
Hard on the heels of the disclosure of a critical zero-day RCE vulnerability in Microsoft Windows, known as CVE-2025-33053, another security issue affecting a Microsoft product has hit the headlines. Researchers have recently uncovered CVE-2025-32711, dubbed “EchoLeak”, a critical vulnerability in Microsoft’s Copilot AI that lets attackers steal sensitive data via email, without any user interaction. This attack exploits an “LLM scope violation” and marks the first known zero-click attack on an AI agent.
With over 1.4 billion devices running Windows and widespread use of platforms like Azure and Microsoft 365, Microsoft products play a central role in global digital infrastructure. The 2025 BeyondTrust Microsoft Vulnerabilities Report highlighted a record 1,360 Microsoft vulnerabilities disclosed in 2024, an 11% increase from the previous peak. This reflects the ongoing growth of the attack surface and the importance of keeping pace with evolving threats.
Furthermore, with the rapid adoption of AI across industries, cybercriminals are quick to exploit it, weaponizing advanced tools to accelerate their attacks and make them more sophisticated. As highlighted in Check Point Research’s AI Security Report 2025, threat actors are increasingly leveraging AI for deepfake impersonation, automated malware creation, jailbroken LLMs, and GenAI-powered disinformation campaigns, signaling a dangerous shift in the cyber threat landscape.
The discovery of EchoLeak (CVE-2025-32711) underscores the growing intersection between traditional software vulnerabilities and emerging AI threats, which means defenders should adapt their strategies to respond proactively to novel threats.
Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. Security teams can explore an extensive collection of context-enriched Sigma rules tagged by “CVE,” backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection.
All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.
Security engineers can also leverage Uncoder AI—a private, non-agentic AI purpose-built for threat-informed detection engineering. With Uncoder, defenders can automatically convert IOCs into actionable hunting queries, craft detection rules from raw threat reports, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.
CVE-2025-32711 Analysis
Aim Labs has identified a critical zero-click AI vulnerability in Microsoft 365 Copilot and reported several associated attack chains to Microsoft’s Security Response Center. The flaw, tracked as CVE-2025-32711 and dubbed “EchoLeak,” is considered critical with a CVSS score of 9.3.
The attack leverages a newly uncovered exploitation method, called “LLM Scope Violation,” where external, untrusted input could manipulate the AI model to access and leak confidential data. Potentially exposed information included anything within Copilot’s access scope, such as chat logs, OneDrive files, SharePoint content, Teams messages, and other preloaded organizational data. This marks a significant advancement in understanding how threat actors can exploit the internal workings of AI systems.
The identified attack chains enable automatic exfiltration of sensitive and proprietary data from within the M365 Copilot environment, without requiring any user interaction or specific behavior. Notably, this occurs even though Copilot’s interface is restricted to internal organizational use. Threat actors only need to send an email, regardless of the sender’s identity, to trigger the exploit. Researchers emphasize the severity of the flaw, indicating that most organizations might be vulnerable due to Copilot’s default configuration, although there is no evidence of actual exploitation.
As a zero-click vulnerability, EchoLeak presents serious implications for data theft and extortion, highlighting the broader risks linked to the architecture of AI agents and chatbots in agentic systems. This attack represents a groundbreaking and practical exploitation method targeting LLM applications, where adversaries can weaponize the model against itself to extract the most sensitive data from its context. At its core, the attack combines traditional security flaws, such as CSP bypass, along with AI-specific vulnerabilities like prompt injection. Critically, it highlights systemic design weaknesses present in many RAG systems and AI agents.
Microsoft confirmed in its corresponding advisory that the issue has been fully resolved and no further action is required from customers. As potential CVE-2025-32711 mitigation measures, the vendor also offers DLP tags to block processing of external emails, along with a new M365 Roadmap feature that restricts Copilot from accessing emails labeled with sensitivity tags. However, enabling these controls may reduce Copilot’s functionality, as it limits access to external or sensitive content. Additionally, Aim Labs researchers have created real-time guardrails designed to prevent LLM scope violation vulnerabilities. These protections can be applied broadly across AI agents and RAG-based applications, not limited to M365 Copilot.
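The scope controls described above can be pictured as a filter that runs on retrieved content before it reaches the model. The following Python sketch is an added example, not Microsoft's or Aim Labs' code: the `Chunk` type, the `enforce_scope` function, the policy names and the label names are all hypothetical, and the `isolate` policy generalizes beyond the two vendor controls by refusing to place external content in the same prompt as restricted data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed label names; substitute the labels your tenant actually uses.
RESTRICTED_LABELS = {"Confidential", "Highly Confidential"}

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    external: bool         # True if the content came from outside the organisation
    label: Optional[str]   # sensitivity label, None if unlabelled
    text: str

def enforce_scope(chunks: List[Chunk], policy: str) -> Tuple[List[Chunk], List[Tuple[str, str]]]:
    """Filter retrieved chunks before prompt assembly.

    policy:
      "block_external"  - drop every externally sourced chunk
      "block_labelled"  - drop chunks carrying a restricted sensitivity label
      "isolate"         - keep external chunks only if no restricted chunk
                          would share the prompt with them
    Returns (kept, dropped); dropped is [(doc_id, reason)] for audit logging.
    """
    if policy not in {"block_external", "block_labelled", "isolate"}:
        raise ValueError(f"unknown policy: {policy}")
    restricted_present = any(c.label in RESTRICTED_LABELS for c in chunks)
    kept, dropped = [], []
    for c in chunks:
        if policy == "block_external" and c.external:
            dropped.append((c.doc_id, "external content"))
        elif policy == "block_labelled" and c.label in RESTRICTED_LABELS:
            dropped.append((c.doc_id, f"label {c.label}"))
        elif policy == "isolate" and c.external and restricted_present:
            dropped.append((c.doc_id, "external content alongside restricted data"))
        else:
            kept.append(c)
    return kept, dropped

# Constructed sample retrieval result (not real data).
SAMPLE = [
    Chunk("mail-001", True, None, "Inbound message from an outside sender."),
    Chunk("sp-017", False, "Confidential", "Internal salary bands."),
    Chunk("teams-204", False, None, "Lunch plans for Friday."),
]

if __name__ == "__main__":
    for policy in ("block_external", "block_labelled", "isolate"):
        kept, dropped = enforce_scope(SAMPLE, policy)
        print(policy, [c.doc_id for c in kept], dropped)
```

The `dropped` list makes the functionality trade-off visible: every entry is content the assistant can no longer use to answer.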
The exploitation risks extend far beyond a single platform, emphasizing the urgent need for proactive defenses, rigorous threat modeling, and the implementation of robust safeguards in AI-driven applications. To stay ahead of increasingly sophisticated threats fueled by the rapid adoption and misuse of AI by adversaries, SOC Prime Platform offers an enterprise-ready product suite that fuses ethical AI, automation, and real-time threat intelligence and is built on privacy-first, zero-trust principles, empowering organizations to strengthen their cybersecurity resilience.
The post CVE-2025-32711 Vulnerability: “EchoLeak” Flaw in Microsoft 365 Copilot Could Enable a Zero-Click Attack on an AI Agent appeared first on SOC Prime.