot vulnerability allowed for the automatic extraction of sensitive user data by simply sending an email.

EchoLeak was the first known zero-click vulnerability in an AI assistant. It concerned Microsoft 365 Copilot, which is integrated into several Office applications, including Word, Excel, Outlook, PowerPoint, and Teams. According to the Aim Security researchers who discovered it, the exploit allowed attackers to access sensitive information from programs and data sources connected to Copilot without any user interaction.

The malicious email used for the attack did not contain any phishing links or malware attachments. The attack utilized a new technique known as LLM Scope Violation, which manipulates the internal large language model to set up an AI agent for malicious actions.

A similar approach could be used to compromise other chatbots and AI agents in the future. Because it targets fundamental design flaws in how these systems manage context and data access, even advanced platforms can be vulnerable.

Aim Security discovered the flaw in January and immediately reported it to the Microsoft Response Center. However, it took the company almost five months to resolve the issue, which Adir Gruss, co-founder and CTO, says is extremely long.

Microsoft had a fix ready by April, but its release was delayed after engineers discovered additional vulnerabilities in May. Initially, the company tried to contain EchoLeak by blocking its paths through the affected programs, but these efforts failed due to the unpredictable behavior of artificial intelligence and the huge scope for possible attacks.

Microsoft issued a statement thanking Aim Security for responsibly disclosing the issue and confirming that it has been fully resolved. The fix has been automatically applied to all affected products and does not require any action from end users.

Sources: Fortune, TechSpot