TL;DR: Microsoft has patched a critical zero-click vulnerability in Copilot that allowed remote attackers to automatically exfiltrate sensitive user data simply by sending an email. Dubbed “EchoLeak,” the security flaw is being described by cybersecurity researchers as the first known zero-click attack targeting an AI assistant.
EchoLeak affected Microsoft 365 Copilot, the AI assistant integrated across several Office applications, including Word, Excel, Outlook, PowerPoint, and Teams. According to researchers at Aim Security, who discovered the vulnerability, the exploit allowed attackers to access sensitive information from apps and data sources connected to Copilot without any user interaction.
Alarmingly, the malicious email did not contain any phishing links or malware attachments. Instead, the attack leveraged a novel technique known as LLM Scope Violation, which manipulates the internal logic of large language models to turn the AI agent against itself.
Researchers warn that this approach could be used to compromise other Retrieval-Augmented Generation chatbots and AI agents in the future. Because it targets fundamental design flaws in how these systems manage context and data access, even advanced platforms such as Anthropic’s Model Context Protocol and Salesforce’s Agentforce could be vulnerable.
Aim Security discovered the flaw in January and promptly reported it to the Microsoft Security Response Center. However, the company took nearly five months to resolve the issue, a timeline that co-founder and CTO Adir Gruss described as on the “very high side of something like this.”
Microsoft reportedly had a hotfix ready by April, but the patch was delayed after engineers uncovered additional vulnerabilities in May. The company initially attempted to contain EchoLeak by blocking its pathways across affected apps, but those efforts failed due to the unpredictable behavior of AI and the vast attack surface it presents.
Following the final update, Microsoft issued a statement thanking Aim Security for responsibly disclosing the issue and confirmed that it had been fully mitigated. The fix was automatically applied to all impacted products and requires no action from end users.
Although there are no known cases of EchoLeak being exploited in the wild, many Fortune 500 companies are reportedly “super afraid” and now re-evaluating their strategies for deploying AI agents across enterprise environments. According to Gruss, the industry needs to implement robust guardrails to prevent similar incidents in the future.
In the meantime, Aim Security is providing interim mitigations to clients using AI agents potentially vulnerable to the same class of attack. But Gruss believes a long-term solution will require a fundamental redesign of how AI agents are built and deployed.
