Echoleak (CVE-2025-32711) could allow threat actors to steal data without the target user having to do anything. According to AIM researchers it is the first known aero-click attack on an AI entity.

It exploits what’s known as an “LLM scope violation” allowing untrusted input from outside the organization. As Copilot has access to Outlook, OneDrive, Sharepoint and other applications, it could be a treasure trove for threat actors.

It begins with a phishing email targeting a user, assuming AI agents (such as CoPilot) will scan the email to produce a summary from URLs. However, instead of a traditional, it is constructed by the attacker and read by the AI engine as instructions to offer up sensitive data.

This type of exploit is being called a “cross-prompt injection attack” or  XPIA. The classifiers typically prevent basic injections from reaching the user, the XPIA relies on phrasing to bypass the checks. This is similar to fooling an AI model like ChatGPT to produce malicious code.

While there is no evidence this has been exploited in the wild, it has been produced in a laboratory setting. Mitigation for this is to apply Microsoft Security updates for 365 Copilot, monitor access to M365 Copilot 3, and implement additional network segmentation and access controls.

Stay safe out there in cyber land!