
A novel attack technique named EchoLeak has been characterized as a “zero-click” artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 (M365) Copilot’s context sans any user interaction.
The critical-rated vulnerability has been assigned the CVE identifier CVE-2025-32711 (CVSS score: 9.3). It requires no customer action and has been already addressed by Microsoft. There is no evidence that the shortcoming was exploited maliciously in the wild.
“AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network,” the company said in an advisory released Wednesday. It has since been added to Microsoft’s Patch Tuesday list for June 2025, taking the total number of fixed flaws to 68.
Aim Security, which discovered and reported the issue, said it’s an instance of a large language model (LLM) Scope Violation that paves the way for indirect prompt injection, leading to unintended behavior.

LLM Scope Violation occurs when an attacker’s instructions embedded in untrusted content, e.g., an email sent from outside an organization, successfully tricks the AI system into accessing and processing privileged internal data without explicit user intent or interaction.
“The chains allow attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot context, without the user’s awareness, or relying on any specific victim behavior,” the Israeli cybersecurity company said. “The result is achieved despite M365 Copilot’s interface being open only to organization employees.”
In EchoLeak’s case, the attacker embeds a malicious prompt payload inside markdown-formatted content, like an email, which is then parsed by the AI system’s retrieval-augmented generation (RAG) engine. The payload silently triggers the LLM to extract and return private information from the user’s current context.

The attack sequence unfolds as follows –
- Injection: Attacker sends an innocuous-looking email to an employee’s Outlook inbox, which includes the LLM scope violation exploit
- User asks Microsoft 365 Copilot a business-related question (e.g., summarize and analyze their earnings report)
- Scope Violation: Copilot mixes untrusted attacked input with sensitive data to LLM context by the Retrieval-Augmented Generation (RAG) engine
- Retrieval: Copilot leaks the sensitive data to the attacker via Microsoft Teams and SharePoint URLs
Importantly, no user clicks are required to trigger EchoLeak. The attacker relies on Copilot’s default behavior to combine and process content from Outlook and SharePoint without isolating trust boundaries – turning helpful automation into a silent leak vector.
“As a zero-click AI vulnerability, EchoLeak opens up extensive opportunities for data exfiltration and extortion attacks for motivated threat actors,” Aim Security said. “In an ever-evolving agentic world, it showcases the potential risks that are inherent in the design of agents and chatbots.”

“The attack results in allowing the attacker to exfiltrate the most sensitive data from the current LLM context – and the LLM is being used against itself in making sure that the MOST sensitive data from the LLM context is being leaked, does not rely on specific user behavior, and can be executed both in single-turn conversations and multi-turn conversations.”
EchoLeak is especially dangerous because it exploits how Copilot retrieves and ranks data – using internal document access privileges – which attackers can influence indirectly via payload prompts embedded in seemingly benign sources like meeting notes or email chains.
MCP and Advanced Tool Poisoning
The disclosure comes as CyberArk disclosed a tool poisoning attack (TPA) that affects the Model Context Protocol (MCP) standard and goes beyond the tool description to extend it across the entire tool schema. The attack technique has been codenamed Full-Schema Poisoning (FSP).
“While most of the attention around tool poisoning attacks has focused on the description field, this vastly underestimates the other potential attack surface,” security researcher Simcha Kosman said. “Every part of the tool schema is a potential injection point, not just the description.”
![]() |
MCP tool poisoning attacks (Credit: Invariant Labs) |
The cybersecurity company said the problem is rooted in MCP’s “fundamentally optimistic trust model” that equates syntactic correctness to semantic safety and assumes that LLMs only reason over explicitly documented behaviors.
What’s more, TPA and FSP could be weaponized to stage advanced tool poisoning attacks (ATPA), wherein the attacker designs a tool with a benign description but displays a fake error message that tricks the LLM into accessing sensitive data (e.g., SSH keys) in order to address the purported issue.
“As LLM agents become more capable and autonomous, their interaction with external tools through protocols like MCP will define how safely and reliably they operate,” Kosman said. “Tool poisoning attacks — especially advanced forms like ATPA — expose critical blind spots in current implementations.”
That’s not all. Given that MCP enables AI agents (or assistants) to interact with various tools, services, and data sources in a consistent manner, any vulnerability in the MCP client-server architecture could pose serious security risks, including manipulating an agent into leaking data or executing malicious code.
This is evidenced in a recently disclosed critical security flaw in the popular GitHub MCP integration, which, if successfully exploited, could allow an attacker to hijack a user’s agent via a malicious GitHub issue, and coerce it into leaking data from private repositories when the user prompts the model to “take a look at the issues.”
“The issue contains a payload that will be executed by the agent as soon as it queries the public repository’s list of issues,” Invariant Labs researchers Marco Milanta and Luca Beurer-Kellner said, categorizing it as a case of a toxic agent flow.
That said, the vulnerability cannot be addressed by GitHub alone through server-side patches, as it’s more of a “fundamental architectural issue,” necessitating that users implement granular permission controls to ensure that the agent has access to only those repositories it needs to interact with and continuously audit interactions between agents and MCP systems.
Make Way for the MCP Rebinding Attack
The rapid ascent of MCP as the “connective tissue for enterprise automation and agentic applications” has also opened up new attack avenues, such as Domain Name System (DNS) rebinding, to access sensitive data by exploiting Server-Sent Events (SSE), a protocol used by MCP servers for real-time streaming communication to the MCP clients.

DNS rebinding attacks entail tricking a victim’s browser into treating an external domain as if it belongs to the internal network (i.e., localhost). These attacks, which are engineered to circumvent same-origin policy (SOP) restrictions, are triggered when a user visits a malicious site set up by the attacker via phishing or social engineering.
“There is a disconnect between the browser security mechanism and networking protocols,” GitHub’s Jaroslav Lobacevski said in an explainer on DNS rebinding published this week. “If the resolved IP address of the web page host changes, the browser doesn’t take it into account and treats the webpage as if its origin didn’t change. This can be abused by attackers.”
This behavior essentially allows client-side JavaScript from a malicious site to bypass security controls and target other devices on the victim’s private network that are not exposed to the public internet.
![]() |
MCP rebinding attack |
The MCP rebinding attack takes advantage of an adversary-controlled website’s ability to access internal resources on the victim’s local network so as to interact with the MCP server running on localhost over SSE and ultimately exfiltrate confidential data.
“By abusing SSE’s long-lived connections, attackers can pivot from an external phishing domain to target internal MCP servers,” the Straiker AI Research (STAR) team said in an analysis published last month.
It’s worth noting that SSE has been deprecated as of November 2024 in favor of Streamable HTTP owing to the risks posed by DNS rebinding attacks. To mitigate the threat of such attacks, it’s advised to enforce authentication on MCP Servers and validate the “Origin” header on all incoming connections to the MCP server to ensure that the requests are coming from trusted sources.