‘EchoLeak’ AI Attack Enabled Theft of Sensitive Data via Microsoft 365 Copilot - SecurityWeek
A zero-click attack dubbed EchoLeak exploited a vulnerability in Microsoft 365 Copilot, enabling attackers to steal sensitive information. The attack, which involved a specially crafted email, bypassed security mechanisms and caused Copilot to exfiltrate data without any user interaction. Microsoft has patched the vulnerability, tracked as CVE-2025-32711, and no customer action is required.